Cybersecurity Integration Digest

Healthcare/infra APTs: IRGC CyberAv3ngers Rockwell PLC US CI/CareCloud/EU/HK Hospital/Monmouth/Oklahoma/Texas/St. Joseph Handala Stryker/Pay2Key/MuddyWater + PII breaches

Key Questions

What is IRGC CyberAv3ngers targeting?

Exploiting Rockwell PLCs in US critical infrastructure such as water/energy using default credentials and malware on ports 44818/2222/102/502. FBI/CISA alert on air-gapped OT systems.

What healthcare breaches occurred?

CareCloud EHR breached (45k providers via AWS), Stryker (50TB), St. Joseph, plus ransomware averaging $18.2M. Groups including Handala, Pay2Key and MuddyWater were involved.

Which US facilities were disrupted?

Monmouth, Oklahoma, Texas water/energy systems hit by Iranian actors. Pro-Iran hackers targeted internet-exposed PLCs.

What other APTs and breaches are linked?

Salt Typhoon, Mythic, Qilin, Crimson Echo, Fancy Bear on TP-Link, plus PII leaks at Hasbro, Hims, Alabama, Vivaticket, Nike, DocketWise.

Why are PLCs vulnerable?

Internet-exposed OT devices with default credentials allow disruptions. Maintain air gaps and monitor PLC logs.
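As an added example (not code from the digest or its sources), the check below scans firewall log lines in a constructed key=value format for allowed sessions from non-RFC1918 sources to the PLC ports named in the alert summary above; it serves both the alert summary and this exposure question.

```python
import ipaddress
import re

# Ports named in the FBI/CISA alert summarised above:
# 44818 (EtherNet/IP), 2222 (EtherNet/IP I/O), 102 (S7comm/ISO-TSAP), 502 (Modbus/TCP)
OT_PORTS = {44818, 2222, 102, 502}

# Assumption: anything outside RFC1918 space counts as external. TEST-NET addresses
# are used here so the constructed sample stays non-routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines (hypothetical key=value format) for illustration.
SAMPLE_LOG = """\
ts=2026-04-07T02:11:04Z action=allow src=198.51.100.23 dst=10.20.5.11 dport=44818 proto=tcp
ts=2026-04-07T02:11:09Z action=allow src=10.20.5.40 dst=10.20.5.11 dport=502 proto=tcp
ts=2026-04-07T02:12:31Z action=allow src=203.0.113.77 dst=10.20.5.12 dport=502 proto=tcp
ts=2026-04-07T02:13:00Z action=deny src=203.0.113.78 dst=10.20.5.12 dport=102 proto=tcp
ts=2026-04-07T02:14:45Z action=allow src=198.51.100.23 dst=10.20.5.13 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; dport becomes an int."""
    fields = dict(LINE_RE.findall(line))
    if "dport" in fields:
        fields["dport"] = int(fields["dport"])
    return fields

def is_external(ip):
    """True if the address is outside the RFC1918 ranges assumed internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_ot_sessions(log_text, ot_ports=OT_PORTS):
    """Return (ts, src, dst, dport) for allowed sessions from external sources to OT ports.

    Denied sessions are skipped: a blocked probe is expected noise, while an
    allowed one means a PLC port is reachable from outside and needs attention.
    """
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "allow" or ev.get("dport") not in ot_ports:
            continue
        if is_external(ev["src"]):
            findings.append((ev["ts"], ev["src"], ev["dst"], ev["dport"]))
    return findings

if __name__ == "__main__":
    for ts, src, dst, dport in find_exposed_ot_sessions(SAMPLE_LOG):
        print(f"{ts} external {src} reached OT port {dport} on {dst}")
```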

What is the CareCloud incident?

March 16 AWS breach exposed patient records for 45k providers. Confirm affected status and notify impacted parties.

How is Iran-linked activity escalating?

FBI warns of disruptions to US water/energy facilities; actors use malware for espionage and sabotage.

What CTEM measures for healthcare/infra?

Hunt IOCs, secure OT air gaps, deploy Intune/PAM, log PLCs, track IRGC/Handala/PEAR. The situation is developing, with ongoing APT threats.

IRGC CyberAv3ngers are exploiting Rockwell PLCs in US critical infrastructure (water/energy); FBI/CISA alerts cite default credentials and malware on ports 44818/2222/102/502 and call for air gaps. CareCloud EHR breach (Mar 16, AWS, 45k providers). Healthcare ransomware averages $18.2M. Also: St. Joseph; Handala; Stryker (50TB); Pay2Key; MuddyWater Olalampo AI CHAR; Salt Typhoon; Handala; Mythic; Qilin; Crimson Echo; Hasbro; Fancy Bear on TP-Link; Hims; Alabama; Vivaticket; Nike; DocketWise. CTEM: IOC hunts, OT air gap, Intune, PAM, PLC logs, IRGC/PEAR/Handala tracking.

Sources (54)
Updated Apr 8, 2026