Bikur Rofeh Cyber Incident: Analyzing the Vulnerabilities and Iranian Threats to Israel's Emergency Medical Network

Incident Report: Bikur Rofeh Cyber Incident

Incident Overview:

On March 6, 2025, the Bikur Rofeh medical network, a significant provider of urgent care services to IDF soldiers, experienced a cyber incident. The Israeli Health Ministry publicly acknowledged the suspected cyber attack, leading to immediate investigations by Bikur Rofeh's cybersecurity teams. Although the breach raised concerns about data compromise, investigations confirmed that no classified military data was accessed, because Bikur Rofeh operates independently under a specific agreement with the IDF.

Attack Vector Analysis:

Iranian threat actors are suspected of executing the cyber incident. The attack likely involved exploiting vulnerabilities in public-facing applications, a tactic commonly associated with Iranian groups. These actors often exploit remote external services on internet-facing assets to gain initial access, targeting vulnerabilities in widely used systems such as Citrix NetScaler, F5 BIG-IP, and Palo Alto Networks PAN-OS.

Malware and Tools Identified:

While the specific malware used in this incident was not identified, it is known that Iranian actors have historically utilized webshells to capture login credentials on compromised devices. These webshells are typically deployed to maintain persistence and facilitate further malicious activities.

Historical Context:

Iranian cyber actors have a documented history of targeting various sectors, including healthcare. This is supported by previous advisories, such as the CISA advisory (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a), which details Iranian government-associated activity involving network exploitation to steal sensitive data and collaboration with ransomware affiliates for financial gain.

Sector-Specific Targeting Patterns:

The attack on Bikur Rofeh underscores vulnerabilities within Israel's emergency medical infrastructure, particularly services linked to military healthcare. Iranian threat actors have previously targeted healthcare sectors, leveraging opportunities for data theft and potential disruption of critical services.

Technical Details Mapped to MITRE ATT&CK Framework:

  • Initial Access: Exploiting Public-Facing Application (T1190)
  • Persistence: Web Shell (T1505.003)
  • Credential Access: Input Capture (T1056)
  • Discovery: Query Registry (T1012)
  • Command and Control: Remote Access Software (T1219)

These details align with known Iranian cyber operations, characterized by exploiting vulnerabilities and maintaining persistence through credential theft and webshell deployment. The attribution to Iranian actors is supported by circumstantial evidence and historical patterns of similar attacks. However, the confidence level remains medium due to the absence of specific technical indicators directly linking the attack to these actors.

Impact Assessment:

The breach primarily raised concerns about data integrity and service availability within Bikur Rofeh's network. Although no classified military data was compromised, the incident highlights the potential risks to critical healthcare services and underscores the need for robust security measures in sectors tied to national security.

Recommendations:

  1. Critical: Implement immediate patches for known vulnerabilities in public-facing applications like Citrix NetScaler, F5 BIG-IP, and Palo Alto Networks PAN-OS to prevent initial access exploitation.
  2. High: Enhance monitoring and detection capabilities for webshell activity to ensure rapid identification and remediation of persistence mechanisms.
  3. Medium: Conduct regular security audits and penetration testing to identify and mitigate potential vulnerabilities within the network.
  4. Low: Increase cybersecurity awareness and training for staff to recognize and respond to potential phishing attempts and social engineering tactics.
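The webshell persistence described under "Malware and Tools Identified" and the detection capability called for in recommendation 2 can be approached with two cheap heuristics: flagging requests to script files that are not part of the known deployment, and flagging script files whose contents combine an attacker-controlled input source with an eval/exec primitive. The following is an added example, not code from the original report or from Bikur Rofeh; it assumes an Apache/nginx combined log format and a deployment manifest of legitimate script paths, and every log line, sample file body and path below is constructed for illustration.

```python
"""Web shell detection heuristics: access-log review plus script-content scoring.

Added example (not from the original report). Assumes combined log format and a
manifest of legitimately deployed script paths; all sample data is constructed.
"""
import os
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx")

# Constructed manifest: the only server-side scripts the deployment is supposed to contain.
DEPLOYED_SCRIPTS = {"/index.php", "/login.php", "/api/appointments.php"}

# Constructed sample log: one host repeatedly POSTing to a script that is not deployed.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2025:02:14:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Mar/2025:02:14:05 +0200] "POST /uploads/img.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Mar/2025:02:14:09 +0200] "POST /uploads/img.php HTTP/1.1" 200 298 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Mar/2025:02:14:15 +0200] "POST /uploads/img.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.23 - - [06/Mar/2025:02:15:00 +0200] "POST /login.php HTTP/1.1" 302 0 "https://portal.example/login.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_suspicious_requests(lines, manifest=DEPLOYED_SCRIPTS, post_threshold=3):
    """Two signals typical of shell interaction: hits on script paths absent from the
    manifest, and repeated referer-less POSTs from one host to one script."""
    unknown_hits = defaultdict(int)
    refererless_posts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        key = (rec["ip"], path)
        if path not in manifest:
            unknown_hits[key] += 1
        if rec["method"] == "POST" and rec["referer"] in ("", "-"):
            refererless_posts[key] += 1
    findings = [{"reason": "script_not_in_manifest", "ip": ip, "path": p, "hits": n}
                for (ip, p), n in unknown_hits.items()]
    findings += [{"reason": "repeated_refererless_post", "ip": ip, "path": p, "hits": n}
                 for (ip, p), n in refererless_posts.items() if n >= post_threshold]
    return findings


# Content markers: request-input sources and code/command execution primitives.
WEBSHELL_MARKERS = [re.compile(p, re.I) for p in (
    r"\beval\s*\(",
    r"base64_decode\s*\(",
    r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(",
    r"\$_(GET|POST|REQUEST|COOKIE)\[",
    r"Request\.(Form|Item|QueryString)\b",
    r"Runtime\.getRuntime\(\)\.exec",
)]

# Constructed samples used only to exercise the scorer.
SUSPICIOUS_SAMPLE = '<?php eval(base64_decode($_POST["d"])); ?>'
BENIGN_SAMPLE = '<?php echo htmlspecialchars($_GET["q"]); ?>'


def score_script_content(text):
    """Number of distinct marker families present; an input source plus an exec
    primitive (score >= 2) is what makes a file worth a human look."""
    return sum(1 for marker in WEBSHELL_MARKERS if marker.search(text))


def scan_web_root(root, manifest=DEPLOYED_SCRIPTS, min_score=2):
    """Walk a web root and report script files that are not in the manifest or
    whose contents score at or above min_score."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            full = os.path.join(dirpath, name)
            web_path = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", errors="replace") as fh:
                score = score_script_content(fh.read())
            if web_path not in manifest or score >= min_score:
                findings.append({"file": web_path, "score": score, "in_manifest": web_path in manifest})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f)
    print("suspicious sample score:", score_script_content(SUSPICIOUS_SAMPLE))
    print("benign sample score:", score_script_content(BENIGN_SAMPLE))
```

Both heuristics are deliberately coarse: the manifest check depends on keeping the deployment inventory current, and the content score will flag some legitimate administrative scripts, so treat the output as a triage queue rather than a verdict, and pair it with file-integrity monitoring on the web root so that a newly written script file is visible the moment it appears.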