What Has INDIGO RUST Been Doing in Healthcare Networks?

For roughly 18 weeks, a cluster of activity I designate INDIGO RUST has been moving through U.S. healthcare networks with a clear preference for patient-record systems and revenue-cycle workflows. The campaign appears designed for long-term collection and disruption leverage rather than quick ransomware payouts, and it has affected hospital systems, specialty clinics, and regional billing processors across multiple states.

I am withholding the affected vendor and the affected build. The patch is not out yet. That is not journalistic theater. It is the only responsible posture when attackers are already inside live environments and the fix is still in development. Naming the vendor now would hand a target list to every low-skill adversary with a scanner. My obligation is to the administrators defending beds and patient data, not to the headline writers who want a brand name.

The sector matters. Healthcare is not a bank or a tech campus. It cannot unplug its network for a week to rebuild. A disabled electronic health-record system means delayed surgeries, rerouted ambulances, and clinicians working from paper charts while administrators pray the backups are clean. IBM's 2024 data-breach report found the average healthcare breach costs $10.93 million, the highest of any industry. INDIGO RUST knows this. The choice of target is the tactic. The pressure on patient care is the payload.

How Did the Activity Surface?

The campaign came into focus through operational-security failures on the attacker side, not through any claimed offensive action by defenders. INDIGO RUST reused command-and-control infrastructure across multiple victims and left predictable tooling artifacts in staging directories. Those repeated patterns allowed passive analysis to link otherwise unrelated intrusions and establish a timeline stretching back to late January 2026. No one had to hack back to see it. The group exposed itself.

I will not publish hashes, domains, or filenames. IOC-driven reporting feels precise, but it ages badly and helps only the subset of readers who can import indicators into a SIEM today. What helps more is describing behavior. INDIGO RUST has shown a consistent interest in credential vaults, backup appliances, and network-segmentation documentation. They want the keys to the kingdom and a map of the walls. That pattern is more durable than any single domain.

The timeline is the key detail. Eighteen weeks is long enough to establish persistence, map dependencies, and wait for a moment of maximum leverage. It is also long enough for a well-run security program to detect the anomaly. The presence of the activity is not a verdict on every victim's competence. Even capable teams miss patient adversaries. But the timeline does mean there have been opportunities to find this. Some organizations took them. Others are about to.

What Should Defenders Be Doing Already?

If you run security for a healthcare organization, you should already be treating this as a hunting problem, not a patching problem. Review privileged-access logs for service accounts that authenticate outside normal maintenance windows. Inspect backup appliances for unexpected administrative sessions. Segment patient-record networks from billing systems so a compromise in one does not become a compromise in both. These are basics. They are also the things attackers bet you have not done.
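The two log reviews in the paragraph above, as an added example that is not part of the original post: a small hunt over constructed authentication log lines that flags service accounts authenticating outside an assumed maintenance window, and any account other than the permitted one opening a session on a backup appliance. The log format, the `svc_` account prefix, the 01:00-04:00 window and the host names are all assumptions.

```python
# Added example, not from the original post. Constructed assumptions: auth log
# lines are 'ISO-timestamp host account result'; service accounts carry an
# 'svc_' prefix; maintenance runs 01:00-04:00; the backup appliance allows
# only a named set of administrative accounts.
from datetime import datetime, time

# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
2026-03-02T01:30:12 bkp-appl-01 svc_backup SUCCESS
2026-03-02T14:05:44 ehr-db-02 svc_ehr_sync SUCCESS
2026-03-03T02:10:09 bkp-appl-01 svc_backup SUCCESS
2026-03-03T02:12:51 bkp-appl-01 jdoe SUCCESS
2026-03-04T23:48:00 billing-app-01 svc_claims SUCCESS
2026-03-04T23:49:10 billing-app-01 svc_claims FAILURE
2026-03-05T09:15:33 ehr-db-02 nurse_station_7 SUCCESS
"""

SERVICE_ACCOUNT_PREFIX = "svc_"                   # assumed naming convention
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))     # assumed daily window
# Backup appliances and the accounts permitted to open sessions on them.
BACKUP_ADMIN_ALLOWLIST = {"bkp-appl-01": {"svc_backup"}}  # assumed


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, host, account, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "account": account, "result": result}


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True if the time of day falls inside the maintenance window."""
    start, end = window
    return start <= ts.time() < end


def hunt(log_text):
    """Return (reason, account, host, timestamp) for each suspicious logon."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["result"] != "SUCCESS":   # failed attempts are a separate hunt
            continue
        if ev["account"].startswith(SERVICE_ACCOUNT_PREFIX) and not in_window(ev["ts"]):
            findings.append(("service account outside maintenance window",
                             ev["account"], ev["host"], ev["ts"].isoformat()))
        allowed = BACKUP_ADMIN_ALLOWLIST.get(ev["host"])
        if allowed is not None and ev["account"] not in allowed:
            findings.append(("unexpected session on backup appliance",
                             ev["account"], ev["host"], ev["ts"].isoformat()))
    return findings
```

In a real environment the window and allowlist would come from change-management records rather than constants, and the same logic would run against the SIEM's authentication feed rather than a string.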

Patching still matters. When the vendor releases the fix, apply it fast. But do not wait for that fix to start looking. The vulnerability is one entry point among many. A determined intruder will find another door if the first one closes. CISA added more than 70 healthcare-related vulnerabilities to its Known Exploited Vulnerabilities catalog in 2025 alone. That is not a coincidence. It is a reminder that healthcare infrastructure is a preferred target and that patching is a race most organizations are losing.

Resilience comes from assuming breach and building controls that limit what an insider or a stolen credential can touch. Zero trust is a buzzword in vendor brochures. In a hospital, it is a lifesaving architecture. Leadership should also rehearse the worst case. Run a tabletop exercise that starts with the electronic health-record system offline on a Monday morning. Ask who decides which surgeries proceed. Ask how long paper processes can sustain clinical operations. Ask whether your cyber insurer has actually seen the incident-response plan or just the premium check.

The FBI, CISA, and HHS have all published healthcare-sector guidance in the past year. The documents are free. The discipline to follow them is not. I have no idea whether INDIGO RUST intends to monetize this access, hand it to a partner, or simply hold it in reserve. Prediction is not my business. Observation is. What I can say is that the activity has been ongoing for 18 weeks, the targets are patient-care institutions, and the defensive window is already narrowing. The question is not whether the next alert will come. The question is whether your team is already looking.