HC3, AHA warn of pro-Russian KillNet hacktivist group targeting healthcare sector using DDoS attack technique

The U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) identified in an analyst note that the KillNet hacktivist group is actively targeting the healthcare and public health sector. It also revealed that the group has previously targeted the U.S. healthcare industry, is known to launch DDoS (distributed denial-of-service) attacks and operates multiple public channels aimed at recruitment and garnering attention from these attacks.

The HC3 disclosed in its note that “on January 28, 2023, an alleged Killnet attack list for hospitals and medical organizations in several countries was found by users and publicly shared.”

On Monday, the American Hospital Association also warned its members based on the HC3 alert. These industry-wide alerts come in the midst of news reports that Russian hackers are claiming responsibility for a cyberattack that brought down the websites of more than a dozen US hospitals Monday morning. 

KillNet has previously targeted, or threatened to target, organizations in the healthcare and public health sector, according to the HC3 note. “For example, Killmilk, a senior member of the KillNet group, has threatened the U.S. Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress. In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based healthcare organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization,” it added.

The agency added that last May, a 23-year-old supposed KillNet member was arrested in connection with attacks on Romanian government websites. “In response to the arrest, KillNet reportedly demanded his release and threatened to target life-saving ventilators in British hospitals if their demands were not met. The member also threatened to target the UK Ministry of Health. It is worth taking any claims KillNet makes about its attacks or operations with a grain of salt,” it added. 

Given the group’s tendency to exaggerate, some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground, HC3 assessed. “While senior members of the group likely have extensive experience launching DDoS attacks — leadership has previously operated their own DDoS services and botnets — KillNet has been using publicly available DDoS scripts and IP stressers for most of its operations,” it added.

KillNet is a pro-Russian hacktivist group active since at least January last year and known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries, since the Russia-Ukraine war broke out last year. DDoS is the group’s primary attack technique: the target server or website is flooded with thousands of connection requests and packets per minute, slowing down or stopping systems that cannot absorb the load.

While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days. Although KillNet’s ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group should be considered a threat to government and critical infrastructure organizations, including healthcare.

“After Killnet conducts a DDoS attack, they deface their target’s website and post pro-Russia messages,” managed cybersecurity services firm Avertium wrote in an October blog post. “Killnet appears to work based on emotion and revenge. If they believe that anyone has wronged Russia, they will retaliate by launching DDoS attacks against them. The group has often been described as a nuisance due to their lack of sophistication and their sometimes empty threats. They also only attack organizations via DDoS attacks, therefore their tactics and techniques are quite limited,” it added.

The HC3 also pointed out that last month the U.S. Department of Justice (DoJ) announced the court-authorized seizure of 48 internet domains associated with ‘some of the world’s leading’ DDoS-for-hire services. The agency also announced criminal charges against six defendants who allegedly oversaw computer attack platforms commonly called ‘booter’ services. These websites allowed paying users to launch DDoS attacks that flood targeted computers with information and prevent them from being able to access the internet. 

Despite this success, it remains unknown if (and how) this law enforcement action might impact KillNet which turned its DDoS-for-hire service into a hacktivist operation earlier this year, the HC3 analyzed. “Furthermore, it is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support. This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used,” it added.

The HC3 advised the healthcare and public health sector that while it is not possible to fully mitigate the risk of a denial of service attack affecting their services, there are practical steps that will help organizations prepare to respond in the event their services are attacked. It pointed to guidance from the U.K.’s National Cyber Security Centre (NCSC), which breaks preparation into five areas: understanding the service (which components are exposed and what load they can sustain), upstream defenses (filtering by the ISP or a CDN before traffic reaches the organization), scaling, a response plan, and testing and monitoring.
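The “testing and monitoring” step is the one that lends itself to code. The following is an added example, not code from HC3, the NCSC or the article: a small monitor that parses web-server access logs in the common “combined” format, counts requests per client and per minute, and flags both a single flooding source and an aggregate spike (the distributed case, where no single IP stands out). The log lines, the threshold of 5 requests per minute per client, and the baseline of 2 requests per minute are constructed for illustration; real thresholds must come from the service’s own measured baseline.

```python
"""Added example: minute-bucket request-rate monitor for web access logs.

Assumptions (not from the article): logs are in Apache/nginx "combined"
format, and the thresholds below are constructed, not measured.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: client IP, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, minute_bucket, request_line) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    bucket = ts.replace(second=0, microsecond=0)  # fixed one-minute window
    return m.group("ip"), bucket, m.group("req")


def requests_per_minute(lines):
    """Map minute bucket -> Counter of requests per client IP."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the monitor
        ip, bucket, _ = parsed
        windows[bucket][ip] += 1
    return windows


def flag_floods(lines, threshold=5):
    """Clients exceeding `threshold` requests in any one minute.

    Returns a sorted list of (minute ISO timestamp, ip, count).
    """
    hits = []
    for bucket, counts in requests_per_minute(lines).items():
        for ip, n in counts.items():
            if n > threshold:
                hits.append((bucket.isoformat(), ip, n))
    return sorted(hits)


def aggregate_spikes(lines, baseline, factor=3):
    """Minutes where total requests exceed factor * baseline.

    Per-IP counting misses a distributed attack where each source stays
    below the per-client threshold, so the total per minute is checked too.
    Returns a sorted list of (minute ISO timestamp, total).
    """
    spikes = []
    for bucket, counts in requests_per_minute(lines).items():
        total = sum(counts.values())
        if total > factor * baseline:
            spikes.append((bucket.isoformat(), total))
    return sorted(spikes)


def make_sample_log():
    """Constructed sample: one ordinary client, one flooding client, one junk line."""
    lines = []
    for i in range(3):
        lines.append(
            f'203.0.113.7 - - [30/Jan/2023:09:0{i}:15 +0000] '
            f'"GET /patients/portal HTTP/1.1" 200 5120'
        )
    for i in range(40):
        lines.append(
            f'198.51.100.23 - - [30/Jan/2023:09:01:{i:02d} +0000] '
            f'"GET / HTTP/1.1" 200 612'
        )
    lines.append("this line is not an access-log record and must be skipped")
    return lines


if __name__ == "__main__":
    sample = make_sample_log()
    for minute, ip, n in flag_floods(sample):
        print(f"{minute} flood from {ip}: {n} requests/min")
    for minute, total in aggregate_spikes(sample, baseline=2):
        print(f"{minute} aggregate spike: {total} requests/min")
```

In practice the flagged IPs would feed an upstream block list at the CDN or ISP rather than the origin server, since filtering at the origin still consumes the bandwidth the attacker is trying to exhaust; the aggregate check is the one to alert on when sources are spread across a booter’s fleet.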

In October, about 14 public-facing U.S. airport websites, including those of some of the nation’s largest airports, were knocked offline by a DDoS attack that flooded their servers with junk web traffic. KillNet, the pro-Russian hacker group, claimed responsibility for the attack in a Twitter message.

Earlier this month, the HC3 confirmed that it is aware of attacks on the healthcare and public health sector by the Clop ransomware group. The disclosure comes a few months after the Russia-based Clop group compromised the U.K. water supplier South Staffordshire Water.
