Russian Hacktivist Group KillNet Hits U.S. Hospitals with DDoS Attacks
Russia is sending destructive digital tendrils out towards countries it believes to be aiding Ukraine. The websites of at least 14 medical centers across the U.S. were hit by a distributed denial-of-service (DDoS) attack on January 30, including Stanford Healthcare, Duke University Hospital and Cedars-Sinai.
A pro-Russia hacktivist group known as KillNet is now claiming responsibility. It boasts of having successfully exfiltrated data from a number of U.S. hospitals within the last month, according to an alert issued by the U.S. Department of Health & Human Services (HHS).
According to the report, on Jan. 28, the group allegedly posted health and personal information belonging to global health organizations on its “KillNet list” where it publishes data stolen from its victims.
Active since at least January 2022, KillNet evolved from what was originally a DDoS-for-hire service, becoming a fully-fledged threat group in recent months. The group organizes itself in an encrypted chat group hosted on a Telegram channel with almost 92,000 subscribers. It is well-known for recent attacks against nations that have opposed the Russian invasion of Ukraine, especially NATO countries. It has previously targeted or claimed to target airports, banks, and defense contractors in the U.S.
DDoS attacks overwhelm a public website’s servers by flooding them with traffic. Some attempts may be shrugged off with limited impact to the targeted organization, while others cause service outages lasting several hours or even days, which can be life-threatening where healthcare centers are concerned. They can also be used to mask more intrusive activity, such as stealing sensitive information or deploying ransomware.
Should Hospitals Be Exempt From Cyberattacks?
Attacks on healthcare organizations are on the rise. The Fourth Geneva Convention, which deals with humanitarian protections for civilians in time of war, legally prohibits attacks on civilian hospitals and medical transports, yet hospitals continue to face these types of threats far too often.
The Fourth Convention defines and prohibits "indiscriminate attacks." "Incidental loss of civilian life, injury to civilians, [and] damage to civilian objects" are also covered by the Convention. Even an attack not aimed at civilians is prohibited when it "may be expected to cause incidental" civilian loss or damage.
With many of KillNet’s claims believed to be empty threats made “to garner attention, both publicly and across the cybercrime underground,” it may be easy to write off such claims as FUD. However, the Health Sector Cybersecurity Coordination Center (HC3), the American Hospital Association (AHA), Health-ISAC, and FBI officials have individually confirmed that the group’s ongoing campaign against the health sector is credible. They are currently investigating the group together.
According to HHS, “Although KillNet’s ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service are unconfirmed, the group should be considered a threat to government and critical infrastructure organizations including healthcare.”
Mitigation
While it is not possible to completely mitigate the risk of a DDoS attack affecting your organization, there are several practical steps that help you pivot quickly in the event of an attack. The National Counterintelligence and Security Center (NCSC) has published helpful cyber defense guidelines, including five essential practices. Healthcare entities are being advised to have adequate DDoS protection for their web hosting. Additional guidance from CISA on responding to DDoS attacks can be found in this report.
If you believe your organization may be a future target, the KillNet open proxy IP blocklist lists tens of thousands of proxy IP addresses used by the Russian hacktivists in their network-traffic flooding events. This free tool was created by security researchers and aims to help organizations defend against KillNet’s DDoS bots.
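As an added example (not code from the original post or from the blocklist project), the following Python snippet shows how a defender could check web-server access logs against such a blocklist to see how much of a traffic surge comes from known proxy sources. It assumes the blocklist is plain text with one IP or CIDR per line; the blocklist entries and log lines are constructed sample data using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample blocklist: one IP or CIDR per line, '#' starts a comment.
# Documentation/test ranges only, not real indicators.
BLOCKLIST_TEXT = """
# sample blocklist (constructed)
198.51.100.0/24
203.0.113.7
"""

# Constructed access-log lines in Combined Log Format.
ACCESS_LOG = """\
203.0.113.7 - - [30/Jan/2023:14:02:11 +0000] "GET /patient-portal HTTP/1.1" 503 0 "-" "Mozilla/5.0"
198.51.100.45 - - [30/Jan/2023:14:02:11 +0000] "GET / HTTP/1.1" 503 0 "-" "python-requests/2.28"
192.0.2.10 - - [30/Jan/2023:14:02:12 +0000] "GET /appointments HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.45 - - [30/Jan/2023:14:02:12 +0000] "GET / HTTP/1.1" 503 0 "-" "python-requests/2.28"
203.0.113.7 - - [30/Jan/2023:14:02:12 +0000] "GET /patient-portal HTTP/1.1" 503 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def load_blocklist(text):
    """Parse IPs/CIDRs into network objects; a bare IP becomes a /32 (or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_blocklisted(ip, nets):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def triage(log_text, nets):
    """Return (requests per source IP, blocklisted requests per source IP)."""
    per_ip, hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing mid-incident
        ip = m.group("ip")
        per_ip[ip] += 1
        if is_blocklisted(ip, nets):
            hits[ip] += 1
    return per_ip, hits
```

Comparing `sum(hits.values())` with `sum(per_ip.values())` gives the share of requests from blocklisted sources, a quick signal of whether a surge matches the published proxy set before rate-limiting or upstream filtering is applied.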
For ongoing proactive defense, BlackBerry provides contextualized threat intelligence that helps organizations prepare their defenses against these types of attacks. Threat intelligence is “the art of taking the adversary by surprise,” and we believe that anticipating, mitigating, and preventing cyberattacks is the primary mission of a practical threat intelligence program. Our mission is to deliver actionable and contextualized intelligence to increase your organization’s cyber resilience. Please email us at cti@blackberry.com for more information.