Russian Hackers Targeting Hospitals with DDoS Attacks

Pro-Russian hackers are believed to have launched cyberattacks against hospitals in the Netherlands and other European countries as revenge for their support for Ukraine.

The U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) identified in an analyst note that the KillNet hacktivist group is actively targeting the healthcare and public health sector. It also revealed that the group has previously targeted the U.S. healthcare industry, is known to launch DDoS (distributed denial-of-service) attacks and operates multiple public channels aimed at recruitment and garnering attention from these attacks.

The HC3 disclosed in its note that “on January 28, 2023, an alleged Killnet attack list for hospitals and medical organizations in several countries was found by users and publicly shared.”

The American Hospital Association also warned its members based on the HC3 alert. These industry-wide alerts come in the midst of news reports that Russian hackers are claiming responsibility for a cyberattack that brought down the websites of more than a dozen US hospitals Monday morning.

KillNet has previously targeted or threatened to target, organizations in the healthcare and public health sector, according to the HC3 note. “For example, Killmilk, a senior member of the KillNet group, has threatened the U.S. Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress. In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based healthcare organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization,” it added.

The agency added that last May, a 23-year-old supposed KillNet member was arrested in connection with attacks on Romanian government websites. “In response to the arrest, KillNet reportedly demanded his release and threatened to target life-saving ventilators in British hospitals if their demands were not met. The member also threatened to target the UK Ministry of Health. It is worth taking any claims KillNet makes about its attacks or operations with a grain of salt,” it added.

Given the group’s tendency to exaggerate, some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground, HC3 assessed. “While senior members of the group likely have extensive experience launching DDoS attacks — leadership has previously operated their own DDoS services and botnets — KillNet has been using publicly available DDoS scripts and IP stressers for most of its operations,” it added.

KillNet is a pro-Russian hacktivist group active since at least January last year and known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the Russia-Ukraine war broke out last year. DDoS is the primary type of cyber-attack employed by the group which can cause thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.

The HC3 also pointed out that last month the U.S. Department of Justice (DoJ) announced the court-authorized seizure of 48 internet domains associated with ‘some of the world’s leading’ DDoS-for-hire services. The agency also announced criminal charges against six defendants who allegedly oversaw computer attack platforms commonly called ‘booter’ services. These websites allowed paying users to launch DDoS attacks that flood targeted computers with information and prevent them from being able to access the internet.

Security Advisor Dr Zakir Hussain said, Recently 14 public-facing U.S. airport websites, including those for some of the nation’s largest airports, were inaccessible as KillNet, a pro-Russian hacker group claimed they were responsible for the attack. He also mentioned that, Killnet has 92,000 people in its online chat group, had also called for supporters to attack hospitals.He advise every organization should have established DDoS response playbook as part of IR strategy.

About DDoS attack, the group’s modus operandi, is a relatively unsophisticated form of cyber attack that floods its targets’ servers, website or network resources with junk messages, connection requests or malformed packets, causing them to slow or crash. They are generally intended more to cause temporary disruption than anything else, and were historically favored.