
KillNet targeting healthcare sector: What you need to know
The U.S. Department of Health and Human Services (HHS) has issued an Analyst Note on the hacktivist group KillNet and its attacks on the healthcare and public health sector. KillNet is a pro-Russian hacking group that carries out cyberattacks against targets in the United States and other countries friendly to Ukraine. In December 2022, KillNet took credit for disabling sites associated with the U.S. Commerce Department and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Who is KillNet?
KillNet refers to itself as a ‘patriotic Russian group,’ though it is currently not confirmed to have ties with any official Russian government organizations. The group cofounded the ‘Infinity’ forum as a platform for “pro-Kremlin hacktivists” to share techniques, tools, and other resources and knowledge. KillNet also used the platform to raise funds via Bitcoin. Although the forum has been successful on both fronts, KillNet announced in February that it was selling the forum to “go dark.”
The group has always targeted European countries with anti-Kremlin sentiments but narrowed its focus to NATO and pro-Ukraine countries after the start of the Russia-Ukraine war. In February, the group claimed responsibility for attacks on NATO that disrupted aid to the victims of the Turkish-Syrian earthquake. The attacks targeted NATO Special Operations Headquarters, Strategic Airlift Capability, and the NATO Restricted communications network. The leader of KillNet announced the attacks in a Telegram channel:
[Image: KillNet attack announcement | Source: Telecoms Tech News]
KillNet has also claimed responsibility for attacks against Lockheed Martin, several targets in Latvia, and other high-profile targets.
What is the threat?
It’s not possible to identify a single threat from KillNet activity because the impact of this group creates ripples that may become large waves. The group has limited itself to distributed denial of service (DDoS) attacks that have not caused serious damage to systems, though major outages can last several hours or days. The service outages are the actual threat to infrastructure, the economy, and human lives.
The headlines are full of stories about ransomware attacks, but a strategic DDoS attack can be very damaging. The HHS Analyst Note mentions that a list of KillNet attack targets includes hospitals and medical organizations in multiple countries. KillNet members have also claimed intent to attack hospital ventilators and other specific healthcare targets. Any disruption to these services can cause life-threatening situations.
KillNet is also inspiring new pro-Russian threat actors and a growing KillNet fanbase. A Russian rapper has released “Killnetflow (Anonymous diss)” (available on YouTube) and a Moscow-based jeweler is offering a line of KillNet-themed ‘bling’ and other merchandise. These items help the KillNet brand in terms of recruiting, fundraising, and promoting the message. With tools like DDoS-as-a-service, it’s much easier for new ‘hacktivists’ to take part in pro-Russian attacks. KillNet also benefits from established pro-Russian hacking gangs that offer their resources to aid in attacks.
DDoS is more than disruption
DDoS attacks often bring something more sinister than a service disruption. Flooding a system with a DDoS attack can distract the IT team from other malicious activity. While responders are working on DDoS mitigation, attackers may be installing malware, stealing data, or starting a ransomware attack. One notorious example of this is the 2012 ‘heist’ of $900,000 in dozens of small transactions that took place during a DDoS attack on Bank of the West.
Although that happened more than a decade ago, DDoS-with-a-higher-purpose attacks continue. Banks are still a favorite target, and the cause may be ideological or financial. Some ransomware gangs also use the threat of a DDoS attack to force victims into negotiation. The HHS Analyst Note specifically warns against these additional extortion-related threats.
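As an added illustration of the point above that a flood can mask other activity (this is not code from the article or the HHS note), the following Python example finds request-flood minutes in a web access log and lists security events from other systems that occurred during or next to them. The log format, thresholds, event sources, and all sample data are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2}")  # minute-resolution CLF timestamp (assumed format)

def flood_minutes(access_lines, factor=10, floor=100):
    """Minutes whose request count exceeds max(floor, factor x median)."""
    per_minute = Counter()
    for line in access_lines:
        m = TS.search(line)
        if m:
            per_minute[datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M")] += 1
    if not per_minute:
        return set()
    threshold = max(floor, factor * median(per_minute.values()))
    return {minute for minute, n in per_minute.items() if n > threshold}

def events_during_flood(access_lines, events, pad_minutes=1):
    """Non-web security events inside, or within pad_minutes of, a flood."""
    floods = flood_minutes(access_lines)
    hits = []
    for ts, source, detail in events:
        minute = ts.replace(second=0, microsecond=0)
        if any(abs((minute - f).total_seconds()) <= pad_minutes * 60 for f in floods):
            hits.append((ts, source, detail))
    return hits

def sample_access_log():
    """Constructed log: 20 req/min baseline, 600 req/min from 10:04 to 10:06."""
    lines = []
    for minute in range(10):
        for i in range(600 if 4 <= minute <= 6 else 20):
            lines.append(f'203.0.113.{i % 250} - - [14/Mar/2023:10:0{minute}:'
                         f'{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512')
    return lines

# Constructed events from other systems, assumed to share the log's time zone.
SAMPLE_EVENTS = [
    (datetime(2023, 3, 14, 10, 1, 12), "auth", "admin login from known workstation"),
    (datetime(2023, 3, 14, 10, 5, 40), "payments", "transfer to new beneficiary"),
    (datetime(2023, 3, 14, 10, 6, 2), "edr", "unsigned binary run on file server"),
    (datetime(2023, 3, 14, 10, 9, 30), "auth", "password reset completed"),
]

if __name__ == "__main__":
    for ts, source, detail in events_during_flood(sample_access_log(), SAMPLE_EVENTS):
        print(f"REVIEW {ts:%H:%M:%S} [{source}] {detail}")
```

In an incident response plan, a list like this gives a second responder something concrete to review while the rest of the team handles DDoS mitigation.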
Defend yourself
Barracuda WAF-as-a-Service is a great solution to defend your web applications from DDoS and other attacks. We can help you get started with a demo and a free trial that you can deploy within minutes. Deploying a web application firewall is one of the most important steps you can take to protect your organization, but it’s just one part of a larger strategy:
- When possible, ensure your application is developed with security and scalability in mind. This will provide an additional layer of defense against an attack.
- Understand the defenses that might be available through your internet and cloud service providers. Your service agreements might include assistance with DDoS mitigation.
- Include DDoS attacks in your overall security strategy and incident response plans. This will help you identify and mitigate attacks and ensure that other resources are not under attack.
Visit our website for details on Barracuda WAF-as-a-Service and our other application security solutions. If you’d like more ideas on defending against DDoS attacks, see the CISA publication, Understanding and Responding to Distributed Denial-of-Service Attacks.
Resources
- Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies
- Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
- DDoS attack against the institutional website of the CSIRT Italia. Preliminary analysis
- Technical White Paper – Guide to DDoS Attacks