Threat Management, Critical Infrastructure Security

HHS alert warns KillNet hacktivist group targeted US healthcare entity

Department of Health and Human Services Office for Civil Rights enforcement

The pro-Russian hacktivist group known as "KillNet" targeted a U.S. healthcare entity. The attack should serve as a warning to provider organizations to be on the alert and shore up defenses to prevent a similar outcome, according to the latest Department of Health and Human Services Cybersecurity Coordination Center alert.

HC3 has been closely tracking hacktivist groups given their broad global targeting across a range of sectors, including healthcare. These groups are known to launch DDoS attacks with “thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.”

KillNet is one of these hacktivist groups with unconfirmed ties to official Russian government organizations like the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR). The group previously targeted primarily European countries perceived to be hostile to Russia.

But the war in Ukraine has shifted those tactics to include countries that are part of NATO.

“While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days,” according to the alert. “The group should be considered a threat to government and critical infrastructure organizations, including healthcare.”

Particularly as the group recently targeted a U.S. organization in the healthcare sector.

The alert confirms a newly released warning from the American Hospital Association’s National Advisor for Cybersecurity and Risk John Riggi that stressed threat actors will likely increase their targeting of the healthcare sector during the holidays, as “cyber adversaries believe we may pause for the holidays.”

KillNet has previously targeted or threatened to target healthcare and public health organizations. The HC3 alert stressed that a senior member of the group previously threatened Congress “with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress.”

Just this month, the group claimed to have compromised a “U.S.-based healthcare organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization,” according to the alert. 

And after the arrest of a KillNet member earlier this year, the group demanded his release and threatened to target life-saving ventilators in British hospitals if their demands were not met. The same member also threatened to target the UK Ministry of Health.

But “it’s worth taking any claims KillNet makes about its attacks or operations with a grain of salt given the group’s tendency to exaggerate. It’s possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground,” according to the alert.

HC3 also noted that it’s likely the group’s senior members have extensive experience with deploying DDoS attacks, but KillNet has been using publicly available DDoS scripts and IP stressors for most of its operations. And federal efforts have shut down dozens of internet domains tied to leading DDoS-for-hire services, while taking other enforcement actions.

But despite successful efforts, it’s unknown how much the law enforcement actions will impact KillNet. It’s also possible that “pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support.”

“This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used,” HC3 warned.

While it’s not possible to completely eliminate the risk of a DDoS attack, providers should take note of the recommended measures for preparing to respond to a possible attack. This should include prioritizing services, understanding defense measures, upstream defenses, and having a well-practiced response plan. 

The alert contains links to Killnet insights, as well as recommended DDoS measures provided by the Cybersecurity and Infrastructure Security Agency.

“Increased vigilance is especially important currently as foreign cyber gangs and spies continue to test our resiliency through use of remote access tools, exploitation of technical vulnerabilities and use of new ransomware strains — all in an attempt to steal patient data and disrupt health care delivery,” Riggi said in a statement.

Riggi stressed that it’s important to review the multiple ransomware alerts provided by HC3 and other federal defense agencies in the last month and apply the recommended remediation measures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.