Threat Management, Threat Management, Network Security

Passion botnet cyberattacks hit healthcare, as actors offer threat as DDoS-as-a-service 

The doors outside of a hospital emergency room

Healthcare entities are being warned of yet another DDoS attack vector targeting the U.S. and other countries tied to NATO. The Passion Group, which is linked to Killnet and Anonymous Russia, has been offering a DDoS-as-a-service to pro-Russian hacktivists, according to a recent threat advisory from Radware.

The Radware report notes it was likely the Passion botnet was used in the Jan. 27 attacks detailed in the Department of Health and Human Services Cybersecurity Coordination Center alert, which also warned the Killnet group is still targeting the sector with DDoS attacks. While the threat rarely causes significant damage, DDoS attacks cause traffic surges that can cause up to several days of website outages.

The recent DDoS attack led to health and personal information tied to global health entities being publicly shared on the alleged Killnet list last week. It’s the third alert tied to nation-state actors targeting healthcare issued in the last week.

The Radware report warns that the threat actors behind Passion botnet are using Telegram to offer other cybercriminals access to their botnet service. The current merchant is Synmirai, which is selling the Passion botnet subscriptions for $30 per week of service, or prepaid access for a year of service for $1,440.

DDoS-as-a-service has become a standard hacktivist tool, as it broadens the impact of their attacks by managing the “botnet to launch significantly larger and more impacting attacks.”

“DDoS services are generally sold as a subscription-based model, allowing customers to choose their attack vectors, duration, and intensity,” the report authors explained. For the Passion botnet, subscribers are being offered 10 attack vectors focused on “application layer encrypted web attacks, L4 attacks, DNS attacks and UDP/TCP floods.”

The use of a range of attack methods lets customers customize their attacks and increases the probability that the DDoS attack will successfully take down its target. The model can also enable a more fluid attack vector that inhibits detection and mitigation.

The latest alert from Radware warns that the Passion Botnet was used in cyberattacks deployed on Jan. 27, which targeted medical institutions in the U.S., Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the UK. The attacks are believed to be an act of retaliation for sending Ukraine tanks.

The group’s tactics mirror other ongoing hacktivist campaigns and have drawn support from cybercriminal groups on Telegram, like MIRAI, Venom, and Killnet. The report notes that “after conducting a denial-of-service attack, the group typically posts a link to a check-host[.]net1 page as evidence of their success.”

It’s unclear when the Passion group began, but their attacks have increased since early January. Their past campaigns were focused on defacement campaigns directed at small organizations in Japan and South Africa, designed to build more notoriety to the DDoS attacks.

Defacement campaigns can not only harm an entity’s reputation, these attacks can “escalate to theft or compromise of sensitive information by moving laterally across the infrastructure from the breached web server,” according to the report. The compromise can also lead to significant downtime and disruptions to operations.

Radware researchers are urging healthcare entities to ensure they’ve employed proper security measures, including routinely monitoring for these types of attacks and network access, to mitigate the impact of a possible attack.

Healthcare entities should review the provided tactics and possible impacts of the Radware report to confirm they’re well-defended.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.