
Hospitals urged to tighten DDoS defenses after health data found on Killnet list


The Killnet hacktivist group is actively targeting the health sector with DDoS attacks, claiming to have successfully exfiltrated data from a number of hospitals within the last month, according to a Department of Health and Human Services Cybersecurity Coordination Center alert.

In fact, on Jan. 28 users found and publicly shared an alleged Killnet target list containing health and personal information belonging to global health organizations.

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, warned that “As of today, we understand that some of the named entities were, in fact, targeted by DDoS attacks.”

However, the impact of the activity was found to be “minimal and temporary with no impact to care delivery services,” he added. Although DDoS attacks don’t typically cause significant damage, the traffic surges brought on by these cyberattacks can cause website outages that can last for several hours or days.

As such, provider entities should ensure they have adequate DDoS protection for their web hosting.

Killnet is notorious for launching DDoS attacks with “thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems,” according to a December HC3 alert that followed a successful attack on a U.S. healthcare entity.

The group operates multiple public channels for recruitment purposes and has suspected ties with Russian government organizations like the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR). But the connections have not been confirmed. 

What’s clear is that the group’s senior members have extensive experience with deploying DDoS attacks, having “previously operated their own DDoS services and botnets. Most of these operations rely on publicly available DDoS scripts and IP stressers.”

But researchers are divided on the group’s impact, noting that the group has failed to pivot its attack models. In October, for example, Killnet successfully blocked the infrastructure of J.P. Morgan but was unable to disrupt the bank’s operations.

The Department of Justice seized 48 internet domains tied to some of the biggest DDoS-for-hire services and issued criminal charges against six individuals in December, but it’s unclear how these enforcement actions will impact Killnet, if at all, particularly given the group’s recent success.

And while Killnet is known to exaggerate the impact of its nefarious operations, HC3, AHA, Health-ISAC, and FBI officials have confirmed the credibility of the ongoing campaign against the health sector. The groups are actively coordinating on Killnet and the possible impact.

In past incidents, Killnet has targeted or threatened to target healthcare entities. In one instance, a senior member of the group threatened Congress with the sale of the personal and health information of Americans who support Ukraine.

The group already targeted a U.S. health organization in December that supports U.S. service members. Killnet claimed to have stolen a large amount of user data from the entity, while making threats against other global health providers. HC3 is also concerned that other pro-Russian ransomware groups or operators will lend support to Killnet.

The alert warns that the ongoing campaign may “result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used.” But “it is worth taking any claims KillNet makes about its attacks or operations with a grain of salt.”

However, that doesn’t mean providers should not ensure they are leveraging the best possible defenses for their external-facing platforms. It’s certainly not possible to completely eliminate the risk of a DDoS attack against the enterprise, but providers can take practical steps to ensure they can quickly pivot in the event of an attack.

Security teams must understand their services, potential exposures, upstream defenses, testing, monitoring, and possible scaling, while practicing a thorough response plan. To mitigate a DDoS threat, entities should consider using web application firewalls and a multi-content delivery network (CDN) solution. 
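The monitoring piece of that advice is the one a security team can start on immediately. The following is an added example, not code from the article or from the HC3 alert: a small check that parses web-server access logs in Common Log Format and flags any source IP whose request count in a single minute reaches a threshold, which is the kind of connection-request surge described above. The log lines are constructed sample data, and the threshold of 5 is an assumed value chosen so the sample trips it; in practice it would be set from a baseline of normal traffic to the service.

```python
"""Flag per-source request-rate surges in web access logs.

Added example (not from the SC Media article or the HC3 alert). The log
lines below are constructed sample data and RATE_THRESHOLD is an assumed
value; a real deployment would derive the threshold from baseline traffic.
"""
from collections import defaultdict
from datetime import datetime
import re

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def requests_per_minute(lines):
    """Count requests per (source IP, one-minute bucket)."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole run
        ip, ts = parsed
        counts[(ip, ts.replace(second=0, microsecond=0))] += 1
    return counts


def flag_sources(lines, threshold):
    """Return sorted IPs whose request count in any single minute >= threshold."""
    flagged = {ip for (ip, _minute), n in requests_per_minute(lines).items()
               if n >= threshold}
    return sorted(flagged)


# Constructed sample log: one source hitting /login six times in one minute,
# two ordinary clients, and one malformed line the parser must tolerate.
SAMPLE_LOG = [
    f'203.0.113.7 - - [28/Jan/2023:10:00:{s:02d} +0000] "GET /login HTTP/1.1" 200 512'
    for s in range(0, 60, 10)
] + [
    '198.51.100.4 - - [28/Jan/2023:10:00:15 +0000] "GET / HTTP/1.1" 200 2048',
    '198.51.100.4 - - [28/Jan/2023:10:01:15 +0000] "GET /about HTTP/1.1" 200 1024',
    '192.0.2.9 - - [28/Jan/2023:10:00:40 +0000] "GET /contact HTTP/1.1" 200 800',
    'garbage line that does not parse',
]
RATE_THRESHOLD = 5  # assumed value for the sample; tune per service from baseline traffic

if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG, RATE_THRESHOLD):
        print(f"rate surge from {ip}: candidate for WAF/CDN rate limiting")
```

The output of a check like this is a candidate list for a web application firewall or CDN rate-limiting rule rather than an automatic block: per-minute bucketing keeps the logic simple, and a flagged address still needs a look at what it was requesting, since a large institution behind a single NAT address can legitimately produce a high request rate.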

The HC3 alert contains a deeper look at recommended remediation measures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
