The Killnet hacktivist group’s DDoS attacks against healthcare and the mass data exfiltration in January was reportedly just the first round of targeting. Industry leaders have grown increasingly concerned over the impact of nation-state actors — and the possibility it will only get worse.
“This is a war,” Carter Groome, First Health Advisory founder and CEO, said during the Chime State of Cybersecurity in Healthcare Virtual Summit. “We got our clocks cleaned by nation-state actors last week, and nobody's really talking about it.”
“Every week, every year, we're on the frontlines. And we think this can't get any worse; then it does,” he continued, adding that the amount of damage being inflicted on the healthcare sector, “the vital part of the nation's critical infrastructure, cannot be overstated. Simply put, our ability to provide care is in jeopardy.”
The Russian invasion of Ukraine one year ago led to multiple alerts about the possibility of cyber warfare. For healthcare, the concern was the chance of another NotPetya: health systems becoming incidental victims of a Russian-backed hack that could disrupt operations.
Despite a handful of cyber-incidents in Ukraine at the start of the war, those fears, fortunately, were not realized.
Something shifted in recent months, however, particularly as NATO-backed countries issued support and weaponry to Ukraine. Now, hacktivists with ties to Russia are targeting critical infrastructure in the U.S. and other NATO countries with DDoS attacks and other tactics.
While some healthcare stakeholders have declined to report broadly on the ongoing DDoS attacks and nation-state hacking as to not draw attention to the nefarious acts, Groome has opted to use the impacts as a call to action to Congress and in hopes providers can better defend themselves.
SC Media also spoke candidly with a healthcare CISO whose organization was targeted in the initial round of attacks to gain insight into the actual impact of these hacktivist campaigns. In addition, the Department of Health and Human Services Cybersecurity Coordination Center issued new insights on the ongoing DDoS attacks to support defense measures.
Round 2 of DDoS attacks against health sector ongoing
Since November, HC3 has issued multiple alerts tied to DDoS and ransomware attacks against healthcare — some of which were tied to nation-state actors. And a report from Nozomi Networks in January warned that the Russia-Ukraine war had spurred hacktivists to leverage more destructive tactics.
But until January, no major U.S. attacks were reported.
That seemed to change when the Department of Health and Human Services Cybersecurity Coordination Center’s Jan. 31 alert warned that the Killnet hacktivists exfiltrated data from a number of hospitals in January and publicly shared the health and personal information they hacked from the networks.
The initial estimates placed the total impact at about a dozen organizations. But a conversation between SC Media and one U.S. health system CISO suggested that number was much higher.
Killnet reportedly went after 17 high profile U.S. health organizations. After successfully exploiting those networks, the group decided to add one organization from every state, according to the CISO who spoke with SC Media, who admitted their entity was among those targeted.
The group targeted their domain host, which resulted in their health system website being brought down for four hours while the health system worked with their vendor to restore access. The attack, however, was unsuccessful given their appropriate DDoS defenses.
Since the initial wave of attacks, Killnet has added “more and more” to their list. One Telegram channel warned “round one is over” and announced Round 2 is ongoing.
DDoS protection tools prevent malicious traffic from reaching the target and limit the impact, while allowing normal traffic flow. Without it, an organization targeted with a volumetric attack can degrade website performance or even knock it offline. In more serious cases, an entity may not be able to communicate those outages with clients, or patients, in the healthcare space.
The latest HC3 alert on these DDoS campaigns warn that the attacks have the potential to prevent providers from accessing vital resources, which may “have detrimental impact on the ability to provide care.” The effectiveness is due to the devices able to be exploited by these attacks: telehealth platforms, patient portals, EHRs, and even patient-monitoring applications.
“Adversaries will use web application attacks, such as DDoS attacks, to target an organization’s most exposed infrastructure, such as web servers to exploit a weakness in an internet facing computer or software,” according to the alert.
These hacktivist groups are leveraging DDoS attacks as they’re cost-effective and require low resources and technical skills to deploy. The actors don’t even need to install code on victim’s servers to find success.
These attacks can cause disruptions that “may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks,” HC3 added.
Adding fuel to the fire: Killnet joined forces with Deanon Club to launch the forum and marketplace known as Infinity Team in late December. The effort offers hacking services and resources to other cybercriminals for a cost, including DDoS services. Killnet has also been observed asking for donations and attempting to recruit new members for its pro-Russia cause.
Groome, whose company represents a large market share of health systems, is increasingly concerned about the damage and impact of the incidents.
The previous HC3 alert described traffic surges from the DDoS campaigns causing website outages that can last for several hours or days, warning organizations to ensure they’re employing adequate DDoS protection.
The verdict may be out on the possible fallout and overall impact this may have on the targeted entities, particularly if the entity does not have the tools needed to fend off or recover from a successful exploit. But all of the leading stakeholder groups agree that although Killnet is notorious for exaggerating the impact of attacks, the threat to critical infrastructure is credible.
Healthcare cybersecurity a bipartisan issue
Healthcare cybersecurity, and its ongoing resource and vulnerability challenges, are “a threat to national security: it’s a patient safety issue,” explained Mari Savickis, Chime’s vice president of public policy, during last week’s Chime summit.
However, it remains to be seen what measures will be put into place — and when.
The policy options from Sen. Mark Warner, D-Va., were heralded as a "hallelujah moment" for healthcare, as it described incentive programs, added resources, and workforce development policies to reduce some of the biggest burdens currently hindering the sector from making real progress on these critical issues.
The paper has signaled that healthcare has congressional attention, and “cyber is a bipartisan issue,” said Savickis.
Healthcare will certainly “need the help of the executive branch and Congress to empower HHS to administer those baseline cybersecurity practices” outlined in Warner’s policy paper and that stakeholders have long-requested, Groome said.
“We need a lot more support for something impactful to happen,” Groome concluded. “Today, we're facing attacks that are putting patients and health outcomes in harm's way like never before.”
For now, provider organizations should review the newest DDoS threat analysis from HHS HC3 and yield stakeholder warnings as the “second round” of DDoS attacks may already be underway.
