Threat Management, Critical Infrastructure Security, Network Security

Danish hospitals latest target of DDoS attacks on NATO-backed countries

Waving flag with NATO logo. (Alexey Novikov/Adobe Stock Images)

A relatively new hacking group known as Anonymous Sudan targeted nine Region H hospitals in Denmark with DDoS attacks late on Feb. 26, bringing down their website for several hours.

On Twitter, officials alerted patients to the outage and shared an emergency page with relevant hospital contact information in case of emergency, as the IT team worked to recover the impacted sites. The apparent DDoS attack did not affect the rest of the digital infrastructure.

The Anonymous Sudan Telegram channel warned it would attack Denmark healthcare infrastructure after an alleged far-right activist burned a Koran in front of the embassy of Turkey in Stockholm on Saturday. The hackers warned the targeting would continue in retaliation for what they view as anti-Islamic behavior.

However, the attack on Denmark’s hospital had limited impact, as The Capital Region and the hospital websites were back to full operation after a few hours of downtime.

It’s the latest nation-backed cyberattack against a country with NATO ties, a growing risk facing the critical infrastructure of countries actively supporting Ukraine amid the Russian conflict. Since the start of the year, Russian-backed threat groups have pummeled the critical infrastructure of NATO members with DDoS attacks that appear highly coordinated.

Anonymous Sudan emerged a month ago and is believed to be unrelated to a group of the same name that levied attacks in 2019, according to TrueSec research. The politically motivated hacktivist group is believed to be based in Russia and is amplified by the country’s hacktivism sphere — including Killnet and Passion Net.

These groups have recently targeted the U.S. health sector in force. Killnet has already hit nearly 50 U.S. healthcare organizations this year, in addition to launching a collaborative marketplace designed to secure funding for future attacks. Anonymous Sudan announced it joined the Russian Killnet collective on Feb. 19.

But unlike hacktivist groups like Killnet, Anonymous Sudan doesn’t use an illegal botnet to generate the needed traffic volume for a successful DDoS attack. TrueSec and Baffin Bay Networks research found the group uses a paid cluster of 61 servers hosted in Germany.

The attacks are then “routed through open proxies to disguise the real origin of the attacks,” according to the research. The finding suggests that Anonymous Sudan is funded by paid infrastructure. “Additional evidence” shows the operation is being carefully funded by a willing donor and not “a spontaneous action by activists.”

On Feb. 23, the known servers used by the group were taken down by IBM — just after it warned it would attack Denmark.

Initially, Cybersecurity and Infrastructure Security Agency noted DDoS attacks would have limited impact. But in healthcare, it’s a patient-safety risk when DDoS attacks are deployed against patient-facing tech.

“This is war,” Carter Groome, First Health Advisory founder and CEO, said earlier this month. The first round of Killnet attacks “cleaned our clocks." These attacks, and possible impacts, against the “the vital part of the nation's critical infrastructure, cannot be overstated.”

His comments were followed by a supplement resource on the DDoS attacks against healthcare, warning of needed remediations in light of the patient-safety risks.

As for Anonymous Sudan, its latest Telegram post explains the group is not selling its DDoS attack module or “anything.” The group will, however, “search for the best botnet for you with great power,” which includes a list of three that they’re willing to test on behalf of interested parties. 

The post, when combined with its Killnet affiliation, suggests there’s more to come.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.