Killnet DDoS attacks against healthcare dip as identity risks tick up

Killnet DDoS attacks subside, but ID risks are on the uptick

After a spate of Killnet DDoS cyberattacks against healthcare entities throughout January, the hacktivist campaigns have slowed. However, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warns that the risk posed by the hijacking of digital identities remains high.

KillNet is believed to be a Russia-aligned hacktivist group, active since January 2022, and is known for its DoS and DDoS attacks against government institutions, including the healthcare sector.

An HC3 alert released this week notes that only a “few incidents” have been attributed to Killnet this month, outside of a DDoS attack against a laboratory, blood and pharmaceutical organization. The hacktivists’ Telegram channel also posted “little to no content on” possible healthcare targeting.

However, an ongoing, predominant Killnet campaign against healthcare remains, focused on leveraging the Microsoft Azure infrastructure over the last three months. As previously reported, life sciences and pharmaceutical organizations were the primary target of the observed campaign, followed by hospitals, health insurance, health service and healthcare.

The observed campaign overlapped the previously disclosed Killnet DDoS cyberattacks that resulted in the successful exfiltration of data from a range of hospitals, which was later exposed on the alleged Killnet list.

The latest HC3 alert updates the January disclosure, noting that more than 90 DDoS attacks were orchestrated at that time against health systems, standalone hospitals and medical centers. Over half of these victims were health systems with at least one hospital, lone hospitals with Level I trauma centers that provide the highest level of care to critically injured patients.

Large establishments are ideal targets for Killnet and affiliated cybercriminals, as they have “considerable patient data to enter and exploit,” HC3 said.

“Although their primary type of cyber-attack method usually does not cause major damage, it can cause service outages to vulnerable systems lasting several hours or even days,” according to HC3. “Whereas many hacktivist groups abstain from targeting healthcare organizations, the group has dispassionately targeted hospitals and medical organizations across the sector.”

Although the sector has not faced another surge in these attacks since the January incidents, Killnet continues to collaborate with and recruit affiliates who share Russian interests. A March 21 Killnet post “emphasized that they are decentralized, that KillNet is just an ‘idea’ that unites the cyber patriots of Russia, and that they are not supported by the [Russian] state.”

In addition to DDoS risks, Killnet’s founder, who goes by the handle KillMilk, launched a new private military hacking company, Black Skills, which appears to be “highly organized” with 24 departments tasked with various distinct functions, including intelligence, public relations, and general staff. It’s currently unclear whether the group is a rebrand of KillNet or an initiative for more skilled members.

KillMilk has since left the group and was replaced by a hacker named Blackside, who focuses on ransomware, phishing, and crypto theft.

HC3 warns entities that the easiest way for hacktivists to find information on potential victims is through their online presence, easily found with a quick internet search.

The alert recommends the use of Identity Management (IdM), a program healthcare entities could employ for their workforce to proactively protect their identities from hacktivists like KillNet that actively leverage identity reconnaissance tactics. The program includes the discovery, analysis, and management of the identity of the entity or an individual employee.

“IdM programs seek to improve an organization’s ability to mitigate current threats to its mission, capabilities, and personnel from adversarial and/or criminal entities seeking to exploit identity data, as well as identify emerging threats to organizational assets,” according to the alert.

The Killnet analysis contains a host of resources for healthcare entities to employ to sharpen defenses against hacktivist attacks. But HC3 makes it clear that “there’s no single action that can protect an organization from cyber threat groups, such as KillNet.” 

“Nevertheless, healthcare organizations need to take proactive measures,” HC3 warns. “Efforts should focus on minimizing the amount and sensitivity of data available to external parties.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
