On Jan. 30, BetterCyber, a cybersecurity company, tweeted that pro-Russian hacktivist group ‘KillNet’ took responsibility for DDoS (distributed denial-of-service) attacks on official websites of U.S.-based hospitals. On that same day, the Health Sector Cybersecurity Coordination Center (HC3) published an analyst note about the group and its threat to the health and public health sector.
BetterCyber posted several tweets listing organizations affected by the attack, including:
- Huntsville, Ala.-based Huntsville Hospital
- Anaheim, Calif.-based Anaheim Regional Medical Center
- Los Angeles-based Hollywood Presbyterian Medical Center
- Ann Abor, Mich.-based C.S. Mott Children's Hospital
- Storm Lake, Iowa-based Buena Vista Regional Medical Center
- Salida, Colo.-based Heart of the Rockies Regional Medical Center
- Ann Abor, Mich.-based Michigan Medicine
- Stanford, Calif.-based Stanford Health Care
- Los Angeles-based Cedars-Sinai Medical Center
- Pittsburgh-based UPMC Presbyterian Shadyside
- Philadelphia-based Thomas Jefferson University Hospitals
- Durham, N.C.-based Duke University Hospital
- Phoenix-based. Abrazo Arizona Heart Hospital
- Egg Harbor Township, N.J.-based AtlantiCar
- Charlotte, N.C.-based. Atrium Health
- St. Louis-based Siteman Cancer Center at Barnes Jewish Hospital and Washington University School of Medicine
- Keene, N.H.-based Dartmouth Health Cheshire Medical Center
- Anderson, S.C.-based AnMed
Atrium Health made a statement to The Charlotte Observer in an article by Mary Ramsey. Ramsey writes, “Atrium said in a statement about 7 p.m. [on Jan. 30] it had ‘successfully resolved the situation,’ which it said was ‘similar to widespread instances at other health systems around the world on Monday.’”
She adds, “‘It’s important to note the disruption affected only our public-facing website,’ the company said. ‘Our hospital systems and patient portal remained fully functional at all times.’”
On Jan. 30, HC3 published an analyst note about KillNet. The note says that “KillNet is a pro-Russian hacktivist group active since at least January 2022 known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the Russia-Ukraine war broke out last year. DDoS is the primary type of cyber-attack employed by the group which can cause thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems. While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days. Although KillNet’s ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group should be considered a threat to government and critical infrastructure organizations including healthcare.”
Further, “KillNet has previously targeted, or threatened to target, organizations in the healthcare and public health (HPH) sector. For example, Killmilk, a senior member of the KillNet group, has threatened the U.S. Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress. In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based healthcare organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization. In May 2022, a 23-year old supposed KillNet member was arrested in connection with attacks on Romanian government websites. In response to the arrest, KillNet reportedly demanded his release and threatened to target life-saving ventilators in British hospitals if their demands were not met. The member also threatened to target the UK Ministry of Health. It is worth taking any claims KillNet makes about its attacks or operations with a grain of salt. Given the group’s tendency to exaggerate, it’s possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground.”
The note adds that the hospitals and medical organizations were not only in the U.S. On Jan. 28, KillNet attack lists for hospitals and health systems in several countries were found by users and publicly shared.
The note goes on to say that it is not possible to fully mitigate the risk of a DDoS attack affecting services, there are some actions that can help organizations be prepared to respond if necessary, including:
- Understanding your service
- Upstream defenses
- Scaling
- Response plan
- Testing and monitoring
Additionally, organizations can take steps immediately by considering enabling web application firewalls to mitigate application-level DDoS attacks and implementing a multi-content delivery (CDN) solution.
The analyst note includes an analyst comment that states “While senior members of the group likely have extensive experience launching DDoS attacks—leadership has previously operated their own DDoS services and botnets—KillNet has been using publicly available DDoS scripts and IP stressers for most of its operations. On December 14, 2022, the Justice Department announced the court-authorized seizure of 48 internet domains associated with some of the world’s leading DDoS-for-hire services, as well as criminal charges against six defendants who allegedly oversaw computer attack platforms commonly called ‘booter’ services. These websites allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet. Despite this success, it remains unknown if (and how) this law enforcement action might impact KillNet which turned its DDoS-for-hire service into a hacktivist operation earlier this year. Furthermore, it is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support. This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used.”
