HC3: KillNet Hacktivist Group Uses DDoS Cyberattacks to Target Healthcare

January 31, 2023 - A hacktivist group known as KillNet is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) cyberattacks, the Health Sector Cybersecurity Coordination Center warned in its latest analyst note.

The pro-Russian group has been active since at least January 2022 and has been known to target countries that support Ukraine.

“DDoS is the primary type of cyber-attack employed by the group which can cause thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems,” the analyst note stated.

“While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days.”

For healthcare, days-long outages can result in appointment delays, EHR downtime, and ambulance diversions. As a result, the US healthcare sector should remain vigilant against cyber threats and monitor systems for suspicious activity.

Past Activity

A senior member of the KillNet group previously threatened to sell health data because of Congress’ Ukraine policy. In December, the group claimed a cyberattack against a US healthcare organization that supports US military members. A member of the group also threatened to target the UK Ministry of Health. 

“It is worth taking any claims KillNet makes about its attacks or operations with a grain of salt,” HC3 noted. “Given the group’s tendency to exaggerate, it’s possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground.”

Although the US government recently seized 48 internet domains associated with DDoS-for-hire services, uncertainty remains, and the cyber threat landscape is constantly evolving.

“Despite this success, it remains unknown if (and how) this law enforcement action might impact KillNet which turned its DDoS-for-hire service into a hacktivist operation earlier this year,” HC3 underscored.

“Furthermore, it is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support. This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used.”

Mitigation Tactics

Although it can be difficult to mitigate DDoS risks, HC3 encouraged healthcare organizations to enable firewalls to mitigate application-level DDoS attacks and implement a multi-content delivery network (CDN) solution. There are also lots of free guidance and resources that organizations can use to mitigate risk.

For example, in November 2022, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint guide containing recommended procedures to reduce the likelihood and impact of DDoS attacks.

“In a progressively interconnected world with additional post-pandemic remote connectivity requirements, maintaining the availability of business-essential external-facing resources can be challenging for even the most mature IT and incident response teams,” the CISA, FBI, and MS-ISAC wrote in the guide.

“It is impossible to completely avoid becoming a target of a DDoS attack. However, there are proactive steps organizations can take to reduce the effects of an attack on the availability of their resources.”

Organizations should begin by identifying services that may be exposed to the public internet and the ways in which their user base connects to networks. Additionally, the entities recommended that organizations engage with internet service providers (ISP) and cloud service providers, understand dedicated edge network defenses, and develop a DDoS response plan.