Alert essentials:
In response to ongoing developments in the war in Ukraine, the Russian-linked hacktivist group ‘KillNet’ has launched DDoS attacks this week against U.S. and German infrastructure, including healthcare organizations. So far, KillNet attacks have only sought to knock websites offline. Fortified has seen a pattern of ‘noisy’ attacks being a distraction while attackers deploy things like ransomware or other destructive attacks.
Detailed threat description:
The hacktivist group ‘KillNet’ is actively targeting critical infrastructure of nations allied with Ukraine, including the U.S. health and public health sectors. KillNet is a pro-Russian hacktivist group active since at least January 2022, known for its DDoS campaigns against countries supporting Ukraine.
KillNet has claimed responsibility for numerous DDoS attacks in recent days, including at least 14 attacks against U.S. hospital websites. Actions by KillNet are expected to remain limited to DDoS attacks which typically do not cause major damage, however they can cause service outages on public websites lasting several hours or even days. Additionally, organizations targeted by KillNet may face additional attacks by associated threat groups seeking to take advantage of disruptions as organizations handle the KillNet DDoS.
On January 28, 2023, an alleged KillNet attack list for hospitals and medical organizations in several countries began circulating online. However, specific target lists may not be comprehensive and may be subject to change. As a precaution, Fortified suggests that all healthcare providers act as if they are potential targets and follow recommendations to minimize any potential impact.
Impacts on healthcare organizations
Organizations without adequate protection against DDoS attacks risk internet-facing websites and associated IT systems downtime. Ransomware threats are currently elevated as other threat groups may seek to take advantage of disruptions to launch additional attacks.
Among several other industries, healthcare organizations are being targeted by KillNet with DDoS attacks. Multiple U.S., German, and Dutch hospitals have seen websites knocked temporarily offline, however patient care and availability of medical records have so far remained unaffected in all known attacks.
Recommendations
Engineering recommendations:
- Enable web application firewalls to mitigate application-level DDoS attacks.
- Implement a multi-content delivery network (CDN) solution.
- Ensure that DDoS attacks against internet-facing IT assets will not impact systems critical for patient care.
Leadership / program recommendations:
Implement the NCSC’s guidance for preparing against DoS attacks which includes:
- Understanding your service
- Upstream defenses
- Scaling
- Response plan
- Testing and monitoring
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://www.hhs.gov/sites/default/files/killnet-analyst-note.pdf
- https://www.msspalert.com/cybersecurity-news/russia-linked-hackers-launch-ddos-attack-on-germany-threatencanada-for-ukraine-artillery
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a#:%7E:text=Responding%20to%20Cyber%20Incidents
- https://www.ncsc.gov.uk/collection/denial-service-dos-guidance-collection/preparing-denial-service-dos-attacks1
