HHS, AHA Warn of Surge in Russian DDoS Attacks on HospitalsAlerts Come as Attack Threats Spike in Recent Days
U.S. government and industry authorities are warning the healthcare sector of a surge in distributed-denial-of-service attacks in recent days against hospitals and other medical entities instigated by Russian nuisance hacking group KillNet.
See Also: Healthcare Sector Threat Brief
The American Hospital Association on Monday issued an alert for its members based on a warning also issued Monday by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center.
John Riggi, national adviser for cybersecurity and risk at the AHA, tells Information Security Media Group that several U.S. hospitals and healthcare systems in recent days have been hit with denial-of-service attacks by the Russian group. He declined to name the affected entities or their regions but said the number of victims so far is less than 10.
"A pro-Russian activist group has specifically targeted U.S. hospitals and health systems for these denial-of-service attacks, which basically means they're overloading hospital and health systems, public websites causing them to crash, making them unavailable and potentially, in some instances, might even impact the patient portal," he says.
"I've been in touch with the FBI as well about this. They're well aware of it, and they're actively warning and providing assistance to those impacted victims," Riggi tells ISMG.
KillNet is among a handful of Russian cybercrime groups that openly pledged allegiance to Moscow. The group, whose name comes from a tool used to launch DDoS attacks, has initiated a slew of them against Western targets since Russia escalated its invasion of Ukraine in February 2022. The attacks have mostly proved more irritating than dangerous. KillNet's activity typically picks up after a Russian setback, such as Germany's recent decision to send Leopard 2 advanced battle tanks to Ukraine and a pledge by the United States to send M1A2 Abrams tanks.
Hospitals should nonetheless pay heightened attention to ransomware attempts made in the wake of KillNet attacks, H3C warns. Other pro-Russian hackers, such as members of the defunct Conti ransomware-as-a-service group, may follow up KillNet's DDoS attempts with extortion malware.
The HC3 and AHA alerts say that on Saturday "an alleged KillNet attack list for hospitals and medical organizations in several countries was found by users and publically shared."
The alerts say that KillNet also has previously targeted, or threatened to target, organizations in the healthcare and public health sector.
"For example, Killmilk, a senior member of the KillNet group, has threatened the U.S. Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress," HC3 writes. "In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based healthcare organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization."
In its alert, HC3 reports that KillNet has been using publicly available DDoS scripts and IP stressers for most of its operations.
Federal prosecutors in December charged six individuals and seized four dozen web domains for offering DDoS-as-a-service, more commonly known as "booter" websites (see: US Prosecutors Charge 6 With Offering DDoS for Sale).
H3C says it's possible those takedowns may have affected KillNet's ability to launch DDoS attacks.