US Trauma Centers Hit by KillNet's Recent DDoS Barrage

Russian Group Targets Patient Care and Evolves Its Tactics, HHS HC3 Report Warns
Most of the healthcare organizations hit by distributed denial-of-service attacks by pro-Russia hacktivists in January have one or more level 1 trauma centers, indicating that the attackers aimed to disrupt care for the most critically ill and injured patients, according to a new government report warning of the ongoing and evolving threats.
While nuisance hacking group KillNet and its affiliates have been active since at least January 2022 and have been targeting the U.S. healthcare and public health sector since last December, a coordinated bombardment of about 90 such attacks on Jan. 28 targeted medical organizations in the U.S. and several NATO countries, said the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (see: HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals).
Of these DDoS attacks, 55% were on healthcare systems with at least one hospital, or on stand-alone hospitals, that operate level 1 trauma centers, which provide the most comprehensive and highest level of critical care, the report says.
The attacks appear to be intended as retaliation against U.S. and NATO support of Ukraine in its war with Russia, although the January onslaught of DDoS attacks on the healthcare entities' websites had minimal effect. A government spokeswoman told The Record in February that there were no reports of unauthorized access to hospital networks, disruptions to healthcare delivery or impacts on patient safety.
"The good news is that for the most part, trauma centers are not dependent on the cloud infrastructure that KillNet and its affiliates are targeting to care for patients," said Erick Galinkin, principal researcher at security firm Rapid7.
"This targeting can be incredibly disruptive for patients and practitioners, but mostly in terms of billing, insurance and so on - not in terms of their actual ability to provide care."
Such DDoS attacks can be most disruptive in transferring patient information, Galinkin told Information Security Media Group. "DDoS is a tremendous nuisance, but given the limited resources hospitals so frequently have to cope with, focusing on higher-impact malicious activities like data theft and ransomware is far more important."
Still, KillNet and its affiliates' DDoS assaults pose an ongoing, concerning threat to healthcare sector entities, HHS HC3 wrote.
"Their signature DDoS attacks on critical infrastructure sectors typically only cause service outages lasting several hours or even days. However, the range of consequences from these attacks on the health and public health sector can be significant, threatening routine to critical day-to-day operations."
DDoS attacks are also sometimes a precursor to "a much larger nefarious plot" of a threat actor, HHS HC3 previously warned (see: Feds Urge Health Sector Entities to Guard Against DDoS).
In March, Microsoft Security reported that it had observed KillNet targeting healthcare applications using the Microsoft Azure infrastructure from Nov. 18, 2022, to Feb. 17, 2023, HHS wrote.
The type of organizations targeted in those Azure-related attacks included pharmaceutical and life sciences firms, hospitals, health insurers and other healthcare services providers.
"The findings illuminated new trends on KillNet and other hacktivist organizations' characteristic DDoS campaigns in Azure," HHS said.
"In contrast to overall DDoS attack trends for 2022, in which transmission control protocol (TCP) was the most common attack vector, 53% of the attacks on healthcare were user datagram protocol (UDP) floods, and TCP accounted for 44%, reflecting a different mixture of attack patterns used by adversaries," HHS wrote.
Once an adversary attacks with new tactics, techniques or protocols, it is critical for the "collective cyber industry" to quickly discover and share mitigation strategies to assist healthcare sector entities against future incidents, said Jess Parnell, vice president of security operations at Centripetal Networks, a cybersecurity firm.
"Defenders have had about four months to adjust their DDoS defense strategies to defeat a similar attack they experienced in January, forcing the attackers to shift their DDoS TTPs, which may or may not be as effective," said Parnell, who previously managed security operation services at HHS during the rollout of the Affordable Care Act's website, HealthCare.gov.
"One of the biggest problems the healthcare industry faces is the overwhelming amount of attacks and recon activities that are constantly being waged against them without any recourse," Parnell told ISMG.
The kind of activity seen recently "can be heavily mitigated by blocking any known bad threats provided through real-time threat intelligence," he said. "This will significantly reduce the amount of noise that the limited staff will need to parse through, greatly assisting them in detecting actual threats they need to be concerned about."