HC3 Warns HPH Sector Of Pro-Russian Ransomware Gang

The Health Sector Cybersecurity Coordination Center (HC3) has released an analyst note informing the HPH sector about KillNet, a pro-Russian hacking group. Since January 2022, KillNet has been an active pro-Russian hacktivist group that has carried out DDoS campaigns against countries backing Ukraine, especially NATO members. These assaults began shortly after the United States and other nations decided to provide tanks to Ukraine to assist it in its struggle against Russian forces.

A DDoS attack floods a target server or website with thousands of connection requests and packets per minute, disrupting service. These attacks can cause outages lasting several hours or days, although they generally do not cause major damage. It is unclear whether KillNet is linked to Russian government agencies such as the FSB or SVR, but it should be viewed as a potential risk to organizations providing essential services such as banking, energy and, in particular, healthcare. The group has recently conducted a number of DDoS attacks targeting at least 15 medical institutions and health systems, including University of Michigan Health, Stanford Healthcare, Banner Health, Anaheim Regional Medical Center, and Atrium Health.

KillNet has previously targeted, or threatened to target, organizations in the healthcare and public health (HPH) sector. In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based healthcare organization, and in May 2022, a 23-year-old alleged KillNet member was arrested in connection with attacks on Romanian government websites. In response, KillNet reportedly demanded the release of its member and threatened to target life-saving ventilators in British hospitals. The group has also threatened the UK Ministry of Health. Reports of KillNet's attacks and operations have been exaggerated in the past, and some of these announced developments may be attempts to garner attention and notoriety in the cybercrime underground. While it is important to take any claims KillNet makes with a grain of salt, such threats are still worth taking seriously.

On December 14, 2022, the Justice Department announced the court-authorized seizure of 48 internet domains connected to DDoS-for-hire services, as well as criminal charges against those allegedly responsible for the services. These websites allowed customers to launch powerful DDoS attacks that jam up targeted computers. It is uncertain how this law enforcement action will affect KillNet, which shifted its DDoS-for-hire operations to hacktivism earlier this year. It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will come to KillNet's aid. This may mean that entities targeted by KillNet will be at risk of combined ransomware and DDoS attacks as a form of extortion, a tactic multiple ransomware groups have employed. Regardless of the outcome of the law enforcement action, senior members of the group are assumed to have extensive experience launching DDoS attacks, as the leadership has operated its own DDoS services and botnets in the past.

To protect health care organizations against attacks from the KillNet ransomware gang, the HC3 analyst note recommends a multi-pronged approach. This includes understanding the service, implementing upstream defenses, scaling, creating a response plan, testing and monitoring, and using additional measures such as web application firewalls or a multi-CDN (content delivery network) solution. To understand the service, organizations should identify any potential weaknesses or vulnerabilities. Upstream defenses can be put in place to detect and mitigate threats early and to limit the potential damage. Scaling is important to ensure the service can cope with sudden increases in traffic. A response plan should be developed so that the organization is prepared to respond in the event of an attack. Testing and monitoring should be used to ensure the defenses stay up to date and effective. Finally, web application firewalls and a multi-CDN solution should be implemented to minimize the threat of DDoS attacks by distributing and balancing traffic across a network. With the right measures in place, health care organizations can be better prepared to defend against the KillNet ransomware gang.
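The monitoring prong above is easiest to reason about with concrete traffic. The following is an added example, not code from HC3 or the analyst note: it parses constructed web-server access-log lines and applies two complementary checks, a per-source request limit that catches a single abusive client, and an aggregate requests-per-minute surge check against a normal baseline that catches a distributed flood whose individual sources each stay under the per-source limit. The IP ranges, paths, thresholds and baseline are assumptions chosen for the example.

```python
import re
from collections import Counter

# Apache/nginx combined-log prefix: source IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (source_ip, minute_bucket) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")            # e.g. 14/Feb/2023:10:01:02 +0000
    return m.group("ip"), ts[:17]  # "14/Feb/2023:10:01" -> per-minute bucket

def detect_floods(lines, per_ip_limit=600, baseline_rpm=600, surge_factor=10):
    """Two checks from the same log pass:
    - sources that exceed per_ip_limit requests in any single minute (single-source flood);
    - minutes whose total requests exceed baseline_rpm * surge_factor (distributed flood,
      which per-source limits miss because each bot sends only a little)."""
    per_ip_minute, per_minute = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # malformed line: skip rather than crash the detector
        ip, minute = parsed
        per_ip_minute[(ip, minute)] += 1
        per_minute[minute] += 1
    noisy_ips = sorted({ip for (ip, _), n in per_ip_minute.items() if n > per_ip_limit})
    surge_minutes = sorted(m for m, n in per_minute.items() if n > baseline_rpm * surge_factor)
    return noisy_ips, surge_minutes

def make_sample_log():
    """Constructed traffic (not real data): 20 normal clients at 30 req/min over three
    minutes, one abusive source sending 3000 req in minute 1, and 254 low-rate sources
    sending 40 req each in minute 2 (10160 req, none over the per-IP limit)."""
    lines = []
    def add(ip, minute, count, path="/patient-portal"):
        for i in range(count):
            lines.append(f'{ip} - - [14/Feb/2023:10:{minute:02d}:{i % 60:02d} +0000] '
                         f'"GET {path} HTTP/1.1" 200 512')
    for i in range(20):
        for minute in range(3):
            add(f"198.51.100.{i}", minute, 30)
    add("203.0.113.5", 1, 3000)
    for i in range(1, 255):
        add(f"192.0.2.{i}", 2, 40)
    return lines

if __name__ == "__main__":
    print(detect_floods(make_sample_log()))  # (['203.0.113.5'], ['14/Feb/2023:10:02'])
```

Log-based detection like this only confirms a flood after the edge has already absorbed it, which is why the note pairs monitoring with upstream defenses and scaling; the useful output here is the evidence (offending sources, affected minutes) that feeds the response plan and upstream filtering requests.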