The UPMC, University of Pittsburgh Medical Center, showing DDoS attacks by Russian hacktivists

Russian Hacktivists Actively Targeting Hospitals With DDoS Attacks in the US and Pro-Ukraine Countries

The US Department of Health and Human Services (HHS) warned about widespread DDoS attacks on the country’s healthcare industry by Russian hacktivists.

HHS’s Health Sector Cybersecurity Coordination Center (HC3) warned that the pro-Russian hacking group Killnet had previously targeted, and was actively targeting, health sector organizations in a politically motivated hacking campaign.

DDoS (distributed denial of service) attacks involve sending a barrage of connection requests or data packets to overwhelm websites, networks, or devices and prevent legitimate users from accessing them.

Killnet usually targets countries that Russia perceives as antagonistic to its national interest. The attacks target countries supporting Ukraine, mainly NATO members. The latest escalation coincided with Western governments’ consensus on sending weapons, including American M1A2 Abrams and German Leopard 2 tanks, to Ukraine.

Russian hacktivists attack hospitals across multiple countries

Hospitals and medical organizations in several countries have experienced DDoS attacks from the pro-Russian hacktivist group.

The Killnet Russian hacktivists have claimed responsibility for DDoS attacks on more than a dozen US healthcare organizations, including:

  • Abrazo Health, Phoenix, Arizona
  • Anaheim Regional Medical Center, California
  • Atlanticare, Atlantic County, New Jersey
  • Buena Vista Regional Medical Center, Storm Lake, Iowa
  • Cedars-Sinai Hospital, Los Angeles, California
  • Duke University Hospital, Durham, North Carolina
  • Heart of the Rockies Regional Medical Center, Salina, Colorado
  • Hollywood Presbyterian Medical Center, California
  • Huntsville Hospital, Alabama
  • Rockies Regional Medical Center
  • Stanford Healthcare, California
  • Jefferson Health, Philadelphia, Pennsylvania
  • Michigan Medicine, Ann Arbor, Michigan
  • Mott Children’s Hospital
  • University of Pittsburgh Medical Center, Pennsylvania

The Russian hacktivists also targeted hospitals in the Netherlands, a NATO founding member that promised to send Patriot missiles to Ukraine. The Dutch hospital University Medical Center Groningen (UMCG) suffered DDoS attacks that Z-CERT attributed to the Killnet Russian hacktivists. However, according to the Dutch National Cybersecurity Centre (NCSC), the attacks had moderate to limited impact. Some reports suggest that the hacking group plans to target 31 hospitals in the country.

The Killnet Russian hacktivists also targeted British, German, Polish, and Scandinavian hospitals.

Meanwhile, a document containing alleged Killnet attack lists for hospitals in multiple countries was found by users and publicly shared on Twitter. Hospitals in the United States, United Kingdom, Germany, Netherlands, and Norway are among the targets.

In the past, Killnet has targeted businesses such as banks, airports, and government institutions, including state administrative and legislative bodies. Killnet’s recent victims include Colorado, Kentucky, and Mississippi states, Atlanta and Los Angeles airports, JPMorgan Chase bank, Lockheed Martin defense contractor, and the European Parliament.

The attacks have yet to produce the desired impact, amounting to little more than a nuisance. However, the recent attacks on healthcare systems mark a significant shift in the group’s operations and could disrupt critical operations, posing substantial risks to human life.

HHS did not quantify the risk of Killnet’s DDoS attacks but warned that such attacks could last “several hours or days.”

“Though bothersome over the short-term, DDoS attacks are the least likely category of cyber loss event that healthcare organizations risk in a year – they are far more likely to suffer a loss due to insider misuse or insider error leading to a data breach,” said Bryan Smith, CTO at RiskLens.

Killnet threatens to sell healthcare data and target lifesaving equipment

HHS disclosed that Killnet Russian hacktivists allegedly stole data from a U.S.-based healthcare organization serving the US military in 2022. The group also threatened to sell data stolen from Americans if the country did not change its policy on Ukraine.

Additionally, the Russian hacktivists threatened to target ventilators in British hospitals unless one of its members, in custody over attacks on Romanian government websites, was freed.

However, HC3 believes Killnet exaggerates its capabilities, and such threats can only be taken with a grain of salt. Nevertheless, the group intends to create fear, uncertainty, and doubt, undermining public support for the Western governments’ involvement in the Ukraine war.

Addressing health care cybersecurity

Meanwhile, HC3 warned that completely mitigating DDoS attacks is impossible. To help hospitals weather a blitz of Killnet DDoS attacks, HC3 published a list of mitigations, recommending testing and monitoring, implementing response plans, upscaling capacity, deploying upstream defenses, and understanding connected services.

The center also noted that Killnet’s attack toolset remains relatively simple, comprising publicly available DDoS scripts and IP stressers.

According to Aleksandr Yampolskiy, Co-Founder and Chief Executive Officer of SecurityScorecard, Killnet could exploit any misconfigured OT/IT device to achieve its objectives.

“A common theme with Killnet is the continued exploitation of MikroTik routers,” said Yampolskiy. “Most of the proxy servers used by the CC-Attack tool are obtained from publicly available free proxy websites. A significant amount of the proxies harvested from those resources consist of misconfigured, vulnerable, and exploited devices that run MikroTik RouterOS.”
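One concrete form of the testing and monitoring HC3 recommends is rate-based flood detection over web server access logs, including the proxy-spread pattern described above, where no single client is loud but many unrelated addresses hit one path with one identical User-Agent. The Python below is an added example, not HC3’s, SecurityScorecard’s or any vendor’s tooling; the log lines, IP addresses, thresholds and the shared-User-Agent heuristic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined (Apache/nginx-style) access log line: ip ident user [ts] "req" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one access log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_floods(lines, window_s=60, per_ip_max=25, min_sources=30, min_requests=50):
    """Bucket requests into fixed windows; return (kind, window, key) alerts.
    Thresholds are assumptions to tune against a site's normal traffic."""
    per_ip = defaultdict(int)        # (window, ip) -> request count
    sources = defaultdict(set)       # (window, path, ua) -> distinct client ips
    hits = defaultdict(int)          # (window, path, ua) -> request count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip malformed lines instead of crashing the monitor
        win = int(rec["ts"].timestamp()) // window_s
        per_ip[(win, rec["ip"])] += 1
        key = (win, rec["path"], rec["ua"])
        sources[key].add(rec["ip"])
        hits[key] += 1
    alerts = [("single_source_flood", win, ip) for (win, ip), n in per_ip.items() if n > per_ip_max]
    # Many distinct low-rate clients sharing one path and User-Agent: the shape a
    # proxy-fed flood tool leaves, where no single IP trips the per-IP threshold.
    alerts += [("distributed_flood", win, f"{path} {ua}") for (win, path, ua), ips in sources.items()
               if len(ips) >= min_sources and hits[(win, path, ua)] >= min_requests]
    return alerts

def constructed_log():
    """Constructed sample: two normal clients, one noisy client, and a 40-proxy spread flood."""
    def line(ip, sec, path, ua):
        return f'{ip} - - [30/Jan/2023:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [line("203.0.113.5", 1, "/patient-portal", "Mozilla/5.0"),
             line("203.0.113.6", 2, "/", "Mozilla/5.0 (X11)")]
    lines += [line("198.51.100.9", s, "/login", "curl/7.88") for s in range(30)]
    lines += [line(f"192.0.2.{i}", i, "/", "python-requests/2.28") for i in range(1, 41) for _ in range(2)]
    return lines
```

Running `detect_floods(constructed_log())` yields one alert for the noisy single client and one for the 40-address spread flood, while the two normal clients produce nothing; in production the same logic would feed an upstream scrubbing or rate-limiting control rather than a list.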

Given its suspected political connections in the Kremlin, public support within Russia, and a pervasive operational environment, dismantling Killnet will remain a challenge for Western governments.