Killnet DDoS Attacks on Healthcare Decline as Identity Risks Rise
After a series of Killnet DDoS cyberattacks against healthcare facilities throughout January, hacktivist campaigns have slowed. However, the Department of Health and Social Services' Cybersecurity Coordination Center (HC3) warns that the risk posed by the misappropriation of digital identities remains high.
KillNet is considered a Russian-aligned hacktivist group, active since January 2022, and is known for its DoS and DDoS attacks against government institutions, including the healthcare sector.
An HC3 alert released this week notes that only “a few incidents” have been attributed to Killnet this month, outside of a DDoS attack on a lab, blood and pharmaceutical organization. The hacktivists’ Telegram channel also posted “little to no content on” possible healthcare targeting.
However, a predominant Killnet campaign against healthcare remains underway, focused on the exploitation of Microsoft Azure infrastructure over the past three months. As previously stated, life sciences and pharmaceutical organizations were the primary campaign target observed, followed by hospitals, health insurance, health services and healthcare.
The observed campaign overlapped with the previously leaked Killnet DDoS cyberattacks that resulted in the successful exfiltration of data from a series of hospitals, which later came to light on the so-called Killnet list.
The latest HC3 alert updates the January disclosure, noting that more than 90 DDoS attacks have been orchestrated at this time against health systems, stand-alone hospitals and medical centers. More than half of those victims were health systems with at least one hospital or stand-alone hospitals with Level I trauma centers that provide the highest level of care for critically injured patients.
Large facilities are ideal targets for Killnet and affiliated cybercriminals because they have “considerable patient data to capture and exploit,” HC3 said.
“Although their primary type of cyberattack method usually does not cause major damage, it can cause vulnerable systems to be out of service for several hours or even days,” according to HC3. “While many hacktivist groups refrain from targeting healthcare organisations, the group has dispassionately targeted hospitals and medical organizations in the sector.”
Although the industry has not faced a new upsurge in such attacks since the January incidents, Killnet continues to collaborate and recruit affiliates who share Russian interests. A Killnet article from March 21 “emphasized that they are decentralized, that KillNet is just an ‘idea’ that unites the cyber-patriots of Russia and that they are not supported by the (Russian) state.”
In addition to DDoS risks, the Killnet founder, who goes by the pseudonym KillMilk, has launched a new private military hacking company, Black Skills, which appears to be “highly organized” with 24 departments responsible for various separate functions, including intelligence, public relations, and general staff. It is currently unclear whether the group is a rebrand of KillNet or an initiative for more qualified members.
KillMilk has since left the group and been replaced by a hacker named Blackside, who focuses on ransomware, phishing, and crypto theft.
HC3 warns entities that the easiest way for hacktivists to find information about potential victims is through their online presence, easily found with a quick Internet search.
The alert recommends the use of Identity Management (IdM), a program that healthcare entities could use for their staff to proactively protect their identities from hacktivists like KillNet who actively exploit identity recognition tactics. The program includes discovery, analysis and management of the identity of the entity or an individual employee.
“IdM programs aim to improve an organization’s ability to mitigate current threats to its mission, capabilities, and personnel from adversarial and/or criminal entities seeking to exploit identity data, as well as identify emerging threats to the organization’s assets,” according to the alert.
The Killnet analysis contains a host of resources that healthcare entities can use to bolster defenses against hacktivist attacks. But HC3 makes it clear that “there is no single action that can protect an organization from cyber threat groups, such as KillNet.”
“Nevertheless, healthcare organizations must take proactive measures,” warns HC3. “Efforts should focus on minimizing the amount and sensitivity of data available to external parties.”