The US government has issued a warning about the Russian cybercrime gang stepping up its attacks against hospitals and health clinics by flooding their networks and using, as part of its warning, a free tool that is designed to help organizations defend against KillNet distributed-denial-of-service (DDoS) bots.
Currently, tens of thousands of proxy IP addresses are listed on the KillNet open proxy IP blocklist. These IP addresses are being used by Russian hackers in their attempts to flood networks with traffic. Following the investigation that SecurityScorecard's threat researchers conducted on Killnet and other network spamming miscreants, the security company built this list of threats.
Although DDoS attacks are relatively unsophisticated, like many other attacks, they can still take a serious toll, especially when they disrupt hospitals, according to a recent blog post by the security firm using KillNet as an example.
A website taken down by the Russian gang toward the end of January was one of 14 hospitals targeted in the United States. The University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai Medical Center, among others, were some of the hospitals. There are several reasons for using DDoS attacks, one of which is to mask more intrusive activities.
A report released by the US Department of Health and Human Services (HHS) on Wednesday confirmed that KillNet is a threat to the healthcare sector and prompted DHS to issue a second warning. A similar security alert has been issued by the Department of Homeland Security twice in the last few months.
It is common for pro-Kremlin supporters to attach an ideological bent to their attacks - sometimes using empty threats to convey their message. "Killmilk, one of the leading members of the KillNet group, has threatened the US Congress with the sale of the health and personal information of American citizens to attack US policies concerned with Ukraine," according to the December security alert from HHS. According to the US, the planned attack has not yet been carried out.
In a similar vein, the gang threatened to attack ventilators and other technical devices in British hospitals if another alleged KillNet criminal arrested in London in May was not released as soon as he was arrested.
Although KillNet may claim to have carried out attacks on the US military, it is wise to take its claims with a pinch of salt, according to HHS. Given the fact that the group tends to exaggerate, there is a possibility that some of these operational and development announcements may simply be meant to garner attention, both publicly and within the cybercrime underground.
According to the FBI and private security researchers, the group's DDoS campaigns have been viewed as publicity stunts, which, as annoying as they have been, have had "limited success."
A Public Relations Stunt That Could Turn Wrong
KillNet claimed responsibility on October 10 for deactivating more than a dozen websites associated with US airports as part of an attack aimed at knocking the websites offline. Although the large-scale DDoS attack was disruptive, it did not disrupt air travel or harm the operation of the airports.
As soon as someone claimed to have unleashed a second bot army against JPMorgan Chase a day later, the same criminals saw similarly feeble results. In my opinion, some PR agency is trying to increase their budget for PR.
It was then that at the beginning of November, a US Treasury official announced that the department had halted a "pretty low-level" DDOS attack designed to disrupt critical infrastructure nodes in the department, also attributed to Killnet.
KillNet's DDoS attacks usually do not cause major damage but they have the potential to disrupt healthcare organizations and the millions of patients they serve for hours, days, or even weeks - and this can be especially damaging to organizations and patients in the healthcare sector.
It has been reported that these bots are flooding the network traffic of patients and doctors, preventing them from sending and receiving health information online and making it harder for patients to schedule appointments in the future.
Furthermore, sometimes miscreants use DDoS attacks as a distraction for their security teams to keep their attention while they work on more dangerous attacks, including the theft of sensitive information or the deployment of ransomware.
According to HHS, it is likely that pro-Russian ransomware groups, including those that were part of the defunct Conti group, will respond to KillNet's appeal and offer support. These results will most likely lead to KillNet targeting entities that will be victimized by extortion or DDoS attacks as a means of extortion, a tactic that several ransomware groups have employed.
