Inside The Wire

THE RUNDOWN

Pro-Russian hacktivist group KillNet claimed responsibility for a wave of Distributed Denial of Service (DDoS) attacks on U.S. and foreign healthcare institutions early this week. According to the group’s Telegram channel, they targeted hospitals in all 50 states, as well as institutions in the Netherlands, Germany, Spain, and Portugal.

At the time of writing, Atrium Health, among many others, has restored access to its website, while other public websites, including that of the University of Iowa Hospital and Clinics, are still down.

Between January 30 and 31, KillNet called upon the ~90,000 supporters in its Telegram group to attack these healthcare institutions, referencing the targeted countries’ support of Ukraine.

DDoS attacks are a popular choice among attackers: they have a high success rate, require little skill to carry out, and the tooling needed is cheap or freely available.

Who is KillNet?

KillNet is a Russian "hacktivist" group that has been active since approximately January 2022. It is possibly tied to either the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR), although this is unconfirmed. State-sponsored or not, cybercrime groups like KillNet are often primarily financially motivated. On April 20, 2022, KillNet was included in CISA Alert AA22-110A (Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure) among a list of Russian cybercrime groups that pose a threat to U.S. critical infrastructure organizations.

A recent HC3 analyst note comments on the tooling behind KillNet's operations:

“While senior members of the group likely have extensive experience launching DDoS attacks — leadership has previously operated their own DDoS services and botnets — KillNet has been using publicly available DDoS scripts and IP stressors for most of its operations.”

Screenshot from the Killnet Telegram channel listing allegedly successfully targeted institutions

Additionally, open-source research shows that Russian cybercriminals sell their DDoS services on the open web.

Strike Source pulled the following image from a recent post on a forum popular with Russian cybercriminals. The seller's advertisement reads:

“A botnet based on Medusa Botnet and loaded from 2020. There are about 50 browsers (per computer) running on Windows that pass any anti-DDoS protection. Our botnet ranges from 10,000 to 80,000, which, in 2023, is the largest botnet not only in Windows, but in the IoT as well.”

“We have over 1000 servers with 10 gigabit channels, which is equivalent to a botnet. Self-written scripts which emulate a browser or use socket flooding with pipelining.”

“All our tests are free (up to an hour, if necessary), if you want to check your site/someone else’s = reach out, but we only do the test before the purchase.”

“Our prices are the lowest on the market. Literally from $20. Prices depend on the content of the site, site category (commerce, gaming, government, etc.), the protection of the site (Cloudflare, DDoS-Guard, StormWall, etc.), and on the duration.”

“We have a discount for regular customers, as well as a discount for orders for a period longer than one day.”

“We accept orders of any complexity and category.”
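The seller above advertises scripts that "emulate a browser" to get past anti-DDoS protection, and the HC3 note describes KillNet using publicly available DDoS scripts and IP stressors. A forged User-Agent defeats header-based filtering, but it does not hide the request rate. The following is an added example, not code from Strike Source, HC3, KillNet or the forum post: a sliding-window HTTP-flood detector that parses web server access logs in the common "combined" format, finds each client IP's peak request count inside any 10-second window, and flags IPs above a threshold together with how concentrated their requests are on a single path. The sample traffic, the IP addresses (from documentation ranges) and the threshold values are constructed for the example.

```python
"""
Sliding-window HTTP-flood detector over access logs (added example).

Assumptions: lines are in Apache/nginx "combined" log format; a 10-second
window and a 50-request threshold are illustrative, not tuned values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict; return None on a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def peak_window_count(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        # Advance the left edge until the window [left, right] fits.
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_floods(lines, window_seconds=10, max_requests=50):
    """Return {ip: stats} for every IP whose peak per-window count exceeds max_requests.

    Rate and path concentration are used rather than User-Agent, because a
    browser-emulating flood script sends a browser-like User-Agent anyway.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        peak = peak_window_count([r["ts"] for r in recs], window)
        if peak <= max_requests:
            continue
        top_path, n = Counter(r["path"] for r in recs).most_common(1)[0]
        flagged[ip] = {
            "peak": peak,
            "total": len(recs),
            "top_path": top_path,
            "top_path_share": n / len(recs),
        }
    return flagged


def build_sample_log():
    """Constructed traffic (not captured): two ordinary visitors plus one scripted flood source."""
    base = datetime(2023, 1, 31, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    lines = []
    # Ordinary browsing: a few requests spread over about a minute.
    visits = [
        ("198.51.100.23", "/"), ("198.51.100.23", "/appointments"),
        ("198.51.100.23", "/appointments/new"), ("192.0.2.10", "/"),
        ("192.0.2.10", "/patients/portal"),
    ]
    for i, (ip, path) in enumerate(visits):
        t = base + timedelta(seconds=12 * i)
        lines.append(fmt.format(ip=ip, ts=t.strftime(TS_FMT), path=path, ua=ua))
    # Flood: 120 requests to /login in under 10 seconds, same browser-like User-Agent.
    for i in range(120):
        t = base + timedelta(milliseconds=80 * i)
        lines.append(fmt.format(ip="203.0.113.7", ts=t.strftime(TS_FMT), path="/login", ua=ua))
    return lines


if __name__ == "__main__":
    for ip, info in detect_floods(build_sample_log()).items():
        print(f"{ip}: peak {info['peak']} requests in 10 s, "
              f"{info['top_path_share']:.0%} of {info['total']} requests to {info['top_path']}")
```

On the constructed log only 203.0.113.7 is flagged, with a peak of 120 requests in the window and every request aimed at /login; the two browsing sessions never exceed a handful per window. A single-IP rate check like this will not catch a distributed flood where each bot stays under the threshold, which is exactly what a 10,000-to-80,000-node botnet buys the attacker; for that, the same windowed count has to be applied per path or per site rather than per source.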

THE TAKEAWAY

The recent string of global DDoS attacks by KillNet demonstrates the willingness of state-aligned groups to target the U.S. healthcare system. While the most recent attacks were low in severity and caused little lasting damage, they could be a preview of what is to come. The targeted healthcare providers will likely respond by strengthening their network defenses, and hospitals that were not targeted would do well to follow the same pattern.