Healthcare providers in the United States and other NATO countries have been warned about the risk of distributed denial of service (DDoS) attacks by the Russian hacktivist group Killnet. More than a dozen hospitals and health systems in the United States have been attacked over the past few days, including Stanford Healthcare, University of Michigan Health, University of Pittsburgh Medical Center, Duke University Hospital, Buena Vista Regional Medical Center, and Cedars-Sinai Hospital.
The timing of the attacks coincides with the decisions of NATO countries to send tanks to Ukraine to assist the country in the fight against the Russian invasion. The attacks in the U.S. came shortly after President Biden authorized sending dozens of Abrams tanks to Ukraine. Any country that has made similar pledges or is otherwise providing arms to Ukraine can consider itself a target. For instance, University Medical Center Groningen (UMCG) in the Netherlands suffered a DDoS attack even though the country has not provided any tanks to Ukraine; the Netherlands has, however, recently agreed to send a Patriot missile defense system to Ukraine.
Killnet started conducting attacks around the same time that Russia invaded Ukraine in early 2022 and primarily conducts DDoS attacks on governments and private companies in countries that are providing support to Ukraine. The DDoS attacks target servers and websites and can cause disruption for several hours to several days, preventing access to essential services. The group operates several public channels for recruiting new members, public communication, and issuing threats. While the group is aligned with Russia, it does not appear to be tied to either the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR).
The group claimed to have conducted an attack on a U.S. healthcare organization that provides healthcare services to the military and said it stole a significant amount of patient data. It has also issued threats to conduct similar attacks on other healthcare providers. The group previously threatened to target life-saving ventilators in British hospitals in response to support for Ukraine, although some of these threats may have been issued just to attract media attention. It is currently unclear whether the group has managed to steal data from healthcare organizations or is solely concerned with conducting DDoS attacks to cause disruption and to spread fear, uncertainty, and doubt (FUD).
A Killnet attack list naming many hospitals and health systems in multiple countries was recently shared on social media, and several of the listed organizations have announced that they have experienced DDoS attacks on their websites. These attacks have caused minimal disruption, typically intermittent and lasting hours or a few days, and do not appear to have included network compromises or data theft.
The Health Sector Cybersecurity Coordination Center (HC3) has advised all healthcare organizations to strengthen their defenses against DDoS attacks and to be wary of ransomware attacks. While Killnet does not appear to be involved in ransomware attacks, its calls for support from the cybercrime community may result in pro-Russian ransomware gangs targeting the healthcare sector.