A free tool aims to help organizations defend against KillNet distributed-denial-of-service (DDoS) bots, and comes as the US government issued a warning that the Russian cybercrime gang is stepping up its network flooding attacks against hospitals and health clinics.
At current count, the KillNet open proxy IP blocklist lists tens of thousands of proxy IP addresses used by the Russian hacktivists in their network-traffic flooding events. SecurityScorecard’s threat researchers developed the list following their ongoing investigation into KillNet and other network-spamming miscreants.
“DDoS attacks are relatively unsophisticated but can still cause serious damage, especially when they affect hospitals,” the security firm wrote in a recent blog about KillNet.
In late January, the Russian gang claimed responsibility for a series of these attacks that took 14 US hospitals’ websites offline. These included University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University and Cedars-Sinai. While DDoS attacks are normal, they can be used to mask more intrusive actions.
This prompted the US Department of Health and Human Services (HHS) to issue a second warning [PDF] about the threat KillNet poses to the health-care sector. This was the department’s second such security alert in as many months.
The pro-Kremlin group’s attacks — and sometimes empty threats — usually have a political bent to them. “For example, Killmilk, a senior member of the KillNet group, has threatened the US Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the US Congress,” HHS noted in its December security alert [PDF]. The US is still waiting for the claimed attack.
Similarly, last May, following the arrest of an alleged KillNet criminal in London, the gang threatened to target ventilators in British hospitals if the man wasn’t released.
“It is worth taking any claims KillNet makes about its attacks or operations with a grain of salt,” according to HHS. “Given the group’s tendency to exaggerate, it is possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground.”
The FBI and private security researchers have essentially called the group’s DDoS events publicity stunts, which, while annoying, have had “limited success.”
Publicity stunts…with potential for far worse
As a case in point: KillNet claimed responsibility for knocking more than a dozen US airports’ websites offline on October 10. However, the large-scale DDoS attack didn’t disrupt air travel or cause any operational harm to the airports.
A day later, the same criminals claimed they unleashed another bot army on JPMorgan Chase, but saw similarly feeble results. Clearly someone is trying to pad their PR budget.
And then in early November, a US Treasury Department official said the agency thwarted a “pretty low-level” DDoS attack targeting the department’s critical infrastructure nodes, also attributed to KillNet.
Although KillNet’s DDoS attacks usually do not cause major damage, they can cause hours-long service outages — or even knock websites offline for days — and this can be especially damaging to healthcare organizations and the millions of patients they support.
These network traffic flooding bots can prevent patients and doctors from sending and receiving health information online, and make it more difficult for patients to schedule appointments.
Plus, sometimes miscreants use DDoS as a distraction to keep organizations’ security teams occupied while they attempt more serious attacks, like stealing sensitive information or deploying ransomware.
As HHS warned: “It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support. This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used.”
This makes SecurityScorecard’s KillNet blocklist all the more valuable.
Additionally, as Akamai noted in a recent blog, KillNet attackers do their homework before selecting targets. “Recent events have shown that healthcare is likely to continue as a prime target,” it said, adding that these attacks usually focus on organizations that aren’t well protected.
The health-care industry had the most DDoS attacks on the Akamai platform in 2022, excluding “leading verticals” such as digital commerce, according to the provider.