The pro-Russia group Killnet launched a series of distributed denial-of-service (DDoS) attacks in the past few days against some of the top clinics and medical centers in the United States, and many experts posit that similar attacks could expand in breadth across other countries that are supporting Ukraine.
Why you’ve likely heard of Killnet
Killnet is not new, but the nature of their attacks on government institutions, private companies — and now, healthcare organizations — is evolving. Killnet is the same pro-Russian hacker collective that recently took down the European Parliament (EP) website with a DDoS attack after EP leaders “proclaimed Russia as a state sponsor of terrorism,” noted Parliament president Roberta Metsola. Lithuania, the Czech Republic, and Romania have also had their government websites attacked.
In the United States, the landscape is broader. Killnet's targets included the government websites of at least three states last year. U.S. airport websites also fell victim to Killnet in October 2022, and the group took credit for stealing employee data from defense contractor Lockheed Martin in an August 2022 cyberattack.
All these organizations can be considered critical infrastructure, but attacking healthcare systems takes that a step further, with the potential to affect millions of patients in one fell swoop.
Common techniques, unique target
Killnet employs two-stage attacks by first hitting websites with an HTTP flood and then hitting the sites with a DNS amplification attack. These techniques aren’t unique — but Killnet’s recent focus on the healthcare industry is.
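One way a defender can spot both stages described above in their own telemetry, as an added example that is not Akamai's code or tooling from this article: it flags an HTTP flood from per-source request rates in constructed access-log lines, then flags DNS amplification by looking for large DNS replies arriving from resolvers the protected host never queried. The log formats, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict, deque

# Assumed detection thresholds (tune to the site's normal traffic profile).
HTTP_RATE_LIMIT = 50      # requests per source IP per window
WINDOW_SECONDS = 10
DNS_MIN_AMP_BYTES = 1000  # unsolicited DNS replies this large suggest amplification

def detect_http_flood(web_log, limit=HTTP_RATE_LIMIT, window=WINDOW_SECONDS):
    """Stage 1: {src_ip: peak requests in one window} for sources over the limit.
    Lines: '<epoch> <src_ip> <method> <path> <status>'."""
    recent = defaultdict(deque)   # sliding window of timestamps per source
    flagged = {}
    for line in web_log.strip().splitlines():
        ts_str, src = line.split()[:2]
        ts = int(ts_str)
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > limit:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def detect_dns_amplification(flow_log, min_bytes=DNS_MIN_AMP_BYTES):
    """Stage 2: {resolver_ip: bytes} of large DNS replies from resolvers the
    protected host never queried (spoofed-source amplification looks like this).
    Lines: '<epoch> <in|out> <local_host> <remote_ip> <bytes>' on UDP/53."""
    queried = set()
    unsolicited = defaultdict(int)
    for line in flow_log.strip().splitlines():
        _, direction, _, remote, size = line.split()
        if direction == "out":
            queried.add(remote)
        elif remote not in queried and int(size) >= min_bytes:
            unsolicited[remote] += int(size)
    return dict(unsolicited)

# Constructed sample telemetry (not from the article).
# Stage 1: 203.0.113.7 sends 80 requests in 5 s; 198.51.100.4 is a normal client.
WEB_LOG = "\n".join(
    [f"{1000 + i // 16} 203.0.113.7 GET /appointments 200" for i in range(80)]
    + ["1000 198.51.100.4 GET / 200", "1003 198.51.100.4 GET /login 200"]
)
# Stage 2: web host 10.0.0.5 makes one real query to 192.0.2.53, then 200 large
# replies arrive from five open resolvers it never asked.
FLOW_LOG = "\n".join(
    ["1100 out 10.0.0.5 192.0.2.53 64", "1100 in 10.0.0.5 192.0.2.53 120"]
    + [f"{1101 + i // 50} in 10.0.0.5 192.0.2.{10 + i % 5} 3500" for i in range(200)]
)
if __name__ == "__main__":
    print("HTTP flood sources:", detect_http_flood(WEB_LOG))
    print("Unsolicited DNS reply bytes:", detect_dns_amplification(FLOW_LOG))
```

Rate-limiting alone will not absorb a volumetric flood; the point of the check is early, per-stage alerting so upstream scrubbing can be engaged before the second stage lands.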
Given the Biden administration's high-profile focus late last year on healthcare as a key area in which to enhance cybersecurity guidance and requirements, it’s not a complete surprise that a pro-Russia organization would capitalize on vulnerabilities. Whether these are assumed or ascertained weaknesses is beside the point.
What we know — and how we can help
Killnet attackers do extensive research on their targets, and recent events have shown that healthcare is likely to continue as a prime target. As the healthcare industry rapidly becomes more digitized, the conversation around posture, infrastructure, and mitigation is evolving.
Akamai is no stranger to that conversation, and we are driving a proactive dialogue by examining data and reviewing attacker reconnaissance techniques. In healthcare, this is especially important since the industry had the most DDoS attacks on the Akamai platform in 2022 (excluding leading verticals, such as digital commerce, which have a larger volume because of the established nature of their industries).
What we have observed is that groups like Killnet appear to be well aware of who is currently protected, and who is not. DDoS attacks tend to focus on less well-protected entities. Through careful and precise reconnaissance, the attackers determine who will be attacked next.
I know it’s hard to find the time and resources needed to assess what it will take to address accepted risks, but there is nothing worse than being pulled into a cyber war without a response plan that was constructed during peacetime.
Roger Barranco, Akamai’s Vice President of Security Operations
Stories from Inside the Global Security Operations Command Center
A simple HTTP request or BGP peering lookup can validate the request path from the attacker machine back to the target web server, or work out whether the target infrastructure is protected by BGP/routing-based DDoS defenses.
What’s next?
No one can predict the future. But as an industry that’s recently grappled with COVID-19, lower profit margins, and worker shortages (among myriad other challenges), it’s likely that readiness conversations in the healthcare space have been geared more toward clinical or financial outcomes.
That needs to change. Today, protecting patients is about more than wearing a mask or providing vaccinations. It’s about protecting patients’ personal data and holistically safeguarding the systems that require continuous uptime to provide healthcare 24/7/365. Assessing threat readiness is an essential part of the conversation — one that Akamai is well-versed to lead.
If an enterprise accepts the risk associated with a relatively weak layer in their defensive posture, they at minimum should perform a technical evaluation of what it will take to work through an emergency onboarding effort — like time to provision, impact during time to provision, existing gear configuration requirements, and cost.
Roger Barranco, Akamai’s Vice President of Security Operations
Stories from Inside the Global Security Operations Command Center
Learn more
Want to learn more about the evolution and growing threat of DDoS attacks? This 30-minute security architecture review with Akamai experts will help you identify whether you’re at risk.