News, news analysis, and commentary on the latest trends in cybersecurity technology.

Keeping KillNet at Bay: Use the IP Address Blocklist

Security teams can use a blocklist containing tens of thousands of proxy IP addresses used by the pro-Russian hacktivist group to defend their organizations from DDoS attacks.

Dark Reading Staff, Dark Reading

February 7, 2023

2 Min Read
people being linked to other groups
Source: Marcos Alvarado via Alamy Stock Photo

SecurityScorecard has pulled together a list of proxy IP addresses used by KillNet to launch distributed denial-of-service attacks (DDoS) against various entities around the world over the past year.

KillNet has taken responsibility for DDoS attacks against US-based hospitals and airports, as well as financial and government organizations in Germany. The pro-Russian group is targeting countries supporting Ukraine, especially NATO countries.

In a DDoS attack, the attack group cause thousands of connection requests and packets to be sent to the targeted entity's server or website per minute. The attack is made possible by bots – compromised systems that are being harnessed by the attack group. The sheer volume and size of these requests and packets can slow down the targeted system or even overwhelm it to the point where it is no longer available.

In January, KillNet's attacks took websites for 14 hospitals offline; affected organizations included University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Knocking websites offline for days or disrupting network connectivity can interfere with patient care: Patients may be prevented from scheduling appointments and doctors may be unable to send and receive health information online. Both the US Department of Health and Human Services (HHS) and the American Hospital Association released warnings that KillNet posed a threat to healthcare organizations.

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," AHA said.

SecurityScorecard's blocklist, which lists tens of thousands of proxy IP addresses used by the hacktivists in previous DDoS attacks, can be particularly helpful for defenders at healthcare organizations. Security teams can use the list, which is regularly updated by SecurityScorecard's team of researchers, and deploy firewall rules to block malicious traffic from even entering the network. The list can also support network monitoring and investigations to identify and track attacker activities.

Right now, it is just DDoS attacks, but there is also the worry that other criminal groups – such as ransomware gangs – sharing KillNet's political views will join in to target these organizations.

"It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet's call and provide support," HHS warned. "This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used."

Cloudflare's analysis shows an increase in DDoS activity against healthcare organizations and that there may already be multiple threat actors acting on behalf of KillNet.

"The attacks observed by the Cloudflare global network do not show a clear indication that they are originating from a single botnet and the attack methods and sources seem to vary," Cloudflare said last week. "This could indicate the involvement of multiple threat actors acting on behalf of Killnet, or it could indicate a more sophisticated, coordinated attack."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights