Pro-Russian hacktivist group Killnet this week launched distributed denial-of-service (DDoS) attacks on networks belonging to 14 major US hospitals in its continuing retaliation campaign against entities in countries the threat actor perceives as hostile to Russian interests in Ukraine.
The attacks — like most Killnet attacks since Russia's invasion last February — appear to have done little to seriously disrupt network operations at any of the targeted organizations, which included Stanford Health, Michigan Medicine, Duke Health, and Cedars-Sinai.
Designed to Garner More Support
That said, they are likely going to garner Killnet more support from other like-minded hacktivists in Russia and elsewhere, and possibly even fuel investments into its operations from others, making them more dangerous in the process, security experts said this week.
"Killnet has been actively attacking anyone who supports Ukraine or goes against Russia for almost 12 months now," says Pascal Geenens, director of threat intelligence at Radware. "They have been dedicated to their cause and have had the time to build experience and increase their circle of influence across affiliate pro-Russian hacktivist groups."
Killnet surfaced last year, soon after Russia invaded Ukraine in February. Since then, the group has carried out a series of often high-profile DDoS attacks on organizations in critical infrastructure sectors in the US and multiple other countries. Their victims have included airports, banks, defense contractors, hospitals, Internet service providers, and the White House.
Killnet's latest DDoS campaign this week against hospitals in the US and medical institutions in multiple other countries, including Germany, Poland, and the UK, were likely motivated by the recent US-led decision by NATO countries to send battle tanks to Ukraine. However, the impact of these attacks remains questionable.
Killnet's Questionable DDoS Impact
Mary Masson, director of public relations at Michigan Medicine, for instance, says Killnet's DDoS attacks hit multiple of its websites on Jan. 30, including uofmhealth.org and mottchildren.org. Masson describes the attacks as causing "intermittent problems" for some of Michigan Medicine's public-facing websites hosted by a third-party service provider.
"None of the sites impacted contain patient information, and all patient information is safe," she notes. "Patients were always still able to access the patient portal via myuofmhealth.org." The websites were all back to almost normal operations a day later, on Jan. 31.
Sally Stewart, associate director of media relations at Cedars-Sinai, describes Killnet's DDoS attack as having a similarly low impact on the hospital's operations: "The Cedars-Sinai website experienced a brief service interruption early Monday morning that has resolved. The website remains fully functional," Stewart said in an emailed statement to Dark Reading.
Stanford Healthcare and Duke Health did not immediately respond to Dark Reading's request for comment.
"They are not as disruptive as they claim to be," Geenens says, adding that Killnet’s main objective is attracting attention and getting their pro-Russian message heard. "They go after targets that are visible to the larger public, such as public websites of institutions, governments, and organizations." Often the resources the group has targeted are not business-critical.
A Mistake to Underestimate
That does not mean the group can be ignored, however. In an advisory following the recent DDoS attacks, the American Hospital Association described Killnet as an active threat to the healthcare industry.
"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," the AHA warned. Killnet's links to Russia's Foreign Intelligence Service remain unconfirmed, AHA noted, "[but] the group should be considered a threat to government and critical infrastructure organizations, including healthcare."
Importantly, Killnet's pro-Russian DDoS crusade has also begun attracting many more followers and fans. Daniel Smith, head of cyber-threat intelligence at Radware, says the number of subscribers for @Killnet_reserve on Telegram grew from about 34,000 subscribers to 85,000 subscribers in June 2022. "Just for comparison, IT Army of Ukraine has over 200,000 subscribers, but has been losing subscribers since March 2022," he says.
The group has focused quite a bit on publicity via its Telegram channel, which it also uses to encourage followers to conduct DDoS attacks of their own.
Jewelry and Rap Anthems: Growing Killnet Support
Radware's Geenens points to affiliate Russian groups such as NoName and the Passion Group offering their DDoS botnets to Killnet for carrying out attacks as one indication of the growing support it has begun attracting within Russia.
Other signs of the support that Killnet has mobilized in recent months include a song in the gang's honor, titled “KillnetFlow (Anonymous diss)” by a Russian rapper, and the sale of Killnet-related jewelry by a Moscow-based jewelry maker called HooliganZ. Killnet has also received some $44,000 worth of financial support from a Dark Web marketplace called Solaris, according to Radware.
"Killnet’s influence, reach, and skills are growing, and they are not showing signs of slowing down or retiring soon," Geenens warns.
It's unclear how, if at all, Killnet will leverage its growing support, or whether it will pivot to other, more dangerous forms of attack. Aleksandr Yamploskiy, co-founder and CEO at SecurityScorecard, notes how Killnet began as a financially motivated operation offering a botnet for hire. But it has since become more of a hacktivist collective, conducting a series of relatively low-sophistication DDoS attacks against targets it perceives to oppose the Russian invasion of Ukraine. "Killnet has historically made use of open proxy IP addresses and publicly available scripts in its attacks," he says.
What makes the group now potentially more dangerous are its growing reach and skills, Radware's Smith adds. A few months ago, Radware's assessment of the risk posed by a pro-Russian hacktivist group such as Killnet would have been low, he explains. "But after 12 months of building their experience," he says, "advancing their tools and growing their social network, I’m more likely to increase that risk to moderate."
While there's no reason for panic, it is better to err on the side of caution and be prepared. "Everyone in the security community knows it does not take extremely skilled or sophisticated actors to disrupt or cause impact to an organization or infrastructure," Smith adds.