HC3: Updated Analyst Note on KillNet Hacktivist Group Leave a comment

On April 5, the Health Sector Cybersecurity Coordination Center (HC3) published an analyst note on KillNet’s targeting of the health and public health sector (December 2022 – March 2023). The pro-Russia hacktivist group has been targeting the U.S. health and public health sector since December of 2022 primarily through denial-of-service (DDoS) attacks that cause service outages for several hours to several days. For the healthcare sector, the consequences of these attacks and downtime are critical.

On Jan. 30, we reported that BetterCyber, a cybersecurity company, tweeted that pro-Russian hacktivist group ‘KillNet’ took responsibility for DDoS attacks on official websites of U.S.-based hospitals. On that same day, the HC3 published an analyst note about the group and its threat to the health and public health sector.

HC3’s latest analyst note says that “In the late January 2023 attack, over 90 known orchestrated DDoS attacks took place on healthcare systems (covering multiple hospitals), lone hospitals, and medical centers. Of these, 55 percent were healthcare systems with at least one hospital and lone hospitals with Level I trauma centers, which provide the most comprehensive and highest level of trauma care to critically ill or injured patients. As they are normally large establishments with considerable patient data to enter and exploit, these types of HPH organizations are ideal targets for KillNet and its affiliates.”

“Since the February 24, 2022, Russian invasion of Urkaine, KillNet continued its harassment of U.S. and NATO countries’ critical infrastructure,” the note adds. “By December 2022, their targeting of the HPH sector was apparent, with announcements of their coordinated attacks across multiple countries posted on the Telegram channel of its founder and leader, KillMilk.”

The note also provides a timeline of screenshots from December of 2022 to February of 2023 of KillNet’s posts boasting about attacks on the healthcare sector.

As of March 2023, according to the note, there have been few incidents attributed to KillNet—except a DDoS attack on a laboratory, blood, and pharmaceutical sub-industry organization. Additionally, there is little to no content on the organization’s Telegram channel indicating further targeting of the HPH sector. Yet, on we reported on March 17, Microsoft published a blog regarding DDoS attacks by KillNet and affiliate activist groups in the healthcare sector using the Microsoft Azure infrastructure for over three months.

Interestingly, the note comments that “On their Telegram channels, both KillMilk and KillNet show that they are adroit in graphic design and have a penchant for using novel or “millennial” ways of announcing boastful threats or attacks, to include memes, gifs, emojis, and short edited videos. Demonstrating their hostility to the U.S. HPH sector, on February 4, 2023, five days after the release of HC3’s most recent Analyst Note on KillNet, former leader, KillMilk, posted a meme that seemingly threatened the U.S. Department of Health and Human Services (HHS). Whether signaling a future warning to HHS writ large or coincidentally in response to the Analyst Note, it has already been shown that the hacktivist group remains aware of open source articles or publications about their group (namely, from Medium user, CyberKnow, and online publication, SOCRadar).”

As for actions organizations can take to protect themselves from ransomware groups like KillNet, the note recommends taking proactive measures to mitigate against a variety of attacks including DDoS, such as minimizing the amount and sensitivity of data available to external parties and implementing identify management program.


Leave a Reply