How geopolitics and hacktivism are causing trouble for the healthcare industry
Killnet, a Russia-aligned threat actor group, has claimed responsibility for a cyberattack that brought down the websites of 14 U.S. hospitals on January 30, including Duke University, Stanford Healthcare, and Cedars-Sinai. The distributed denial of service (DDoS) attack came one month after the U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center issued a warning about the group. Cyberattacks on healthcare organizations are on the rise. The volume of these breaches, and the associated publicity, contributes to a lack of trust in healthcare systems. Cyber resilience is necessary for building and sustaining trust in our institutions, but according to the World Economic Forum (WEF), only 19% of cyber leaders feel confident that their organizations are cyber resilient.
Killnet was reportedly behind a similar attack in Germany on January 25. And in November 2022, Killnet’s associate, Anonymous Russia, claimed responsibility for a DDoS attack against the European Parliament’s website after it adopted a resolution declaring Russia a state sponsor of terrorism and calling upon the EU to further isolate the country. To help organizations better protect themselves, SecurityScorecard has published a list of proxy IPs to help block the Killnet DDoS bot.
The group, which emerged in January 2022, organizes in an encrypted chat group hosted on a Telegram channel with over 92,000 subscribers. It is there that (mostly Russian) followers are recruited and taught to hack. They discuss the coordination of attacks and possible targets, and share instructions for carrying out those attacks. A common strategy employed by both Killnet and Zhadnost, the Russia-linked DDoS botnet that SecurityScorecard researchers identified at the beginning of the war in Ukraine, is to exploit vulnerabilities in MikroTik routers.
While Killnet is making a name for itself with a series of recent, high-profile attacks, they are not the only threat actor group exploiting organizational vulnerabilities. A growing number of recent cyberattacks on critical infrastructure originate from nation-states and their proxies. In fact, the number of nation-state attacks against critical infrastructure has doubled from 20% to 40% between July 2021 and June 2022. And with the anniversary of Russia’s invasion of Ukraine fast approaching, these incidents show no sign of stopping. Russia is the suspected culprit behind an attack against Montenegro’s water infrastructure in August 2022 and a wave of denial-of-service attacks against Lithuania’s state-owned energy company.
Building cyber resilience in critical infrastructure
SecurityScorecard’s recent report examined the state of critical infrastructure and found that cyber resilience has gotten worse, despite years of increased focus on cybersecurity. And our most essential institutions are sometimes the most vulnerable, as was the case in Killnet’s hospital attack. SecurityScorecard’s benchmark report, “Common External Cyber Risk Factors in the Healthcare Sector” (December 2022), studied 126 organizations and found that 70% have at least one high-severity Common Vulnerabilities and Exposures (CVE) entry. Additionally, 39 malware families were detected across 30 organizations. As a result, we believe that healthcare organizations must improve their patching cadence, network security, application security, and DNS health.
DDoS attacks are relatively unsophisticated but can still cause serious damage, especially when they affect hospitals. And for most organizations, a cyber incident is not a matter of if, but when. An institution’s level of cyber resilience can preserve its trust with customers and the public at large, which is why having a system in place to respond to incidents is vital. During a cyberattack, organizations need access to intelligence and forensics to help prevent future attacks. The first 24 hours after the discovery of a breach are crucial, which is why SecurityScorecard’s Incident Response team can help triage the situation, stop further damage, offer communication guidance, investigate the source, and provide actionable post-incident reporting.
We stay up to date on the tactics, techniques, and procedures (TTPs) of threat actors, including nation-states, ransomware operators, insiders, organized criminals, and hacktivists. Additionally, we maintain blocklists (available by request) that can help defend against Killnet and similar groups by identifying IP addresses involved in their previous attacks. Our team provides the expertise to assist with law enforcement and regulators, while also notifying affected parties.
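The proxy-IP list mentioned above and the blocklists in this section are only useful if a defender can actually apply them: merge the entries into a compact set of networks, check web-server logs against that set to see whether a DDoS wave is already hitting, and export the set into a firewall rule. The script below is an added example, not SecurityScorecard’s published list or tooling; the blocklist entries and log lines are constructed from RFC 5737 documentation ranges, and the combined-log regex and the nftables-style export are assumptions about the formats a practitioner would commonly have in hand.

```python
import ipaddress
import re
from collections import Counter

# Constructed blocklist in the shape a published proxy-IP list usually takes:
# one IPv4/IPv6 address or CIDR per line, "#" comments allowed.
# These are RFC 5737 documentation addresses, NOT real attacker infrastructure.
BLOCKLIST_TEXT = """
# proxy IPs (constructed example)
198.51.100.0/24
203.0.113.7
203.0.113.8
2001:db8:dead::/48
"""

# Constructed Apache/nginx "combined" access-log lines (assumed format).
SAMPLE_LOG = """\
198.51.100.23 - - [30/Jan/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2023:10:01:02 +0000] "GET /patient-portal HTTP/1.1" 503 0 "-" "python-requests/2.28"
192.0.2.44 - - [30/Jan/2023:10:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.200 - - [30/Jan/2023:10:01:03 +0000] "GET / HTTP/1.1" 503 0 "-" "curl/7.85"
garbage line that should be skipped, not crash the triage run
"""

# Source IP, timestamp, request line and status from a combined-log record.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_blocklist(text):
    """Parse a blocklist into networks, merging overlapping/adjacent entries.

    collapse_addresses() only accepts one IP version at a time, so v4 and v6
    are collapsed separately and then concatenated.
    """
    by_version = {4: [], 6: []}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # host bits tolerated
        by_version[net.version].append(net)
    nets = []
    for version in (4, 6):
        nets.extend(ipaddress.collapse_addresses(by_version[version]))
    return nets


def is_blocked(ip, nets):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def match_log(log_text, nets):
    """Return (hits, per-source Counter) for requests from blocklisted sources.

    Lines that do not parse, or carry an unparsable IP, are skipped so that a
    single malformed record cannot abort an incident triage pass.
    """
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            blocked = is_blocked(ip, nets)
        except ValueError:
            continue
        if blocked:
            hits.append((ip, m.group("req"), m.group("status")))
            counts[ip] += 1
    return hits, counts


def to_nft_elements(nets):
    """Render the collapsed set as elements for an nftables set (assumed target)."""
    return [net.with_prefixlen for net in nets]


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    hits, counts = match_log(SAMPLE_LOG, nets)
    print(f"{len(nets)} blocklisted networks, {len(hits)} matching requests")
    for ip, n in counts.most_common():
        print(f"  {ip}: {n} request(s)")
    print("nft add element inet filter blocklist { "
          + ", ".join(to_nft_elements(nets)) + " }")
```

Collapsing the list before matching matters on a real feed: published proxy lists often contain thousands of individual addresses that fold into a few hundred prefixes, which keeps both the per-line check and the resulting firewall set small. Matching against historical logs also tells an incident responder whether the blocklisted sources were already probing before the outage, which is exactly the kind of context the first 24 hours of a response depend on.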
In addition to incident response and forensics, SecurityScorecard offers security ratings, which provide an outside-in view of an organization’s security posture. These ratings are becoming a trusted barometer of cyber resilience because they provide a standard unit of measurement and transparency. With this common language and level of insight, organizations can identify their own vulnerabilities in addition to the cyber risks posed by their suppliers and make informed decisions to strengthen their cyber defenses. As a global leader in cybersecurity ratings, SecurityScorecard helps businesses of all sizes and industries gain comprehensive visibility into the effectiveness of their cybersecurity efforts, detect and remediate the most critical areas of risk, and more. Gain continuous visibility into your cyber risk and deploy award-winning services and solutions with SecurityScorecard. Visit SecurityScorecard.com for more information.