DDoS Attacks on the U.S. Healthcare System Could Have Disastrous Results

Initial DDoS attacks launched at the U.S. healthcare system have been written off as a nuisance. This will change as more experienced attackers join the fray.


Imagine you need something to keep you alive, but you find out that a hacker has shut down the system that provides that life-saving necessity—say a ventilator or a medication dispensing system. What can you do?

At the beginning of March, the U.S. Department of Health and Human Services (HHS) warned that Russian hacktivists were launching DDoS attacks against the country’s healthcare industry, with the stated goal of targeting ventilators. Many of these attacks have focused on countries Russia sees as antagonistic to its national interests, such as Ukraine. Killnet, a group of Russian hacktivists, has already claimed responsibility for more than a dozen DDoS attacks on U.S. healthcare organizations to date, including:

  • Abrazo Health, Phoenix, Arizona
  • Anaheim Regional Medical Center, Anaheim, California
  • AtlantiCare, Egg Harbor Township, New Jersey
  • Buena Vista Regional Medical Center, Storm Lake, Iowa
  • Cedars-Sinai Hospital, Los Angeles, California
  • Duke University Hospital, Durham, North Carolina
  • Heart of the Rockies Regional Medical Center, Salida, Colorado
  • Hollywood Presbyterian Medical Center, Los Angeles, California
  • Huntsville Hospital, Huntsville, Alabama
  • Stanford Health Care, Menlo Park, California
  • Jefferson Health, Philadelphia, Pennsylvania
  • Michigan Medicine, Ann Arbor, Michigan
  • C.S. Mott Children’s Hospital, Ann Arbor, Michigan
  • University of Pittsburgh Medical Center, Pittsburgh, Pennsylvania

Killnet DDoS Disruptions

The Killnet group largely uses script-driven, individually operated distributed denial-of-service (DDoS) attack tools that generate direct-path application-layer and TCP state-exhaustion attacks. The attack vectors and methodologies Killnet has used in these attacks to date are well within established norms; organizations that have implemented and maintained comprehensive DDoS defense plans have mitigated them with minimal impact on operations. In most attacks, Killnet has caused some network disruption and may have stolen data, but it has yet to reach its stated goals of targeting ventilators, lab analysis applications, or medication prescription services, where an outage could cause real harm.

HHS’s Health Sector Cybersecurity Coordination Center (HC3) believes that the Killnet group exaggerates its capabilities and that its tool set remains relatively simple, so attaining its stated goals is a reach at best. However, leaning on this analysis, especially as other bad actors in the DDoS space with higher-level skills get involved, is simply not a risk that the healthcare industry can afford.

To its credit, HC3 has provided, among other things, lists of static mitigations for flood attacks and recommendations for DDoS defenses from internet service providers (ISPs) or cloud DDoS services, and has suggested that organizations understand their on-premises edge defense options. Although this guidance is a step forward, this level of mitigation is generally considered fundamental, especially in the face of the adaptive DDoS attacks we have seen recently against healthcare organizations and other entities.

How to Defend Against Dynamic DDoS Attacks

The new DDoS attacks are more dynamic: attackers change attack vectors frequently until one clears the existing network defenses. They also carry out advanced reconnaissance to tune attacks against priority targets such as specific services, applications, or sets of devices on the healthcare network, and they are expanding their DDoS botnets to launch direct-path attacks that defenders are not prepared for. As the name suggests, a direct-path attack sends traffic from the bots straight to the target organization, whereas a reflection/amplification attack spoofs the target’s IP address in requests to third-party services (mostly UDP, occasionally TCP) so that those services’ larger responses flood the target. Direct-path attacks can use several attack types, including TCP state-exhaustion and application-layer attacks, which are effective at much lower traffic volumes than volumetric floods.

To defend against these DDoS attacks successfully, healthcare organizations need solutions built on dynamic traffic analysis and machine learning that inspect traffic at a high level of granularity and detect and classify specific attack vectors as they appear. Such solutions can detect zero-minute attacks and changes to attack vectors. Once an attack is detected and classified, the solution needs to select the optimal method for blocking that specific vector. Unlike solutions that employ hard-coded logic, an adaptive DDoS defense combines machine learning algorithms with dynamically updated, actionable DDoS threat intelligence so that it can adapt to changing attack vectors in real time, drawing on both software and human security expertise.
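To make the distinction between reflection/amplification, TCP state-exhaustion and application-layer vectors concrete, and to show what "classify the vector per time window and notice when it changes" means in practice, here is an added example that is not part of the original post and not a vendor's detection engine. It is a deliberately simple heuristic classifier over constructed flow summaries (the `Flow` record layout, the thresholds, the reflector port table and the sample traffic are all assumptions of this example); a production adaptive defense would learn its thresholds from the organization's baseline and feed in external threat intelligence, which this script does not do.

```python
"""Heuristic DDoS vector classifier over constructed flow summaries.

Added example: groups sampled flows into fixed windows and labels each
window with the dominant vector, so a vector rotation shows up as
consecutive windows with different labels.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    t: int          # seconds since capture start
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str      # TCP flags as letters (S, SA, PA ...); "" for UDP
    nbytes: int
    uri: str        # HTTP request target if decoded, else ""


# Assumed reflector table: services commonly abused for amplification.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}


def classify_window(flows):
    """Return (label, detail) for one window of flows.

    Heuristics used here (assumptions of this example, not a standard):
    - reflection/amplification: UDP whose *source* port is a reflector
      service; the victim never sent matching requests.
    - tcp-state-exhaustion: bare SYNs (no ACK) from many distinct sources.
    - application-layer: established sessions hammering one URI.
    """
    if not flows:
        return "idle", {}
    n = len(flows)
    reflected = [f for f in flows if f.proto == "udp" and f.src_port in REFLECTOR_PORTS]
    syn_only = [f for f in flows if f.proto == "tcp" and f.flags == "S"]
    http = [f for f in flows if f.uri]

    if len(reflected) / n > 0.5:
        svc = Counter(REFLECTOR_PORTS[f.src_port] for f in reflected).most_common(1)[0][0]
        return "reflection-amplification", {"service": svc,
                                            "bytes": sum(f.nbytes for f in reflected)}
    if len(syn_only) / n > 0.5:
        return "tcp-state-exhaustion", {"syns": len(syn_only),
                                        "sources": len({f.src_ip for f in syn_only})}
    if len(http) / n > 0.5:
        uri, cnt = Counter(f.uri for f in http).most_common(1)[0]
        if cnt / len(http) > 0.8:   # one endpoint dominates: low-volume app-layer flood
            return "application-layer", {"uri": uri, "requests": cnt}
    return "benign", {}


def classify_timeline(flows, window=10):
    """Bucket flows into `window`-second windows; return [(start, label, detail)]."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.t // window) * window].append(f)
    return [(w, *classify_window(buckets[w])) for w in sorted(buckets)]


def build_sample_timeline():
    """Constructed sample traffic (not a real capture): an attacker rotates
    three vectors against one victim over 30 s, with a little legitimate
    traffic in every second so the classifier must tolerate background noise."""
    victim = "203.0.113.10"
    flows = []
    for t in range(30):
        for k in range(3):  # legitimate: a few established HTTPS sessions
            flows.append(Flow(t, "tcp", f"198.51.100.{k + 1}", 40000 + k, victim, 443, "PA", 900, f"/portal/{k}"))
        if t < 10:          # phase 1: DNS responses the victim never requested
            for k in range(40):
                flows.append(Flow(t, "udp", f"192.0.2.{k + 1}", 53, victim, 33000 + k, "", 1400, ""))
        elif t < 20:        # phase 2: SYN flood, many sources, no handshake completes
            for k in range(60):
                flows.append(Flow(t, "tcp", f"192.0.2.{(t * 60 + k) % 250 + 1}", 1024 + k, victim, 443, "S", 60, ""))
        else:               # phase 3: low-volume flood of one expensive endpoint
            for k in range(20):
                flows.append(Flow(t, "tcp", f"192.0.2.{k + 1}", 50000 + k, victim, 443, "PA", 300, "/api/patient/search"))
    return flows


if __name__ == "__main__":
    for start, label, detail in classify_timeline(build_sample_timeline()):
        print(f"t={start:>3}s  {label:<26} {detail}")
```

Run it and the three windows are labelled reflection-amplification (DNS), tcp-state-exhaustion (600 SYNs from 250 sources), then application-layer (200 requests for one URI at only 20 flows per second): the same static rate limit that stops phase 1 would not notice phase 3, which is the point of classifying per window rather than per threshold.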

DDoS attacks are challenging, and to some degree elusive, but focusing on static mitigations and upstream defenses may miss attacks specifically designed to evade these defenses. Defeating these attacks requires an on-premises edge defense solution that is designed to adapt defense strategies to the changing attacks and is backed by relevant, actionable threat intelligence to ensure effective DDoS protection.

Read more about active threat intelligence and our ATLAS Intelligence Feed (AIF) here.