On March 17, Microsoft published a blog post on distributed denial-of-service (DDoS) attacks by KillNet and affiliated hacktivist groups against the healthcare sector. The U.S. Department of Health and Human Services (HHS) has described KillNet as pro-Russia hacktivists, and the group has been launching attacks against Western countries, targeting governments and focusing on the healthcare sector.
According to the post, DDoS is KillNet's main tool because DDoS attacks are a relatively easy and low-cost method of disruption. DDoS attacks also draw attention to the attacker's cause, which makes them a popular choice with hacktivists, and they can be launched anonymously through rented or compromised infrastructure, making it harder for authorities to track down the operators.
The blog post states that “We measured the number of attacks daily on healthcare organizations in Azure between November 18, 2022 and February 17, 2023. We observed an incline from 10-20 attacks in November to 40-60 attacks daily in February.”
Further, “We tracked attack statistics through the same time period and observed that DDoS attacks on healthcare organizations didn’t demonstrate severely high throughput. There were several attacks hitting 5M packets per second (pps), but the majority of attacks were below 2M pps. These attacks, although not extremely high, could take down a website if not protected by a network security service like Azure DDoS Network Protection.”
According to the blog post, the types of organizations attacked included:
- Pharma and life sciences – 31 percent
- Hospitals – 26 percent
- Health insurance – 16 percent
- Health services and care – 16 percent
“We also observed a combination of multi-vector layer 3, layer 4, and layer 7 DDoS attacks. Attacks are primarily targeting web applications, and intertwined TCP and UDP attack vectors,” the blog adds. “We observed layer 7 DDoS attacks consuming many TCP connections and keeping them alive long enough trying to deplete memory state resources to render the application unavailable. This is a repeated pattern noticed in several cases for attacks attributed to KillNet. Another common attack pattern tries to establish many new TCP connections over short intervals to hit CPU resources.”
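The two layer 7 patterns Microsoft describes (holding many TCP connections open to exhaust memory state, and opening many new connections in a short interval to exhaust CPU) can both be spotted from per-connection records. The following is an added example, not code from Microsoft's blog post: it runs over a constructed set of connection records and flags sources that match either pattern. The record fields, the sample IP addresses (documentation ranges) and the thresholds are assumptions chosen for illustration; in practice the records would come from `conntrack`, `ss`/`netstat` snapshots or a load balancer's connection log, and thresholds would be tuned to the service's normal traffic.

```python
"""Flag sources matching the two connection-exhaustion patterns described
above. Example code, not from Microsoft; sample data and thresholds are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Conn:
    src: str                  # client IP address
    opened: float             # time the connection was accepted (epoch seconds)
    closed: Optional[float]   # None if still open at observation time
    bytes_in: int             # request bytes received on the connection


# Constructed sample (assumed, not observed data):
#   198.51.100.7 holds 120 idle connections open for minutes (state exhaustion),
#   203.0.113.9  opens 400 short connections within a few seconds (CPU exhaustion),
#   192.0.2.44   is an ordinary client with a few normal requests.
NOW = 1_700_000_000.0
SAMPLE: List[Conn] = (
    [Conn("198.51.100.7", NOW - 300 + i, None, 40) for i in range(120)]
    + [Conn("203.0.113.9", NOW - 5 + i * 0.01, NOW - 5 + i * 0.01 + 0.2, 300)
       for i in range(400)]
    + [Conn("192.0.2.44", NOW - 60 + i * 10, NOW - 60 + i * 10 + 1.5, 900)
       for i in range(6)]
)


def long_lived_open(conns: List[Conn], now: float,
                    min_age_s: float = 60, max_bytes: int = 100) -> Dict[str, int]:
    """Per source: connections still open, older than min_age_s, that carried
    almost no data. This is the 'keep connections alive to deplete memory
    state' pattern; legitimate keep-alive connections usually carry requests."""
    counts: Dict[str, int] = defaultdict(int)
    for c in conns:
        if c.closed is None and now - c.opened >= min_age_s and c.bytes_in <= max_bytes:
            counts[c.src] += 1
    return dict(counts)


def new_conn_rate(conns: List[Conn], now: float, window_s: float = 10) -> Dict[str, int]:
    """Per source: connections opened within the last window_s seconds. This is
    the 'many new TCP connections over short intervals' pattern."""
    counts: Dict[str, int] = defaultdict(int)
    for c in conns:
        if now - window_s <= c.opened <= now:
            counts[c.src] += 1
    return dict(counts)


def flag_sources(conns: List[Conn], now: float,
                 idle_threshold: int = 50, rate_threshold: int = 100,
                 window_s: float = 10) -> Dict[str, str]:
    """Return {source: reason} for sources exceeding either threshold.
    Thresholds are assumed values; tune them to the service's baseline."""
    flags: Dict[str, str] = {}
    for src, n in long_lived_open(conns, now).items():
        if n >= idle_threshold:
            flags[src] = f"{n} idle long-lived connections"
    for src, n in new_conn_rate(conns, now, window_s).items():
        if n >= rate_threshold:
            flags[src] = f"{n} new connections in {window_s:g}s"
    return flags


if __name__ == "__main__":
    for src, reason in flag_sources(SAMPLE, NOW).items():
        print(f"{src}: {reason}")
```

Both checks are per source address, which is the right granularity for a single-origin probe but will under-count a distributed attack where each bot stays below the threshold; the same functions can be aggregated over a /24 or over an autonomous system, or compared against the server's total connection budget rather than a per-source limit, to catch that case.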
For those hosting web applications in Azure, the blog post recommends the following actions to defend against DDoS attacks:
- Enable DDoS network protection
- Design applications with DDoS best practices in mind
- Create a DDoS response plan
- Do not hesitate to ask for help during an attack
- Adapt post-attack by applying learnings to improve DDoS response strategies