Ukraine at D+341: Killnet hits US hospitals.
N2K logoJan 31, 2023

Cyber operations continue in the hybrid war, but again without obvious signs of coordination with kinetic action at the tactical or operational levels.

Ukraine at D+341: Killnet hits US hospitals.

Russian forces continue to push toward Bakhmut, scene of heavy fighting for the past six months, but there are conflicting reports on how the local attacks are progressing. The UK's Ministry of Defence this morning reported: "In the last three days, Russia has likely developed its probing attacks around the towns of Pavlivka and Vuhledar into a more concerted assault. The settlements lie 50km south-west of Donetsk city, and Russia previously used the 155th Naval Infantry Brigade in an unsuccessful assault on the same area in November 2022. Elements of the 155th are again involved as part of an at least brigade sized force which has likely advanced several hundred metres beyond the small Kashlahach River which marked the front line for several months. Russian commanders are likely aiming to develop a new axis of advance into Ukrainian-held Donetsk Oblast, and to divert Ukrainian forces from the heavily contested Bakhmut sector. There is a realistic possibility that Russia will continue to make local gains in the sector. However, it is unlikely that Russia has sufficient uncommitted troops in the area to achieve an operationally significant breakthrough."

Killnet is active against the US healthcare sector.

At least fourteen US medical centers (among them Duke University Hospital in North Carolina, Stanford Healthcare and Cedars-Sinai in California, University of Pittsburgh Medical Center, and Jefferson Health, Philadelphia, in Pennsylvania, according to the Carolina Journal) were hit by distributed denial-of-service (DDoS) attacks yesterday. The incidents are being attributed to the Russian cyber auxiliary Killnet. The American Hospital Association warned its members yesterday that, "The hacktivist group ‘KillNet’—has targeted the U.S. healthcare industry in the past and is actively targeting the health and public health sector. The group is known to launch DDoS attacks and operates multiple public channels aimed at recruitment and garnering attention from these attacks." This week's DDoS attacks seem to have been quickly contained and mitigated, which has normally been the case with earlier Killnet actions.

An alert issued by the US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) assessed the implications of the threat. "KillNet has been using publicly available DDoS scripts and IP stressers for most of its operations." These have been an offer for some time in the criminal-to-criminal underground markets. Law enforcement organizations have been able to take down some of those services and indict some of the operators, but HC3 cautions that the threat's far from over: "Despite this success, it remains unknown if (and how) this law enforcement action might impact KillNet which turned its DDoS-for-hire service into a hacktivist operation earlier this year. Furthermore, it is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support. This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used."

(Added, 2:00 PM, January 31st, 2023. Daniel Selig, Security Automation Architect at Swimlane, offered comments to put the DDoS attacks in perspective. While such attacks have generally not risen above a nuisance level, nonetheless they probably constitute a violation of the laws of war:

"Notorious Russian cybergang Killnet has claimed responsibility for a cyberattack that took down more than a dozen U.S. hospitals and medical centers’ online systems. While the direct connection has not yet been confirmed, the attack comes soon after President Biden’s decision to send 31 M1A2 Abrams tanks into Ukraine. This is not the first time that Killnet has launched cyberattacks on countries that have aided Ukraine in the war against Russia—last week, a plethora of German financial sector organizations, airports and public administration bodies were targeted by the cybercrime group in an extensive DDoS campaign. 

"It goes without saying that cyberattacks on hospitals and medical centers are some of the most dangerous—these attacks have the ability to knock systems offline in their entirety and keep patients from receiving the care that they require. As tensions between Russia and Ukraine continue to heat up, it is essential that outside parties involved with defending Ukraine are properly prepared for Russian backlash as Killnet continues to target allies. 

"It is important to be sympathetic to the challenges that these hospitals and medical institutions face—odds are stacked against many of these organizations, and it can be extremely difficult for them to keep up with ever-evolving threats and defend their critical systems. In fact, it is legally prohibited by the fourth convention of the Geneva Convention to attack civilian hospitals and medical transports, yet hospitals continue to face these threats far too often. Fortunately, automation continues to play a larger role in helping these organizations prioritize security and round out their defenses. To mitigate the repercussions of similar incidents and eliminate them entirely, organizations must prioritize robust security controls to thwart cybercriminals attempting to cause widespread disturbance. Leveraging low-code security automation enables these organizations to streamline security protocols and implement proper incident response to ensure complete protection, while also eliminating the chance of human error that may lead to internal access."

We also heard from Aleksandr Yampolskiy, Co-Founder and Chief Executive Officer, SecurityScorecard, who offered some insight into Killnet's organization and its place in the hacktivist and criminal ecosystem. "The Killnet group is considered hacktivists as they are very much driven by nationalistic tendencies to go after the West (because of support for Ukraine)," he wrote. "They provide Denial-of-Dervice (DDoS) instructions showing what scripts users need to install to run DDoS attacks against hospitals. Killnet solicited about 14 other Russian hacker groups to join in. Killnet organizes in an encrypted chat group hosted on the Telegram service. There are over 92,000+ subscribers in the Telegram channel for Killnet (who are eager to help participate - mostly from Russia). They share training tutorials for newbies to turn them into hackers. They also actively share passwords for compromised WordPress websites (and wp-login credentials ) to use them as jumping pods."

He also described some of Killnet's characteristic tactics: "A common theme with Killnet is the continued exploitation of MikroTek routers. Most of the proxy servers used by the CC-Attack tool are obtained from publicly available free proxy websites. A significant amount of the proxies harvested from those resources consist of misconfigured, vulnerable, and exploited devices that run MikroTik RouterOS. This attack is another example of how the proliferation of OT/IOT devices creates extra avenues for attack (e.g. a baby camera or refrigerator) that are improperly configured - can now be used by hackers. Currently, threat actors continue to target medical facilities in the US.")

Further reflections on the GRU's SwiftSlicer wiper.

The SwiftSlicer wiper ESET researchers found in some Ukrainian systems is being associated with Russia's GRU, specifically with the Sandworm group controlled by that military intelligence service. Cyber Security Connect observes that Sandworm has a history. "In particular, the group targeted Ukraine’s power grid in 2015, which saw experts from the University of California’s Berkeley School of Law call upon the International Criminal Court in The Hague to label the attack — and other Russian cyber aggressions — a war crime."

Dmitry Bestuzhev, Most Distinguished Threat Researcher, BlackBerry, offered some comments on this reappearance of wiper malware in Ukrainian systems.

"If we take a look at the Ukrainian threat landscape in 2022-2023, three leading malware families are targeting them: ransomware (massive), wiper (targeted), and backdoors with info stealing capabilities (targeting). Most of those malicious families apparently come from Russia and are used in the context of the war. While ransomware encrypts data, its massive propagation makes it possible to disrupt a significant number of computers. One of the most active groups targeting Ukraine is the Conti group. Wipers have not been used widely as they’re targeted weapons. However, the same threat actor called Sandworm has been actively working on developing wipers and ransomware families used explicitly for Ukraine. Sullivan Ransomware is an example of this. Finally, the backdoors with info stealers revolves around RomCom RAT, which is also coded to target Ukraine. Threat actors behind the attacks in Ukraine have two main goals: data destruction or information theft. Sometimes the second one is the first stage of more extensive operations leading to data destruction weeks or months later.

"In the case of the latest wiper attack against Ukraine, the original file name used by the threat actor is "Total Commander." That's a very popular file manager in Eastern European countries. It is unclear how that would end up on the infected machines; however, it's obvious the threat actor behind it relies on the filenames of the most popular apps. When we think about RomCom RAT, its initial infection vector is through a fake website that looks like a legitimate one. So malvertising is something to take care of, and social engineering is too. I would say that those two infection vectors are important to watch.

"In this case, the wiper used was GoLang, which has been increasingly covered in the media. GoLang is a cross-platform language, which is not simple to reverse. That makes it a solid choice when developing weapons. On one hand, it can be easily used to code for both Windows and Linux environments. On the other hand, when those samples end up in the hands of the researchers, it is time-consuming to reverse them."

SVR activity in the hybrid war.

The GRU and FSB have both recently been seen to be active in Russia's war against Ukraine. Researchers have also observed SVR activity, SecurityWeek reports. Russia's foreign intelligence service (tracked variously as Cozy Bear, the Dukes, Nobelium, Yttrium, and APT29) has used diplomatic-themed lures as phishbait, Recorded Future's Insikt Group concluded late in 2022. It's not clear who the targets are, but diplomatic bait seems particularly effective against a range of prospects, included but not limited to embassies and diplomatic staff, during periods of heightened international tension. Recorded Future follows the subgroup responsible as BlueBravo, and notes that it overlaps APT29 and Nobelium. "In October 2022 we identified BlueBravo staging GraphicalNeutrino malware within a malicious ZIP file," their report says, adding, "The staging and deployment of this ZIP file overlaps with the previously employed dropper EnvyScout, the use of which is linked to APT29 and NOBELIUM." BlueBravo is notable for its abuse of legitimate services.

Russia insists that it's the real victim here.

In fairness, TASS presents a very different picture of the cyber phases of Russia's hybrid war. Remarks by Russia's Deputy Foreign Minister are worth quoting at length. "In 2022, Russia faced unprecedented external cyberattacks. In fact, we became the target of coordinated aggression involving intelligence agencies, transnational IT corporations and ‘hacker activists' from the collective West and its puppets.... Not only are we recording a rise in attacks, but their complexity is also growing.... Our ill-wishers seek to cause as much damage as possible, using all the possible tools to hit our country’s critical infrastructure. The government sector took the main blow in 2022. The number of such attacks doubled and even tripled in the past year. We recorded numerous attacks on the Russian Foreign Ministry’s information resources. Ukraine, which has long lost its independence, is used by its sponsors as a springboard for cyberattacks on Russia and its partners." That's one way of looking at it.