The Russia-affiliated hacktivist group known as KillNet has been observed targeting healthcare applications hosted on Microsoft Azure infrastructure for over three months.
The tech giant unveiled details about the new campaign in an advisory published on Friday. The Azure Network Security Team said it saw between 10 and 20 attacks in November 2022 and between 40 and 60 daily attacks in February 2023.
“We tracked attack statistics through the same time period and observed that DDoS attacks on healthcare organizations didn’t demonstrate severely high throughput,” reads the Microsoft technical write-up.
“There were several attacks hitting 5M packets per second (PPS), but [the] majority of attacks were below 2M PPS. These attacks, although not extremely high, could take down a website if not protected by a network security service.”
The tech company also observed a variety of multi-vector layer 3, layer 4 and layer 7 DDoS attacks.
“In contrast to overall DDoS attack trends for 2022, in which TCP was the most common attack vector, 53% of the attacks on healthcare were UDP floods, and TCP accounted for 44%, reflecting a different mixture of attack patterns used by adversaries on healthcare,” reads the advisory.
Among the healthcare organizations targeted in these attacks, Microsoft said KillNet’s main focus was on pharma and life sciences (31%), followed by hospitals (26%), and healthcare insurance and health services and care (16% each). Geography-wise, most KillNet attacks came from the US, Russia or Ukraine.
“These attacks were successfully mitigated for customers enrolled in Azure DDoS Network Protection and Web Application Firewall services,” Microsoft clarified.
At the same time, the Azure Network Security Team warned that, through the use of DDoS scripts and stressors, botnets and spoofed attack sources, KillNet could easily disrupt websites and apps that are not adequately protected.
The tech giant’s advisory comes a few months after KillNet hacktivists reportedly targeted and brought down several hospital websites across the US and the Netherlands.