Microsoft details DDoS attacks against healthcare, recent campaigns from KillNet

Microsoft on Friday shared details about the distributed denial-of-service (DDoS) attack landscape against healthcare applications hosted in Azure, while also highlighting the recent attack campaigns launched by KillNet and its affiliated hacktivist groups.

KillNet is a pro-Russia hacktivist group known for its DDoS campaigns against Western countries, targeting governments and companies with a focus on the healthcare sector. According to Microsoft’s security researchers, the group attempted to evade DDoS mitigation by changing its attack vectors, for example by using different layer 4 and layer 7 attack techniques and by increasing the number of sources participating in each campaign.

Microsoft measured the number of daily DDoS attacks on healthcare organizations in Azure between November 18, 2022, and February 17, 2023, and observed a significant increase in the frequency of attacks, with the number of daily attacks rising from 10-20 in November to 40-60 in February.

Among the various types of healthcare organizations, pharmaceutical and life sciences organizations were attacked the most, accounting for 31% of all attacks. Hospitals were the second most targeted with 26%, followed by healthcare insurance with 16% and health services and care organizations with 16% of all attacks.

The Microsoft Azure Network Security Team also observed multi-vector DDoS attacks combining layer 3, layer 4, and layer 7 techniques. These attacks primarily focused on web applications and used a mix of TCP and UDP vectors. The researchers observed layer 7 DDoS attacks that opened many TCP connections and kept them alive long enough to deplete the server’s connection-state memory and render the application unavailable, a pattern seen repeatedly in several attacks attributed to KillNet.
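The connection-holding behaviour described above leaves a recognisable footprint in a server's connection table: one client owning many long-lived, nearly silent established connections, and the idle share of all established connections climbing. The script below is an added, defender-side example written for this article and is not Microsoft's tooling or anything KillNet used. It assumes a simplified, constructed snapshot format (client IP, TCP state, connection age in seconds, bytes received) and illustrative thresholds that an operator would tune to their own baseline.

```python
"""Flag clients that hold many long-lived, nearly idle TCP connections.

Added example for this article; not Microsoft's code. The snapshot format
(ip state age bytes) and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client_ip: str
    state: str       # TCP state, e.g. "ESTAB" or "SYN-RECV"
    age_s: int       # seconds since the connection was accepted
    bytes_in: int    # application bytes received from the client so far


def parse_snapshot(text: str) -> list:
    """Parse a whitespace-separated snapshot: one 'ip state age bytes' per line.

    Blank lines and '#' comments are skipped. The format is an assumption
    made for this example, not a real tool's output.
    """
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, state, age, nbytes = line.split()
        conns.append(Conn(ip, state, int(age), int(nbytes)))
    return conns


def find_idle_connection_hogs(conns, min_age_s=30, max_bytes=200, min_conns=20) -> dict:
    """Return {client_ip: idle_count} for clients holding at least min_conns
    established connections that are older than min_age_s yet have sent no
    more than max_bytes. That combination is the per-client symptom of a
    connection-state exhaustion attempt rather than of normal HTTP traffic.
    """
    idle = defaultdict(int)
    for c in conns:
        if c.state == "ESTAB" and c.age_s >= min_age_s and c.bytes_in <= max_bytes:
            idle[c.client_ip] += 1
    return {ip: n for ip, n in idle.items() if n >= min_conns}


def idle_share(conns, min_age_s=30, max_bytes=200) -> float:
    """Fraction of established connections that are idle by the same rule.

    A sudden rise in this ratio is the server-wide symptom of state memory
    being consumed, and is a useful alerting signal alongside the per-client view.
    """
    estab = [c for c in conns if c.state == "ESTAB"]
    if not estab:
        return 0.0
    idle = [c for c in estab if c.age_s >= min_age_s and c.bytes_in <= max_bytes]
    return len(idle) / len(estab)


def build_sample_snapshot() -> str:
    """Constructed sample: one client parks 25 silent connections for minutes,
    another client makes 5 short, chatty requests, plus one half-open handshake.
    All addresses are documentation ranges (RFC 5737), not real hosts.
    """
    lines = ["# ip state age bytes  (constructed sample)"]
    for i in range(25):
        lines.append(f"203.0.113.10 ESTAB {120 + i} 60")
    for i in range(5):
        lines.append(f"198.51.100.7 ESTAB {i + 1} {4000 + 100 * i}")
    lines.append("192.0.2.9 SYN-RECV 1 0")
    return "\n".join(lines)


if __name__ == "__main__":
    snapshot = parse_snapshot(build_sample_snapshot())
    print("idle share of established connections:", round(idle_share(snapshot), 3))
    for ip, count in find_idle_connection_hogs(snapshot).items():
        print(f"client {ip} holds {count} long-lived idle connections")
```

Running the sample flags only the client parking 25 silent connections; the chatty client, whose connections are young and carry thousands of bytes, is left alone. In production the same logic would be fed from the real connection table on a schedule, with thresholds set from a quiet-period baseline so that slow legitimate clients (large uploads, long-polling) do not trip it.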

Here’s the distribution of DDoS attack types targeting healthcare:

  • UDP floods – 53.16%
  • TCP – 44.42%
  • IP flood – 1.78%
  • Packet anomaly – 0.36%
  • UDP amplification – 0.28%

As for the campaigns launched by KillNet and affiliated hacktivist groups, one attack targeted a healthcare provider. The attack lasted less than 12 hours and included TCP SYN floods, TCP ACK floods, and packet anomalies. The attack throughput wasn’t very…