Advanced Persistent Threat Groups Behind DDoS Attacks on Danish Hospitals

On Sunday 26 February the websites of several Danish hospitals were taken offline after being hit by Distributed Denial of Service (DDoS) attacks claimed by a group calling themselves ‘Anonymous Sudan’. According to reports on Twitter, patient care was unaffected by the attacks and the sites were back online after a couple of hours.

The attacks are thought to be linked to the burning of the Quran in Stockholm by Danish/Swedish national Rasmus Paludan and follow several other attacks claimed by the same group on Swedish infrastructure since January, including national airline operator SAS Airlines and the national television broadcaster.

According to research by cyber security firm TrueSec in collaboration with Baffin Bay Networks, the new threat group carrying out the recent attacks has nothing to do with the original ‘Anonymous Sudan’ group. The report lists several reasons for this conclusion, including:

– the group is active only on the social media platform Telegram, like Russian hacktivist groups, with the user location for the Telegram account listed as Russia

– posts published only in English and Russian

– their operations are amplified by other pro-Russian hacktivist groups including Killnet and Anonymous Russia 

– there appears to be no traction for their operations in Islamic countries linked to Sudan

The report also found that, unusually for hacktivist activity, the traffic in the DDoS attacks against the Danish healthcare providers was not generated by an illegal botnet but by a cluster of paid servers, with traffic rerouted through open proxies to disguise the real origin of the attacks. While this is not evidence that the attacks were state-sponsored, the use of paid infrastructure indicates that someone is willing to finance them.
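One practical consequence of the finding above is that per-source-IP rate limiting is a weak defence against a layer 7 flood fanned out through open proxies: each proxy contributes only a modest share of the requests, so the signal is in the aggregate per-path request rate and in the number of distinct addresses hitting the same resource in the same window. The following is an added detection example written for this post; it is not code from the original article or from Imperva, TrueSec or Baffin Bay Networks. It parses web-server access-log lines in the common "combined" format, buckets requests into fixed windows per path, and raises an alert when a window exceeds a request threshold, noting whether the distinct-IP count is consistent with proxy fan-out. The log lines, thresholds, paths and addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (ip ident user [time] "METHOD path proto" status size "referer" "user-agent").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def detect_l7_spikes(lines, window_seconds=10, request_threshold=50, min_distinct_ips=20):
    """Bucket requests per (time window, path) and flag windows over request_threshold.

    A flagged window with >= min_distinct_ips distinct sources looks like traffic spread
    across many relays (open proxies), which is why the aggregate rate is what is measured.
    Thresholds are illustrative; tune them against the site's own baseline.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        bucket = int(rec["ts"].timestamp()) // window_seconds
        buckets[(bucket, rec["path"])].append(rec)

    alerts = []
    for (bucket, path), recs in sorted(buckets.items()):
        if len(recs) < request_threshold:
            continue
        ips = {r["ip"] for r in recs}
        alerts.append({
            "window_start": datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc),
            "path": path,
            "requests": len(recs),
            "distinct_ips": len(ips),
            "likely_proxy_fanout": len(ips) >= min_distinct_ips,
            "top_user_agent": Counter(r["ua"] for r in recs).most_common(1)[0][0],
        })
    return alerts


def build_sample_log():
    """Constructed sample: a quiet 10 s window of normal browsing, then a burst of 60
    requests to one login page from 30 different addresses in the next window."""
    base = datetime(2023, 2, 26, 13, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    def stamp(d):
        return d.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    for i in range(5):  # baseline traffic (documentation range 198.51.100.0/24)
        lines.append(fmt.format(ip="198.51.100.%d" % (i + 1), ts=stamp(base + timedelta(seconds=i)),
                                path="/", ua="Mozilla/5.0"))
    for i in range(60):  # burst via 30 relays (documentation range 203.0.113.0/24)
        lines.append(fmt.format(ip="203.0.113.%d" % (i % 30 + 1),
                                ts=stamp(base + timedelta(seconds=10 + i % 10)),
                                path="/patients/login", ua="python-requests/2.28"))
    return lines


if __name__ == "__main__":
    for alert in detect_l7_spikes(build_sample_log()):
        print(alert)
```

Running the block on the constructed log produces a single alert for the 13:00:10 window: 60 requests to /patients/login from 30 distinct addresses, marked as likely proxy fan-out, with a scripted user agent. In production the same grouping is better done at the edge (CDN or scrubbing layer) than in post-hoc log analysis, but the logic is the same: measure rate per resource, not per source.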

Why target healthcare?

The attack on the Danish hospitals this month followed a DDoS bombardment by the Killnet group against the healthcare and public health (HPH) sector in the United States throughout January and February, which resulted in the US Health Sector Cybersecurity Coordination Center issuing a warning and the Cybersecurity and Infrastructure Security Agency (CISA) supporting many organizations in responding to the attacks.

While there is still a lack of clarity about the connections or combined efforts between the threat actors orchestrating this recent spate of attacks in Sweden and Denmark, the attackers’ objective is clear: to cause maximum disruption by hitting NATO-backed countries where it hurts, taking their core healthcare services out of action.

In a speech by NATO Secretary General Jens Stoltenberg at the SAMAK Nordic Summit in Helsinki on 28 Feb. 2023, he said that while ‘military forces are necessary to protect our security’, ‘they are not enough’ adding that, ‘to strengthen the resilience of our societies’, ‘we must secure our cyberspace, supply chains, and critical infrastructure’.

Imperva has previously reported how DDoS attacks targeting internet service providers are capable of paralyzing critical infrastructure, but politically motivated hacktivists with the right financial backing are cutting out the middleman (the ISP) and going straight for the core services of their target nation, including hospitals and crucial healthcare services.

[Figure: Spikes in layer 7 DDoS attacks on healthcare]

Critical infrastructure services including defense, healthcare providers, first responders, state television broadcasters, financial systems, national airlines, energy providers, and, as the COVID pandemic has demonstrated, food retail providers, require rigorous security measures and a business continuity plan for the event of a cyber attack.

By implementing robust DDoS protection for your websites and networks you reduce the risk of being taken offline by an attack and ensure rapid recovery with minimal impact on operations.

Learn more about Imperva DDoS Protection here.


This is a Security Bloggers Network syndicated blog from Blog authored by Grainne McKeever.