HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group Threat to HPH Sector January 30, 2023

HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group 'KillNet' Threat to HPH Sector January 30, 2023

Executive Summary

The hacktivist group ‘KillNet’—has targeted the U.S. healthcare industry in the past and is actively targeting the health and public health sector. The group is known to launch DDoS attacks and operates multiple public channels aimed at recruitment and garnering attention from these attacks.


KillNet is a pro-Russian hacktivist group active since at least January 2022 known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the Russia-Ukraine war broke out last year. DDoS is the primary type of cyber-attack employed by the group which can cause thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems. While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days. Although KillNet’s ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group should be considered a threat to government and critical infrastructure organizations including healthcare.

Impact to HPH Sector

KillNet has previously targeted, or threatened to target, organizations in the healthcare and public health (HPH) sector. For example, Killmilk, a senior member of the KillNet group, has threatened the U.S. Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress. In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based healthcare organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization. In May 2022, a 23-year old supposed KillNet member was arrested in connection with attacks on Romanian government websites. In response to the arrest, KillNet reportedly demanded his release and threatened to target life-saving ventilators in British hospitals if their demands were not met. The member also threatened to target the UK Ministry of Health. It is worth taking any claims KillNet makes about its attacks or operations with a grain of salt. Given the group’s tendency to exaggerate, it’s possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground. On January 28, 2023 an the alleged Killnet attack lists for hospitals and medical organizations in several countries was found by users and publically shared.

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272