Danish hospitals latest target of DDoS attacks on NATO-backed countries

A relatively new hacking group known as Anonymous Sudan hit nine hospitals in Denmark’s H region with DDoS attacks late on February 26, taking their websites offline for several hours.

Officials took to Twitter to alert patients to the outage and shared an emergency page with the hospitals’ relevant contact information while the IT team worked to recover the affected sites. The apparent DDoS attack had no impact on the rest of the digital infrastructure.

Anonymous Sudan’s Telegram channel warned of an attack on the Danish health infrastructure after a suspected far-right activist burned a Koran in front of the Turkish embassy in Stockholm on Saturday. The hackers warned the attacks would continue in retaliation for what they see as anti-Islamic behavior.

However, the attack on the Danish hospitals had only a limited impact, as the capital region and hospital websites were fully operational again after a few hours of downtime.

It’s the latest nation-backed cyberattack on a country with NATO ties, a growing risk to the critical infrastructure of countries actively supporting Ukraine in its conflict with Russia. Since the beginning of the year, Russian-backed threat groups have plagued the critical infrastructure of NATO members with what appear to be highly coordinated DDoS attacks.

Anonymous Sudan surfaced a month ago and, according to TrueSec research, is said to have nothing to do with a group of the same name that carried out attacks in 2019. The politically motivated hacktivist group is believed to be based in Russia and reinforced by the country’s hacktivism sphere – including Killnet and Passion Net.

These groups recently targeted the US healthcare sector. Killnet has already hit nearly 50 US healthcare organizations this year and launched a collaborative marketplace designed to secure funding for future attacks. Anonymous Sudan announced on February 19 that it had joined the Russian collective Killnet.

But unlike hacktivist groups like Killnet, Anonymous Sudan does not use an illegal botnet to generate the necessary volume of traffic for a successful DDoS attack. Research by TrueSec and Baffin Bay Networks revealed that the group uses a paid cluster of 61 servers hosted in Germany.

The attacks are then “routed through open proxies to obscure the true origin of the attacks,” according to the investigation. The result suggests that Anonymous Sudan is funded through paid infrastructure. “Additional evidence” shows the operation is being carefully funded by a willing donor and not “a spontaneous action by activists.”

On February 23, the known IBM servers used by the group were shut down, shortly after the group warned it would attack Denmark.

Initially, the Cybersecurity and Infrastructure Security Agency found that DDoS attacks would have limited impact. But in healthcare, there is a risk to patient safety when DDoS attacks are deployed against patient-centric technologies.

“This is war,” Carter Groome, founder and CEO of First Health Advisory, said earlier this month. The first round of Killnet attacks “cleaned our clocks.” These attacks and their potential impact on “the vital portion of the nation’s critical infrastructure cannot be overstated.”

His comments were followed by a supplemental resource on DDoS attacks on healthcare, warning of the need for remedial action given the risks to patient safety.

As for Anonymous Sudan, its recent Telegram post explains that the group does not sell its DDoS attack module or “anything”. However, the group will “search with great vigor for the best botnet for you,” and the post includes a list of three botnets that it is willing to test on behalf of interested parties.

The post, combined with its affiliation with Killnet, suggests there is more to come.
