Attivo Networks Blogs

Russia-Ukraine War: Threats Facing the Healthcare Sector

As Russia’s military invasion and cyberattacks on Ukraine escalate, critical infrastructure entities, including those in the health and public health sector of the U.S. and other countries condemning Russia’s actions, must also be on high alert for potentially disruptive cyber assaults, some experts warn.

“Any state-sponsored Russian attacks aiming to support the Russian invasion of Ukraine, or to retaliate for U.S., NATO, or other foreign measures taken in response to the Russian invasion of Ukraine, are most likely to be destructive or disruptive in nature, rather than aiming to steal data,” says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is now a researcher with cybersecurity threat intelligence firm IntSights, a Rapid7 company.

Such types of attacks include distributed denial-of-service, website defacements and the use of ransomware or other destructive malware, he says.

“There have already been reports of DDoS attacks on Ukrainian websites, and Russia has historically used DDoS in support of operations against other former Soviet republics, such as Georgia, in the past,” he says.

It is a plausible scenario for state-sponsored Russian actors to expand the use of DDoS to include attacks against the U.S., NATO members and other foreign targets, such as government and financial services infrastructure, in retaliation for measures taken against Russia for its invasion of Ukraine, such as sanctions, he says.

“Healthcare is a potential target, but probably a much lower priority than the other more obvious ones, like government, financial services – particularly in response to sanctions against Russia – and utilities.”

Destructive Attacks

State-sponsored Russian actors previously used destructive malware to cause blackouts in Ukraine in 2015 and 2016, and state-sponsored Russian groups have also targeted the utility sectors of the U.S. and Europe, but without causing any disruptions, Prudhomme says.

“It was believed that these compromises of Western utility services aimed to maintain access to them in order to have the ability to disrupt them on demand in the event of a confrontation with NATO.”

The disruptive impact of such attacks would depend on the type of attack and also the location. For example, an attack on Ukrainian targets would probably have a more severe impact, Prudhomme says.

“Ransomware and destructive malware attacks would have the most disruptive impact on the provision of clinical services, if healthcare organizations are unable to access patient records and other information and systems that they need in order to treat patients,” he warns.

Prudhomme says that state-sponsored Russian actors could also pose as criminals by using ransomware to disrupt foreign targets, as they did in the 2017 NotPetya ransomware operation that targeted Ukraine.

“The attackers could simply refrain from decrypting files,” he says, “even if they receive ransom payments, in order to maximize and extend the disruptive impact on victims.”

Collateral Damage

As the conflict in the Ukraine worsens, a top concern for healthcare sector entities is potential “collateral damage” related to cyberattacks and corresponding kinetic attacks, says Erik Decker, CISO at Intermountain Healthcare.

“Right now, there’s no threat against the [U.S.] homeland directly that we’re aware of due to that conflict, but the ability for malware and other types of attacks that bleed over and come into the homeland is a concern,” says Decker, who is also co-lead of a U.S. Department of Health and Human Services cybersecurity task force and an executive council member of the Healthcare Sector Coordinating Council, a critical infrastructure advisory group to HHS.

Defacement Attacks

Website defacements “are often just a nuisance and probably the easiest to resolve,” Prudhomme says. “DDoS attacks could disrupt public-facing websites, but the duration would depend in large part on how long the attackers choose to sustain the attack,” he says.

Ukraine already has been experiencing website defacements, which provide attackers with an opportunity to spread messaging, he says.

“Website defacement is a more typically hacktivist tactic, but state-sponsored Russian actors could pose as hacktivists in order to disguise Russian state involvement and spread their strategic communication themes to international audiences by defacing Western websites,” according to Prudhomme.

Misinformation Incidents

On Wednesday, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, or HC3, issued an alert for the healthcare and public health sector – based on a recent advisory from CISA.

The agencies warn about incidents involving malicious actors using influence operations, including tactics like misinformation, disinformation and malinformation – aka MDM – “to shape public opinion, undermine trust, amplify division and sow discord.”

Foreign actors engage in these actions to bias the development of policy and undermine the security of the U.S. and its allies, disrupt markets and foment unrest, the HC3 alert says. CISA’s warning is intended to ensure that critical infrastructure owners and operators are aware of the risks of influence operations leveraging social media and online platforms, HC3 says.

Taking Action

As the conflict in the Ukraine worsens, all critical sectors, including healthcare, should be reviewing response plans, increasing network and endpoint monitoring, says Michael Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle.

Hamilton especially recommends that healthcare organizations ensure that vendor and business associates know to report their own compromises to covered entities. “An attack against a poorly-protected third party that has business relationships with lots of hospitals, for example, should initiate a response at those hospitals. If it happened to one of your suppliers, it may be headed toward you,” he warns.

Tony Cole, CTO at security firm Attivo Networks, offers similar recommendations. “Talking now with your internet and cloud service providers is a good first step to understanding how your offered services can be impacted and what should be done in your enterprise to counter an attack,” he says.

Cole says ransomware attacks are likely to increase significantly, and organizations need to “ensure that multifactor authentication is in place, identity services are managed and protected, proper cyber hygiene is being followed, and pristine backups are stored off-site and ready for use.”

Read the full article by Marianne Kolbasuk McGee on Healthcare Security Info.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

20 + 19 =

Ready to find out what’s lurking in your network?

Scroll to Top