Euro Security Watch with Mathew J. Schwartz

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

Red Cross Tells Hacktivists: Stop Targeting Hospitals

Of Course, KillNet and Its Ilk Don't Care - They're Likely Proxies for Moscow
An emergency medical evacuation team operating in Myanmar in 2012 (Image: International Committee of the Red Cross)

Hackers who disrupt healthcare services are violating international humanitarian law.

So says the International Committee of the Red Cross, which is calling on hacktivists to stop targeting civilians, as well as for governments to crack down on any such groups operating from inside their borders. Concerns over such attacks have risen since Russia in February 2022 launched a war of conquest against Ukraine.

"Civilian hackers and 'armies' have disrupted various civilian objects - including banks, companies, pharmacies, hospitals, railway networks and civilian government services," ICRC advisers Tilman Rodenhäuser and Mauro Vignati said in a recent European Journal of International Law blog post that lays out eight rules for hacktivists to follow.

"Civilian hackers must respect the law of the countries they operate in," the two said, adding that this includes a prohibition on conducting "any cyber operation against medical and humanitarian facilities."

For the past three years, Rodenhäuser has spearheaded an initiative the ICRC says is designed to "find a way to digitally mark the assets, services and data of medical and humanitarian operations," to provide a digital equivalent to the globally recognized red cross or red crescent symbol.

"For medical personnel and medical facilities, and for the humanitarian operations of the International Red Cross and Red Crescent Movement, the red cross and red crescent emblems - a simple red cross or red crescent painted on the roof of a hospital or vehicle - have long served as a sign of protection," said Robert Mardini, ICRC director-general, in a report published last year.

In it, he asked: "Is it possible to use this reliable and battle-proven emblem in the digital space?"

This question has gained importance with the rise of so-called populist hacktivist armies after the Kremlin sent troops across the Ukrainian border.

In response, Kyiv raised an "IT Army" perhaps composed of 400,000 individuals who pledged to back the country's cause via distributed denial-of-service attacks, which have disrupted Russian banks and the Moscow Stock Exchange, among other targets. Western intelligence officials quickly warned that, while they wanted to root for the good guys, the IT Army posed legal concerns, not least for civilian participants Russia might opt to treat as enemy combatants.

Analysts say the IT Army group is likely no longer very ad hoc and that by June 2022 it "had evolved into two sections: a public call to action, mobilizing anyone willing to participate in coordinated DDoS attacks against Russian infrastructure targets, and an in-house team supposedly consisting of Ukrainian defense and intelligence personnel," Aiden Render-Katolik wrote in a recent Center for Strategic and International Studies report.

The group appears not to have launched attacks affecting healthcare in Russia or elsewhere. The CyberPeace Institute, an independent organization that has been monitoring how cyberattacks and operations tied to the conflict have been affecting civilians since Russian Federation forces first invaded Ukraine, reported that through the end of July, third parties have attributed 76 of 2,356 known online attacks or cyber operations to the IT Army, although CSIS suggested the figure might be much higher. "The group primarily engages in DDoS attacks against Russian organizations deemed to have a stake in the war," the CyberPeace Institute reported, saying this included the finance, government, military and telecommunications sectors.

KillNet Vows to Keep Breaking Rules

On the pro-Russia side, the CyberPeace Institute said third parties have attributed 924 attacks to NoName057, 221 to the People's CyberArmy, 135 to Anonymous Russia and 95 to KillNet. These self-proclaimed hacktivist groups target both government and corporate infrastructure, including healthcare, in any country they see as working counter to President Vladimir Putin's regime.

KillNet, which has called for the targeting of hospitals in Ukraine and allied countries, said it has no plans to abide by the Red Cross rules. "Why should I listen to the Red Cross?" the leader of the group - who goes by "KillMilk" - told the BBC.

Another group with the moniker "Anonymous Sudan," which security firms assess is likely a Russian information operation or a KillNet component, told the BBC that the ICRC red lines were "not viable and that breaking them for the group's cause is unavoidable."

This is no surprise, especially because KillNet and its ilk may be directly or indirectly run by Russian intelligence as deniable propaganda engines. "Who can control these Putin-loving yet crazy patriot hacktivists?" Russian authorities can say, while potentially using them as cutouts to make the country's war machine look mightier than it really is (see: Expensive Proxies Underpin Anonymous Sudan DDoS Attacks).

Of course these supposed hacktivist groups won't care about Red Cross rules, since their remit includes disrupting critical infrastructure - or at least being a nuisance - without having Moscow be seen as doing so directly.

The use of DDoS attacks by hacktivists oftentimes remains a PR exercise, not least when targets have included the Eurovision song contest last year or, more recently, the official website of Britain's Royal Family, which was briefly knocked offline. So too were arrival kiosks at Canadian airports for about an hour last month, due to a DDoS attack launched by NoName057. The success of that attack likely says more about the state of the Canada Border Services Agency's defenses than NoName057's hacking prowess.

Nevertheless, it's important to hold to account anyone who targets civilians, as well as nations that fail to rein in domestic bad actors, not just during the Russia-Ukraine War but in future conflicts.

Just as ransomware-wielding criminals ignore computer crime laws, issuing red lines to supposed hacktivists may have little impact, at least in the short term. With luck, perpetrators will eventually be brought to justice. Until then, their list of crimes against civilians keeps growing.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
