Many threat actors have taken side in support of either Russia or Ukraine since the beginning of the invasion in February 2022, with many hacktivist groups and individuals joining the activity that is taking place in the digital environment, be it in the form of DDoS attacks, website defacement, or data leaks. One of these hacktivist groups is Killnet, which pledged its support to Russia. The group was initially founded as a cyber gang, rather than a hacktivist collective, which offered DDoS-as-a-service, in the form of a tool named Killnet that would allow other threat actors to launch DDoS attacks. Following the Russian invasion of Ukraine however, the group declared that Killnet would now be used as a name to describe the groups’ hacktivist activity in support of Russia. It appears that Killnet was established as a response to the formation of the IT Army in Ukraine, which called on volunteers with cyber skills to coordinate their action and help Ukraine launch attacks against Russian targets.

Who is Killnet?

Killnet has been active on the threat landscape since January 2022, when the group created its Telegram channel. As a pro-Russian threat group, its focus is on foreign states, in particular NATO countries and countries that support Ukraine, economically, militarily, and ideologically. The group was responsible for launching DDoS attacks against numerous targets including the websites of the United Nations, The Organisation for Security and Cooperation, and against several airports in the US and UK. The threat actor Killnet, which is divided into other subgroups, including the subgroup Legion, has over 100K subscribers across all its Telegram channels. The group typically starts its operations on Telegram, where the administrators dictate the orders and the targets, following which the members launch the attacks. It appears that the group follows strict rules, including not targeting members of the Commonwealth of Independent States, and not being absent for more than two days without informing the administrators.

Targeting Western countries

In mid-May, Killnet launched a DDoS campaign against targets in Italy, Germany, and Poland. As is typical for the group, its members claimed responsibility for the attacks, and published the list of affected targets on their Telegram channel. The attack on Italy targeted the websites of the Italian government, Italian judiciary institutions and ministries, the Italian state police, in addition to the website of the Italian embassy in London. Earlier in the month, it appeared that Killnet had also targeted the Eurovision voting system, in order to disrupt the Song Contest that was being hosted in Italy. In a message on their Telegram channel, Killnet disclosed that the group was undergoing cyber training by attacking systems in Italy and Spain, and that it would soon move to offensive attacks. The hacktivist collective Anonymous, which since the beginning of the war has launched attacks on Russian targets to support Ukraine, responded to these attacks on European institutions by declaring cyber war against Killnet. While the term cyber war is being increasingly used by hacktivist groups, the activities carried out in these attacks, like DDoS attacks, do not fall under the umbrella of cyber war.

On May 15, Killnet posted a video where it declared cyber war against 10 countries: Italy, the UK, the US, Germany, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine. Keeping its promise, at the end of June, the pro-Russia threat group launched intense DDoS attacks for over 10 days, against the websites of Lithuanian government entities and private businesses. The attacks are believed to be retaliation following the Lithuanian government’s announcement that it would close routes between the country and the Russian exclave of Kaliningrad, which are used to transport materials. Killnet claimed on its Telegram channel, that the group would stop the attacks only if the Lithuanian government removed the blockade and reinstated the transit route. Lithuania was also described as a testing ground for the cyber capabilities of the pro-Russia threat group and to test new cyber tools to use in attacks. As claimed on Killnet’s Telegram channel, the prolific ransomware group Conti, which pledged its support to Russia from the beginning of the invasion, was eager to join the fight, raising concerns that it would start working alongside Killnet in targeting Western countries. Shortly after however, the Conti gang, which had been active in the threat landscape since 2020, officially shut down its operation and took their infrastructure offline, effectively disbanding one of the most prolific ransomware campaigns of the past two years.  

Since before Russia’s invasion, cyber security experts have warned of the high possibility of cyber-attacks targeting Western countries. This is especially the case with the emergence of hacktivist groups, working to support the country they pledged their allegiance to without being backed by the country. As a matter of fact, already in April, the Five Eyes, the intelligence group made up of the UK, US, Australia, Canada and New Zealand, had warned of the threat of anti-Western cyber action by the Killnet threat group in particular. According to experts, Killnet will carry on with its attacks against countries that support Ukraine, by launching DDoS attacks, which are not sophisticated attacks, but are able to paralyse governmental and private websites, nonetheless.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List

https://www.ansa.it/sito/notizie/cronaca/2022/05/11/attacco-hacker-russi-a-siti-italia-anche-difesa-e-senato_b4520edb-3dd5-4632-bd1e-d6c22671a176.html

https://arstechnica.com/information-technology/2022/06/pro-russia-threat-group-killnet-is-pummeling-lithuania-with-ddos-attacks/

https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://cybernews.com/editorial/killnet-the-crooks-turned-crusaders-who-fight-for-russia/

https://cybernews.com/cyber-war/hacker-wars-heat-up-as-the-pro-russian-killnet-attacks-italy/

https://www.emcrc.co.uk/post/killnet-declare-war-on-the-uk-and-nine-other-nations

https://www.infosecurity-magazine.com/news/killnet-hacks-lithuania-government/

https://www.infosecurity-magazine.com/news/five-eyes-agencies-russian/

https://www.infosecurity-magazine.com/news/anonymous-declares-war-on-killnet/

https://intel471.com/blog/killnet-xaknet-legion-ddos-attacks

https://threatpost.com/killnet-pummels-lithuania/180075/

https://www.theitaliantimes.it/2022/05/12/allarme-cyberwar-attacco-hacker-russi-siti-italiani/

https://www.wired.co.uk/article/russia-hacking-xaknet-killnet

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.