Killnet Group Targeting Ukraine Supporters with DDoS Attacks
The Russia-Ukraine conflict has produced a monumental shift in the threat landscape. It’s motivated state-sponsored groups around the world to try to capitalize on the conflict. A month after Russia's invasion of Ukraine, for example, Check Point Research observed state-sponsored groups in Latin America, the Middle East, Asia, and elsewhere launch new campaigns or restructure old ones using the war as a theme. Many of those operations leveraged malicious macros as an infection vector to try to establish an initial foothold in targeted organizations.
The war has also driven cyber threat actors (CTAs) to take sides. Some ransomware gangs and hacking groups responded to the news by announcing their allegiance to Russia or Ukraine on social media, reported The Record. Some even went so far as to vocalize threats against critical infrastructure organizations and other potential targets in the opposed country.
In this blog, we'll examine Killnet. It's one such state-sponsored group that's acting on Russia's behalf.
A Survey of Killnet's Activity
Killnet began its pro-Russian wartime effort on March 1, 2022, when it released the following video on Twitter:
#Killnet group aligned to #Russia sent out a warning recently and a declaration of war on #anonymous. #cybersecurity #threatintelligence #infosec #UkraineRussiaWar #cyberattacks https://t.co/HNCVNYBJxO — CyberKnow (@Cyberknow20), March 3, 2022
Since then, it's mainly used distributed denial-of-service (DDoS) attacks to carry out its goals. These attacks have targeted entities supportive of Ukraine. Additionally, they have often functioned as a response to a perceived action that's hindered Russia's wartime efforts.
Let's take a look at some recent examples of Killnet's attacks.
On March 3, Killnet used a DDoS attack to bring down "En-marche.fr," the website of the leading political party in France. 24 News Responder wrote that the state-sponsored group used the attack to punish French President Emmanuel Macron for sending aid to Ukraine.
Several weeks later, Killnet once again targeted En-marche.fr. This attack differed from the first in that the group released a message on its Telegram channel congratulating a specific candidate for making it to the next round of the French presidential election. The group said that the candidate would help "to establish a real friendship between Russia and France" if elected.
Near the end of June, Infosecurity Magazine reported on Killnet having struck several Lithuanian government websites. The group released a video explaining that they had launched the attack as a response to Lithuania's sanctions against Russia for having invaded Ukraine. Killnet went on to demand that Lithuania resume the transit of goods into Kaliningrad, a Russian region located between Lithuania and Poland, if it wanted to avoid further disruption.
Lithuania ultimately lifted sanctions on the transit of vodka, steel, and other non-military goods from Russia into the EU a few weeks later, noted U.S. News.
The United States
One of Killnet's first attacks against a U.S. target occurred in March. According to Newsweek, the attack involved an attempt to crash the website for the Bradley International Airport. Killnet released a message at the time explaining that "when the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop."
Three months later, Flashpoint shared that Killnet had claimed responsibility for an attack against the website of the U.S. Congress. Specifically, Killnet used a DDoS attack to affect public access to the Library of Congress website. The group later celebrated its efforts on its Telegram channel, stating that “[Congress] has the money to fund weapons across the world, but not enough for its own defenses.”
Killnet has since threatened to target other U.S. entities. Chief among them is Lockheed Martin, an operation which HackRead explains might have resulted in the theft of employee data.
Around this same time, news emerged that "KillMilk" – one of Killnet's founders – was planning to leave. The group explained to its followers that KillMilk was making the move to protect his fellow attackers against law enforcement. But per SC Magazine, new KillMilk channels have since surfaced, leading some to suspect that the individual is planning on starting a new group while distancing themselves from the international attention received by Killnet.
Understanding the Risks Posed by Killnet
Commenting on the attacks discussed above, the Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) said that the risks confronting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations are minimal.
"Right now, we don't see much affecting SLTTs," the team explained. "Killnet is primarily hitting U.S. national entities that are directly related to the Russia-Ukraine war, such as organizations that are funding weapons and creating sanctions."
That doesn't mean SLTTs can't get caught in the crossfire, however.
"If we see a DDoS attack with a specific type of federal entity, there could be a secondary or domino effect to our members," CTI went on to note.
In response, SLTTs along with other organizations should consider taking steps to protect themselves going forward. They can begin by following our advice on defending against Russian cyber attacks. From there, they should then look to defend themselves against Killnet specifically by making sure they're prepared for a DDoS attack.