Russia’s Killnet Group Declares War on the West

On May 15, 2022, Killnet, a pro-Russian hacktivist group, declared war on 10 nations.

“Greetings to all our enemies, today we officially declare cyber war on the government of ten countries. From now on, our attacks will include the United States, Great Britain, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine.”

So, I suppose the big question is: Should we care?

Originally, Killnet was a DDoS hacking tool that promised to supply a botnet that could launch a 500Gbps attack on an unsuspecting victim. The botnet could be rented for $1350 a month. In other words, the hackers renting it had no political affiliation at this time. It was simply a way to make money.

But all that changed when Russia invaded Ukraine. Ukraine organized its volunteer cyber hacktivist group, IT Army of Ukraine, which eventually amassed 400,000 members. They began a series of successful DDoS attacks on Russian government sites, media outlets, and other targets, which probably encouraged the Russian government to seek help in launching similar attacks on Ukraine and its allies. This must have brought Killnet to their attention because, suddenly, Killnet was recruiting hackers who supported the Russian cause. What cause could that be? Stopping the so-called aggression against Russia from the West.

Killnet then began recruiting in a manner more consistent with military mobilization than hacking. They broke new recruits into ‘legions’ and designated geographic regions for their attacks. Members were required to follow strict rules; top among them was constant communication with the leadership. They would also not accept recruits from non-Russian countries. All of this smacks of Russian government and military involvement in this cyber army.

Killnet claims to have recruited over 100,000 members. It is more likely they’ve recruited people who give moral support to their cause. It’s unlikely all of them are active participants, but the same can be said about the IT Army of Ukraine. On the other hand, you don’t need a lot of people if you have a collection of botnets that will do most of the work for you.

DDoS attacks can be aggravating but, since they only block access to a website, they don’t normally lead to more serious problems like data loss. They can, however, have a financial impact if the site is a major source of income. And Killnet can claim some success in this way. They, not surprisingly, target government sites, but they also target banks, military sites, and media. In this manner, they have attacked sites in Romania, Moldavia, the Czech Republic, Italy, Lithuania, Norway, Latvia, and the Eurovision Song Contest. The latter attack was due to the exclusion of Russia and the nearly pre-determined outcome that Ukraine would be crowned as champion. Recently, on July 8th, Killnet temporarily brought down the U.S. website, which must have taken a large number of bots, unless the U.S. government has awfully poor security. Killnet posted this.

The growing concern is that Killnet may take this to the next level. It may align itself with the Conti ransomware group, which supports the Russian government, or the Trickbot team. In this way, Killnet may make their attacks far more serious and cause far more disruption than just taking a site offline. Bloomberg reported on how the Russian government hides behind these hacktivist groups. They quote Mandiant’s vice president as saying, “It’s important we scrutinize the actors who claim to be Russian hacktivists because the intelligence services regularly use that façade to carry out their operations. If we wait until after a major attack to ask who is really behind these personas, it may be too late.” In other words, Russian intelligence may be complicit in these attacks, which may be why they were able to hack the site. Here is the most recent list of those hacking groups supporting the Russian government. (Green indicates new members.)

And here is a list of the Russian government-sponsored groups joining in the battle.

This is the highest number of cyber attack groups that the Russian government has ever had working for it, either directly, or indirectly. They should not be taken lightly as they have some of the best hackers in the world.

It is often said that war makes strange bedfellows and this observation certainly applies here. On May 21, 2022, the hacktivist group Anonymous aligned itself with NATO and the West by declaring war on Killnet and, by extension, Putin and the Russian government. Almost immediately, they took down the site with the usual DDoS attack. They then posted this.

They then published email addresses, usernames, and passwords of every member of Killnet. This list is open to public viewing and you can see it here. No doubt, this caused a lot of problems for Killnet. Their website closed down and everyone on this list probably had to change their email addresses and passwords on all of their sites.

Countries are always reluctant to launch cyber attacks against other nations. The reason is the fear of retribution. The best they can do is hide behind ‘unaffiliated’ groups and claim that they had no idea that the hack occurred. This is what happened in the Colonial Pipeline and SolarWinds attacks. In fact, Killnet recently posted a comment that makes it seem that they are changing their strategy to emulate these attacks.

This seems to suggest that Killnet will begin some sort of supply chain attack, possibly augmented with ransomware. In this way, they could make money and work with the Russian government at the same time. It is time to prepare for a more disruptive cyber attack from these Russian groups. Sure, DDoS attacks will continue, but they may be used as more of a distraction as the more serious attack takes place. It’s definitely something to be prepared for.
