KillNet: Get Attention

While most cybercriminals from Russia avoid publicly participating in the invasion of Ukraine’s cyberspace, groups have formed that focus on creating problems for organizations and countries that have expressed solidarity and support for Ukraine.

One such organization is the pro-Russian group KillNet, which has turned its DDoS service into a tool for conducting hacking attacks coordinated through Telegram channels against organizations in European countries in many sectors of the economy, including finance, government, media and telecommunications.

Since the beginning of the Russian invasion of Ukraine in February 2022, the KillNet cyber group has grown into several units that have carried out their own attacks. Although the vast majority of their supporters are entry-level users with zero or limited experience with DDoS attacks, the interest in ransomware that participants have publicly expressed indicates that KillNet may develop its own variant or purchase one on the underground market as a means of going beyond DDoS attacks.

To this end, KillNet publishes messages through various channels in an attempt to recruit a variety of ransomware operators to attack organizations on its behalf. The group has also solicited cryptocurrency by directing Telegram channel users to specific wallets for donations. KillNet also launched its own NFT on OpenSea, the world’s largest web3 online marketplace for NFTs and cryptocurrency collectibles.

Since the creation of KillNet in February 2022, the group has incorporated several other groups into its activities. In March 2022, a group known as XakNet announced that it had teamed up with KillNet to launch DDoS attacks against critical infrastructure and the government. In May, another group known as FuckNet announced its intention to work with KillNet to conduct a DDoS campaign against public and private sector organizations located in countries that supported Ukraine. In April of this year, the group created another branch called LEGION, set up specifically to handle KillNet’s DDoS attacks.

It is noteworthy that the members of this group use a targeting strategy that is influenced by current events almost in real time, which indicates that their activities may be directed by the special services of Russia.

KillNet uses publicly available DDoS scripts (CC-attack, MDDoS, Low Orbit Ion Cannon (LOIC), KARMA, Dummy) and IP stresser-for-hire tools (Crypto Stresser, DDG Stresser, Instant-Stresser) for most of its operations. However, the group also has some tools of its own to carry out attacks.

Over the past four months, the group has attempted to attack: the sites of 8 Polish airports; 12 organizations in the Czech Republic in the aviation, banking, government, military and telecommunications sectors; 9 Estonian organizations in the government, military and telecommunications sectors, including the database of the queue at the Estonian-Russian border crossing; 5 Romanian organizations in the aerospace and defense, banking, government and transport sectors; 13 airports, 2 news agencies and an oil and gas company in Romania; 8 main Internet service providers (ISPs), 2 traffic exchange networks and an electronic procurement platform in Ukraine; several entities in Lithuania, which included targets in the government, finance, transport, telecommunications and energy sectors; the US Congress public website; and the Eurovision voting system during the performance of the representative of Ukraine in the semi-finals.

KillNet has been very active since its inception, expressing its desire to recruit members through several different online platforms. And although more than 50,000 members of several Telegram channels are associated with the group, the vast majority of them are not involved in active criminal activity in cyberspace.

As the war in Ukraine continues, entities inside or connected to our state will almost certainly remain highly sought-after targets for this group.

It is likely that pro-Russian groups or ransomware operators (such as the defunct Conti group) will heed KillNet’s call and lend their support, likely resulting in organizations targeted by KillNet also being hit by ransomware or DDoS attacks as a means of extortion.

The KillNet group will continue to grow, but given the tendency of its members to exaggerate, some of the announced cyber operations and developments may only be intended to attract the attention of both the public and the cybercriminal underground, as the group is limited in its capabilities.

Pavlo Kryvenko

Head of AI and Cyber Security Section

He has been working as Head of the Information and Cyber Security Section and Coordinator of the Artificial Intelligence Platform at the Center for Army, Conversion and Disarmament Studies (Kyiv, Ukraine). Pavlo is the Founder of GODDL company.

He has worked as a member of the delegation of the Communication Administration of Ukraine at the World Radiocommunication Conference (Geneva, Switzerland) and as a Cyber Security Consultant at the Bar Association Defendo Capital (Kyiv, Ukraine).

Pavlo has collaborated with the National Communications and Informatization Regulatory Commission and the Ukrainian State Radio Frequency Center for International Frequency Coordination.

He studied at the Institute of International Relations of the Kyiv International University (Ukraine), the Joint Frequency Management Center of the US European Command, the LS telcom AG Training Center (Grafenwöhr, Germany), and the UN International Peacekeeping and Security Center (Kyiv, Ukraine).

July 2022