While most cybercriminals from Russia avoid publicly participating in the invasion of Ukraine’s cyberspace, groups have formed that focus on creating problems for organizations and countries that have expressed solidarity and support for Ukraine.
One such organization is the pro-Russian group KillNet, which has turned its DDoS service into a tool for conducting hacking attacks coordinated through Telegram channels against organizations in European countries in many sectors of the economy, including finance, government, media and telecommunications.
Since the beginning of the Russian invasion of Ukraine in February 2022, the KillNet cyber group has grown into several units that have carried out their own attacks. Although the vast majority of their supporters are entry-level users with zero or limited experience with DDoS attacks, the participants’ public interest in ransomware indicates that KillNet may develop its own variant or purchase one on the underground market as a means of going beyond DDoS attacks.
To this end, KillNet publishes messages through various channels in an attempt to recruit a variety of ransomware operators to attack organizations on its behalf. The group also solicited cryptocurrency by directing Telegram channel users to specific wallets for donations. KillNet also launched its own NFT on OpenSea, the world’s largest web3 marketplace for NFTs and cryptocurrency collectibles.
Since the creation of KillNet in February 2022, the group has incorporated several other groups into its activities. In March 2022, a group known as XakNet announced that it had teamed up with KillNet to launch DDoS attacks against critical infrastructure and the government. In May, another group known as FuckNet announced its intention to work with KillNet to conduct a DDoS campaign against public and private sector organizations located in countries that supported Ukraine. In April of this year the group created another branch called LEGION, specifically to handle KillNet’s DDoS attacks.
It is noteworthy that the members of this group use a targeting strategy that is influenced by current events almost in real time, which indicates that their activities may be directed by Russia’s special services.
KillNet uses publicly available DDoS scripts (CC-attack, MDDoS, Low Orbit Ion Cannon (LOIC), KARMA, Dummy) and IP stresser-for-hire tools (Crypto Stresser, DDG Stresser, Instant-Stresser, Stresser.ai) for most of its operations. However, the group also has some tools of its own to carry out attacks.
Over the past four months, the group has attempted to attack: the sites of 8 Polish airports; 12 organizations in the Czech Republic in the aviation, banking, government, military and telecommunications sectors; 9 Estonian organizations in the government, military and telecommunications sectors, including the database of the queue at the Estonian-Russian border crossing; 5 Romanian organizations in the aerospace and defense, banking, government and transport sectors; 13 airports, 2 news agencies and an oil and gas company in Romania; 8 main Internet service providers (ISPs), 2 traffic exchange networks and an electronic procurement platform in Ukraine; several entities in Lithuania, which included targets in the government, finance, transport, telecommunications and energy sectors; the US Congress public website; and the Eurovision voting system during the performance of the representative of Ukraine in the semi-finals.
KillNet has been very active since its inception, expressing its desire to recruit members through several different online platforms. And although more than 50,000 members of several Telegram channels are associated with the group, the vast majority of them are not involved in active criminal activity in cyberspace.
As the war in Ukraine continues, entities inside or connected to our state will almost certainly remain highly sought-after targets for this group.
It is likely that pro-Russian groups or ransomware operators (such as the defunct Conti group) will heed KillNet’s call and lend their support, likely resulting in organizations targeted by KillNet also being hit by ransomware or by DDoS attacks as a means of extortion.
The KillNet group will continue to grow, but given the tendency of its members to exaggerate, some of the announced cyber operations and developments may only be intended to attract the attention of both the public and the cybercriminal underground, as the group is limited in its capabilities.