The Kings of Brute-Force and DDoS: Meet KillNet
killnet
  • Table of contents

The author

user_image
Adi Bleih

Table of contents

Related Articles

Akira Ransomware
Research

Akira Ransomware: Published Over 30 New Victims on their DLS

Akira, a rising ransomware-as-a-service star was discovered in March 2023. Since then its victim count...
Nov 18, 2024
Learn more
Coral
Research

Not Your Grandfather’s Hacktivists: How Hacktivism Has Evolved

Fig 1: Crowd Sourcing to campaign against Israel Fig 2: Crowdsourcing to campaign against Russia...
Nov 14, 2024
Learn more
Research

The Kings of Brute-Force and DDoS: Meet KillNet

Nov 13, 2023

Traditionally Hacktivists were thought of as ideologically motivated threat actors, unaffiliated with nation-states. However recently according the Cyberint research, the lines have blurred. There are now several Hacktivist groups who align with specific nation-states. One example is the KillNet Hacktivist Group.

KillNet is a hacktivist group aligned with Russia, who gained significant attention at the onset of the Russia-Ukraine conflict. During this period, they initiated a wide-ranging campaign involving Distributed Denial of Service (DDoS) attacks, alongside political rhetoric and misinformation.

While their tactics were relatively unsophisticated, KillNet’s focus was on supporters of Ukraine, including NATO nations and their allies. Although there is no confirmed link between KillNet and official Russian government entities such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR), this group is classified as a critical infrastructure threat according to a joint multinational cybersecurity advisory.

Emerging as a frontrunner among over a hundred cyber mercenary groups stemming from the Russian-Ukraine proxy cyberwar, KillNet has exhibited remarkable activity. Their primary strategies have revolved around conducting low-level Distributed Denial of Service (DDoS) attacks against vital infrastructure, government services, airport websites, and media enterprises in NATO nations. This includes countries like the U.S., Canada, Australia, Italy, and Poland, as well as supporters of Ukraine across various Eastern European, Nordic, and Baltic regions.

Figure 1: KillNet Group
Figure 1: KillNet Group

KillNet Victimology

KillNet is also known for its robust and confrontational misinformation efforts targeted at its 90,000 Telegram followers. These campaigns involve openly taunting the victims of their DDoS attacks and issuing threats that suggest the attacks could result in loss of human life, contradicting their proclaimed anti-war stance.

The Latvian government classified KillNet as a terrorist organization following its admission of responsibility for a cyberattack that caused a temporary disruption to the country’s parliamentary web services.

Following the European Parliament’s acknowledgment of Russia as a state sponsor of terrorism, KillNet directed its focus towards the Parliament’s website, resulting in the site becoming temporarily unavailable. Additionally, in response to an investigation initiated against KillNet due to its assault on the European Parliament, the group targeted Belgium’s Cybersecurity Center.

In fact, unsuprisingly the majority of KillNet’s victims have been from Europe with over 180 documented attacks. North America, on the other hand have been on the receiving end of less than 10.

The most commonly targeted industries appear to be the financial industry, transportation, governmental institutions and business services.

Cyberint Malware, Tools & TTPs

KillNet favors the utilization of DDoS attacks and employs brute-force dictionary attacks against public-facing services. Unlike malware installation, a DDoS attack doesn’t need the attacker to infiltrate the target’s network; instead, it inundates the service with malicious connection requests, leading to resource depletion. Through brute force credential attacks, KillNet utilizes prearranged wordlists to seek out exposed services that exploit weak or default passwords. Both these techniques lack a significant level of sophistication.

Key Tactics Employed by KillNet:

  • Conducting DDoS attacks on the OSI model’s layer 4 (SYN flood attacks) and layer 7 (high volume POST/GET requests) to induce resource exhaustion and system failure.
  • Executing brute-force dictionary attacks against services like FTP (port 21), HTTP (port 80), and HTTPS (port 443).
  • Employing brute-force dictionary attacks against SSH (port 22), with a primary focus on the root account.
  • Performing brute-force dictionary attacks against Minecraft and TeamSpeak servers.

The KillNet group uses various RaaS, for deploying a ransomware attack on various organizations such as: Vice Society, Yashma, Mirai, and their own developed ransomware KillNet.

KillNet Origins & Affiliates

KillNet operates with a well-defined organizational structure and is thought to have collaborated closely with other pro-Russian hacktivist collectives, such as XakNet Team. In July 2022, the leader of KillNet, known as Killmilk, announced via social media that he would be stepping down from his position to establish a new group. As his successor, Blackside, a self-proclaimed black hat hacker with expertise in ransomware, phishing, and crypto theft, was named as the new leader of KillNet.

The self-proclaimed hacktivist group Anonymous Sudan appears to have increased KillNet’s capabilities and the group has become the collective’s most prolific affiliate in 2023, conducting a majority of claimed DDoS attacks. Significantly, Anonymous Sudan has caused significant disruptions at a level not observed by KillNet affiliates previously. Killnet has also claimed to have 280 members in the US, attributing an attack on Boeing to their US “colleagues.”

Figure 2: Conti suspected members/affiliates
Figure 2: Conti suspected members/affiliates

KillNet Community

In November 2022, Killnet initiated the Infinity forum with the aim of organizing discussions and promoting collaboration between pro-Kremlin hacktivist groups and financially motivated threat actors. This forum was designed to function as a space for cooperation as well as a marketplace for cybercrime tools and pilfered data. However, in February 2023, Killmilk, the leader of Killnet, revealed that the group had decided to put the Infinity forum up for sale.

In March 2023, Killmilk made public the formation of “Black Skills,” a Private Military Hacking Company. This move was interpreted as an effort to reshape and organize the group, potentially opening doors for cooperation with the Russian government while maintaining involvement in cybercriminal endeavors. This new identity aimed to present a corporate façade and attract clientele interested in their cyber mercenary services.

Subsequently, in April, it was declared that Killnet would officially terminate its hacktivist actions and undergo a rebranding as Black Skills. The group stated its intention to continue targeting Western entities, albeit now for monetary compensation rather than altruistic motives. However, within a few weeks, Killnet reversed this decision, labeling it a “mistake.”

Learn About Cyberint Threat Intelligence

To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.

Uncover your compromised credentials from the deep and dark web.

Fill in your business email to start.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start