Killnet: don't underestimate the “script kiddies,” experts say


Politically motivated cybercriminals with unsophisticated tools can swiftly adopt far more destructive weapons. Experts say it would be a mistake to underestimate groups such as Killnet, which are often not taken seriously.

Pro-Russian hacker group Killnet has been in the headlines since Russian tanks poured into Ukraine, kickstarting Europe’s largest armed conflict since the end of the Second World War.

Even though some of the group’s earlier targets, such as the Eurovision song contest, seemed almost comical, Killnet’s attacks rapidly escalated. Mid-June, pro-Russian hackers struck Lithuania, a NATO member bordering Russia, in an attempt to pressure the nation into dropping EU-imposed sanctions.

ADVERTISEMENT

In August, Killnet targeted the online government services of another NATO member Estonia, which the country’s Government Chief Information Officer, Luukas Ilves, called the largest attack since 2007.

“I would caution all organizations to take the threat from Killnet and other pro-Russia groups very seriously. Don’t discount them because they are “only” using DDoS,”

Brian Contos, CSO of cybersecurity company Phosphorus, said.

Most recently, Killnet stormed the headlines by coordinating an attack against the websites of major US airports. Websites of three of the top five American airports went down for several hours, signaling a pro-Russian effort to initiate attacks against nations supporting Ukraine.

Since Killnet almost exclusively uses DDoS attacks against their victims, pundits often rush to label the attacks as unsophisticated. Some even call them ‘script kiddies,’ a derogatory term in the hacking world, meant to ridicule the lack of coding expertise.

Humble beginnings

It’s not entirely accurate to call Killnet “script kiddies” since the group was a known criminal service provider before the war broke out, thinks Nataliia Zdrok, threat intelligence analyst at cybersecurity firm Binary Defense.

“They were offering a tool to launch DDoS attacks, but after the war started in Ukraine, the gang transformed from a criminal service provider to a hacktivist group. Their motivation is political,” Zdrok explained to Cybernews.

According to an analysis by Digital Shadows, before turning to pro-Russian hacktivism, operators of the Killnet botnet offered their services for $1,350 per month – a single botnet had a capacity of 500GB per second and included 15 computers.

ADVERTISEMENT

Killnet has come a long way since then, targeting multiple Western nations and bathing in attention few Russian hacktivist groups have received. The group also amassed over 90,000 followers on their Telegram channel, a primary location to publicly coordinate attacks and boast about every drop of press coverage.

Beware of change

While Killnet’s criminal past shows the group’s members are no ‘script kiddies,’ claims Brian Contos, Chief Security Officer of cybersecurity company Phosphorus, they are yet to exhibit sophistication in employing other attack vectors besides DDoS.

However, he adds, DDoS attacks can be impactful to organizations, like financial institutions, that can’t afford any downtime. So far, Killnet’s attempts to crash the websites of such American organizations have been unsuccessful.

For example, a couple of days after attacks on US airports, Killnet’s Telegram channel was abuzz with gee to attack and disable websites of JP Morgan Chase Bank. At the time of writing, the attempts remain fruitless. Nonetheless, Contos advises against having a false sense of security.

“I would caution all organizations to take the threat from Killnet and other pro-Russia groups very seriously. Don’t discount them because they are “only” using DDoS. Their tactics and technical capabilities could change over time, or even very quickly, as new members join,” Contos said.

Nothing prevents Killnet from recruiting members who could deploy far more destructive cyber capabilities than we have seen. Given Russia’s track record in cooperating with cybercriminal gangs such as Conti, Killnet’s ranks could be filled with seasoned threat actors.

“They were offering a tool to launch DDoS attacks, but after the war started in Ukraine, the gang transformed from a criminal service provider to a hacktivist group. Their motivation is political,”

Nataliia Zdrok, threat intelligence analyst at cybersecurity firm Binary Defense, said.

While Killnet presents themselves as hacktivists, aiming to mirror the example of the pro-Ukrainian IT Army, supported by likes of Anonymous, there’s no guarantee that the group will start serving as a veil for plausible deniability, conducting attacks on the Kremlin’s behalf.

ADVERTISEMENT

“Russia’s government could use the group to launch more damaging attacks under diplomatic cover. Don’t underestimate any of these groups, even if what we’ve seen so far has been limited in terms of skill level and effectiveness. I would be careful about downplaying the threat potential of any pro-Russia hacking group,” Contos said.

Blame the media

It’s hardly a secret that Killnet loves the attention they receive. Details of their attacks gathered from local media coverage often appear on their Telegram feed. The attention almost seems to convince Killnet’s followers that their work matters.

“I know that KillNet is seeking attention, and when the media publishes information about the KillNet group, it makes them proud of themselves and what they are doing. They gladly give interviews to the Russian media, and they are trying to build a reputation as a significant threat to the West among their subscribers,” Zdrok explained.

Hardly sophisticated attacks create media headlines that fuel an inflated sense of significance, leading to further attacks. However, the attention Killnet receives comes with the targets the group selects. After all, DDoS attacks focus on public-facing websites, the most visible part of internet infrastructure for outsiders.

“Their goal is to undermine the public’s confidence in cybersecurity professionals and to make US companies look weak against the danger that the [Russian] hackers pose,” said Zdrok.

Unsophisticated does not mean ineffective

Even though DDoS’ing requires far less sophistication than attacks that, for example, involve tampering with updates of a third party to infect its clients, it doesn’t mean they can’t cause damage. According to Randy Pargman, Senior Director of Threat Hunting and Counterintelligence at Binary Defense, unsophisticated does not mean ineffective.

“The very fact that threat actors continue to go to a lot of trouble to organize enough bots or pay someone who has enough bots to launch a DDoS attack is evidence enough that it is impactful, or at the very least annoying, to companies that are targeted,” Pargman explained.

ADVERTISEMENT

Given that Russia still has significant cyber capabilities and possibly an extensive understanding of its adversaries, hacktivist groups performing DDoS attacks can serve a secondary purpose. Contos explained that a severe DDoS attack could serve as a distraction for IT teams before launching a secondary attack.

“With winter just around the corner, the ground war in Ukraine is likely to slow down due to weather conditions. This could provide an opportunity for Russia to stage new operations in the cyber domain, as it tries to put pressure on Ukraine’s allies,” Contos said.