The war in Ukraine has brought about many changes – and not least in the cyberworld is the apparent transformation of the criminal gang behind Killnet into a pro-Russia hacktivist group.
When it debuted at the beginning of the year, Killnet was not even the name of an outfit – rather it was the moniker given to a distributed denial of service (DDos) tool offered at a price to other threat actors, according to cyber-analyst Digital Shadows.
“According to their advertisement, users could rent a botnet for $1,350 per month,” it said, “which had a capacity of 500GB per second and included 15 computers.” Botnets are virtual armies of compromised ‘zombie’ machines that can be marshaled to carry out DDos attacks on victims.
But soon after releasing the version 2.0 update, the cybercriminals behind Killnet pulled it offline and declared that the name was now an umbrella term applied to hacktivism against Russia’s enemies. So far, Killnet has proved good to its word – launching DDos attacks against pro-Ukraine group Anonymous in Italy last month, as well as declaring “cyberwar” on other key allies including the US, the UK, and the Baltic states.
“Since the beginning of the Russia-Ukraine war, hacktivism has experienced a substantial resurgence, with many hacktivist groups being created in support of either Ukraine or Russia,” said Digital Shadows. “We have observed an explosion in DDoS, defacement, and data-leakage attacks over the past few months, targeting governments, critical sectors, and organizations in key industries.”
But what makes this wave of cyberattacks distinctive is the level of public support garnered, with virtual combatants on both sides mimicking conventional armies in their command structure.
“Killnet received an overwhelming amount of support from users in Russia, which likely encouraged the group to continue launching more attacks,” said Digital Shadows, adding that the group has spawned many sub-divisions numbering an estimated “100,000 subscribers across all its Telegram channels.”
Ukraine is not bereft of support either. The IT Army of Ukraine has garnered support from an estimated 400,000 volunteers.
“The administrators of these groups dictate orders, and members carry out the attacks,” said Digital Shadows. “Killnet developed a ‘legion’ called Cyber Special Forces RF (Russian Federation), which is made up of volunteers who perform DDoS attacks.”
The legion is subdivided into squads, which Killnet calls its “special forces”, who also try to recruit programmers, “DDoSers”, and penetration testers on Telegram. These squads have their own personalized nicknames, such as Jacky, Mirai, Impulse, Phoenix, and Sakurajima, with new units created on a weekly basis.
“Each squad conducts DDoS attacks in waves – often based on targets announced in the Legion Telegram channel – and squads are often assigned different regions to attack,” said Digital Shadows. “For example, on 11 May 2022, Sakurajima and Jacky were told to oversee the targeting of Germany and Poland, without restrictions in the choice of targets.”
Killnet also uses its Telegram channel to list the domains and IP addresses of targets, exhorting them “to take the victims’ websites offline using DDoS attacks and cripple the economy of targeted countries.”
That’s an order!
And, just like the conventional armed forces, there are strict rules volunteers must abide by. These include not being absent for more than two days without informing the “commander” and not targeting allied Commonwealth of Independent States members – although it is stipulated that Russian nationals are preferred when it comes to recruiting ‘legionnaires.’
The legion prohibits other acts, “including failure to report on attacks, spreading misinformation, disobedience [and] breaking into groups for other forms of attacks.”
Killnet has sustained cyber-casualties of its own. After attacking the Italian chapter of Anonymous, the group struck back, publicly releasing the email addresses and passwords of 146 legionnaires. And cyber-authorities in Romania have made public some 11,000 IP addresses associated with the hacktivist movement.
Digital Shadows assessed Killnet as “not considered to be highly sophisticated” but warned that its DDos attacks “may cause disruptions to targeted organizations.” One convenient clue to an impending assault was the group’s tendency to declare attacks on Telegram before launching them: “it is important that organizations monitor these channels for any mentions of their domains.”
More from Cybernews:
Subscribe to our newsletter