Killnet Threat Actor Profile
Killnet Overview
Killnet is a pro-Russian hacktivist group that engages in hacktivism and other hacking operations. The group gained notoriety during the first month of the Russia-Ukraine conflict when they began a widespread, although relatively unsophisticated, campaign of distributed denial-of-service (DDoS) attacks, political rhetoric, and misinformation.
The group primarily utilises DDoS attacks and website defacement to target nations that support Ukraine. They have been active in targeting various countries, including Ukraine, Lithuania, Poland, Romania, Germany, Australia, and the United States. Killnet has been known to use social media and messaging platforms such as Telegram to communicate and coordinate their attacks. They have also been linked to other threat actor groups such as Anonymous Russia and Anonymous Sudan.
Killnet has claimed responsibility for various attacks on government and civilian entities, including military organisations, healthcare, marine terminals and logistics facilities, other forms of transportation, and online trading systems. Furthermore, reporting indicates that Killnet is expanding its sphere of influence by merging lesser groups (such as Zarya, Phoenix, Anonymous Russia, Anonymous Sudan and Infinity Hackers BY) into its circle that share the same goals of action on behalf of Russia.
This is likely designed to enhance the effectiveness of their attacks, as it becomes increasingly difficult for targets to determine when, and from which group, to expect an attack.
Killnet has recently rebranded as ‘Black Skills’, which has been classified as a “private military hacking company”. While their credibility is generally considered low, Killnet remains a cause for concern as they provide a blueprint for other groups to become paid “hackers for hire”.
Sources indicate that cyber operations undertaken by Killnet have had minimal to intermediate impact, as their attack efforts often last only for a brief period of time and sometimes even fail mid-operation. Although Killnet is not considered to be as impactful as other threat actor groups, it still conducts persistent DDoS campaigns and so remains a legitimate threat. Killnet’s operations tend to be sporadic and compulsive in nature, with direct links to the developing landscape of the Russia-Ukraine conflict. Killnet’s primary impact is therefore related to manipulating the cognitive perception of, and narrative surrounding, the war, whilst demonstrating their DDoS capabilities through media exposure and propaganda.
Targeted Sectors
Killnet has historically targeted highly visible organisations associated with nations opposing Russia’s invasion of Ukraine. Additionally, organisations that make up the Critical National Infrastructure (CNI) of these nations are almost certainly desired targets, given the group’s objective of maximum impact. The following areas have witnessed targeting by Killnet since the group’s inception:
- Government services
- Government websites
- Media and news outlets
- Healthcare applications
- NATO allies.
Threat Actor Motivations
The motives of Killnet can be evaluated by observing the strategies they apply within the context of their campaigns.
Based on Killnet’s activity and historical rhetoric, it is highly likely that their goals align with those of the Russian government: the group has sought support from the Russian parliament (the Duma), and potential links between the Kremlin and Russian cyber threat groups targeting Ukraine have been identified.
However, despite their nationalistic agenda, Killnet has primarily been driven by financial motives, leveraging the Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services.
Threat Actor Activity Timeline
- May 2022: The websites of the Istituto Superiore di Sanità and the Automobile Club of Italy were attacked on 14th May 2022. The Italian Senate website was attacked and blocked for an hour in the same attack. On 29th May 2022, they announced an “irreparable damage” attack on Italy scheduled for the following day. On 30th May 2022, Killnet attacked Italy and managed to block a few websites, while the attack on the Cyber Security Incident Response Team (CSIRT) site was unsuccessful. The attack was not as devastating as predicted. Killnet later complimented the CSIRT for their defensive work, mocking the government by calling on it to pay the team a few thousand dollars for their work.
- May 2022: Killnet hackers were suspected of making an attempt to block the Eurovision Song Contest website during Ukraine’s performance with a DDoS attack, which was blocked by the Italian state police. However, the group denied on their Telegram channel that their attack had failed. They subsequently attacked the state police site emphasising how they blocked the attack on Eurovision. Following the attack, they threatened to attack 10 European countries, including Italy.
- June 2022: The group claimed responsibility for the DDoS attacks against Lithuanian network infrastructure. They stated that the cyber-attack on Lithuania was in retaliation for it stopping transit of goods to Russia’s Kaliningrad exclave.
- June 2022: The group targeted Norwegian organisations through various DDoS attacks on 28th June 2022.
- August 2022: Killnet targeted Latvia’s public broadcaster in the largest cyber-attack in the country’s history. The broadcaster said the attack was repelled.
- August 2022: Killnet and its founder, ‘Killmilk’, claimed responsibility for a cyber-attack on the American defence corporation Lockheed Martin, as a retaliation for the HIMARS systems supplied by the US to Ukraine. The group stated that Lockheed Martin “is the actual sponsor of world terrorism” and that the organisation “is responsible for thousands and thousands of human deaths.” Shortly before the attack, the group announced that they were going to carry out a new type of cyber-attack, different from their typical DoS and DDoS vectors.
- September 2022: Killnet announced that they attacked 23 websites of four Japanese ministries and agencies including e-Gov, a portal site for administrative information administered by the Digital Agency, and eLTAX, a local tax website administered by the Ministry of Internal Affairs and Communications. They also posted a video declaring war on the Japanese government and announced that they had attacked the Tokyo Metro and Osaka Metro. At a press conference on the same day, Chief Cabinet Secretary Hirokazu Matsuno explained that no information had been leaked as a result of this attack at this time.
- September 2022: According to the Twitter post published by the threat research firm CyberKnow, Killnet and their founder Killmilk threatened that they would attack the Georgian government if it continued to work against the Russian Federation.
- January 2023: The German Federal Office for Information Security (BSI) announced that a wide-ranging DDoS attack against various agencies and companies in Germany had been taking place since the night before. According to the BSI, websites of airports were particularly affected, as well as those of companies in the financial sector and those of the federal and state administrations. The attacks had been announced in advance by Killnet, supposedly as retaliation for the German government’s decision to send Leopard 2 battle tanks to Ukraine.
- June 2023: The European Investment Bank (EIB) was successfully targeted by Killnet, days after the group published a video stating its intention to target the European banking sector.
Associated Malware
- Chaos Ransomware: Chaos ransomware is a malware family that has been active since at least June 2021 and has undergone several iterations, with the latest being Yashma. It is a Ransomware-as-a-Service programme that has been advertised on underground forums, and it is often used by low-tier threat actors.
- Killnet Ransomware: Killnet ransomware is a rebrand of the infamous Chaos Ransomware, a Malware-as-a-Service (MaaS) programme that was advertised on the top-tier Russian-language forum XSS before a cracked version was published on Telegram by the Arvin Club ransomware gang on or around 2nd May 2022. Chaos is often used by low-tier threat actors that practice a single-extortion ransomware encryption technique.
- Mirai: The Mirai botnet has been active since 2016 and has spawned several variants, including the IZ1H9 variant, which was first discovered in August 2018 and has since become one of the most active. The IZ1H9 variant spreads via SSH, Telnet, and HTTP channels and uses default login credentials for brute-forcing network devices. It also leverages several vulnerabilities, including CVE-2023-27076, CVE-2023-26801, and CVE-2023-26802, to gain remote code execution and compromise various IoT devices for use in DDoS attacks.
- Passion Malware: A DDoS-as-a-Service platform that supports attack methods such as web protocols, browser data, DNS hijackers, obfuscation techniques, and TCP redirection.
- Raccoon Stealer: Raccoon Stealer is an information-stealing malware that has been active for several years and has gained popularity among cybercriminals. It steals various data from infected computers, including browser history, saved passwords, and cryptocurrency wallets.
- Vice Society Ransomware: Vice Society is a notorious ransomware group that has been active for several years and has been responsible for a significant number of attacks globally. The group uses a variety of tactics, including phishing, compromised credentials, and exploits for initial access, to gain entry into victim networks. Once inside, they use legitimate tools like Windows Management Instrumentation (WMI) for post-intrusion activity and deploy ransomware to encrypt files and demand payment for their release.
- Yashma Ransomware: Yashma is a ransomware family that was first discovered in May 2022 and is a variant of the Chaos ransomware builder. It is a weaponised ransomware builder that was promoted on underground forums in June 2021, claiming to be a .NET version of Ryuk ransomware.
Indicators of Compromise
Killnet Associated File Hashes (SHA256):
- db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50
- dfcb800f74b602edc3dfd3fad3bdbedc981fbff895dc3b907decd8b4b889fdc4
Killnet Associated Domains:
- delta[.]mil[.]gov[.]ua
- killnet[.]cc
Mitre Methodologies
Execution
T1059.007 – Command and Scripting Interpreter: JavaScript
Persistence
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Discovery
T1057 – Process Discovery
T1083 – File and Directory Discovery
Collection
T1005 – Data from Local System
T1185 – Browser Session Hijacking
Command and Control
T1071.001 – Application Layer Protocol: Web Protocols
T1095 – Non-Application Layer Protocol
Impact
T1486 – Data Encrypted for Impact
T1489 – Service Stop
T1490 – Inhibit System Recovery
T1491 – Defacement
T1496 – Resource Hijacking
T1498 – Network Denial of Service
T1498.001 – Network Denial of Service: Direct Network Flood
T1498.002 – Network Denial of Service: Reflection Amplification
T1499 – Endpoint Denial of Service
Killnet Attack Chain
As Killnet primarily engages in hacktivist operations, its primary mode of offense involves DDoS attacks at layers 4 and 7 of the Open Systems Interconnection (OSI) model. The associated techniques implemented by Killnet have been classified as follows:
- ICMP Flood
- IP Fragmentation
- TCP SYN Flood
- TCP RST Flood
- TCP SYN / ACK
- NTP Flood
- DNS Amplification
- Connectionless LDAP (CLDAP)
These attack techniques are implemented within the following three phases:
- Phase 1: A high frequency of TCP SYN, UDP and TCP SYN/ACK amplification attacks, along with DNS amplification and IP fragmentation attacks.
- Phase 2: Initiated by IP fragmentation attacks, followed by the previous attack types except DNS amplification.
- Phase 3: The longest phase, but with the lowest frequency of attacks; consists of volumetric attacks and state exhaustion.
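As an added defender-side example (not part of this profile or any Killnet tooling), the Python below triages constructed flow records against the vectors listed above and maps each hit to the T1498.001 (direct flood) or T1498.002 (reflection amplification) sub-technique from the Mitre section. The flow record format, the byte-per-packet and distinct-source thresholds, and the documentation-range IP addresses are all assumptions.

```python
from collections import defaultdict
# Reflection vectors are keyed by the reflector's UDP source port; direct TCP
# floods by their flag combination. Thresholds below are assumptions.
REFLECTOR_PORTS = {53: "DNS Amplification", 123: "NTP Flood", 389: "CLDAP"}
TCP_FLOODS = {"S": "TCP SYN Flood", "SA": "TCP SYN/ACK", "R": "TCP RST Flood"}
REFLECTED = set(REFLECTOR_PORTS.values()) | {"TCP SYN/ACK"}  # map to T1498.002

def flow(src, dst, proto, sport, flags="", packets=1, nbytes=60, frag=False):
    """Build one constructed flow record (src/dst IPs, protocol, src port, TCP flags)."""
    return dict(src=src, dst=dst, proto=proto, src_port=sport, flags=flags,
                packets=packets, bytes=nbytes, fragmented=frag)
# Constructed sample: four SYN-only sources, three oversized DNS replies, one normal
# DNS reply, one established session, one ICMP burst from a single host.
TARGET = "198.51.100.10"  # documentation address, not a real victim
SAMPLE_FLOWS = [flow(f"203.0.113.{i}", TARGET, "tcp", 40000 + i, "S") for i in range(1, 5)] + [
    flow("203.0.113.20", TARGET, "udp", 53, packets=10, nbytes=30000),
    flow("203.0.113.21", TARGET, "udp", 53, packets=10, nbytes=30000),
    flow("203.0.113.22", TARGET, "udp", 53, packets=10, nbytes=30000),
    flow("203.0.113.30", TARGET, "udp", 53, packets=2, nbytes=200),
    flow("203.0.113.40", TARGET, "tcp", 443, "PA", packets=12, nbytes=9000),
    flow("203.0.113.41", TARGET, "icmp", 0, packets=500, nbytes=30000),
]

def classify_flow(rec):
    """Name the DDoS vector one flow record resembles, or None if it looks benign."""
    if rec["fragmented"]:
        return "IP Fragmentation"
    if rec["proto"] == "icmp":
        return "ICMP Flood"
    if rec["proto"] == "udp" and rec["src_port"] in REFLECTOR_PORTS:
        # Amplified replies are large; an ordinary reply is well under 512 bytes.
        if rec["bytes"] / rec["packets"] > 512:
            return REFLECTOR_PORTS[rec["src_port"]]
    if rec["proto"] == "tcp" and rec["flags"] in TCP_FLOODS:
        return TCP_FLOODS[rec["flags"]]
    return None

def triage(flows, target, min_sources=3):
    """Aggregate flows toward `target`; report each vector seen from at least
    `min_sources` distinct sources with its ATT&CK technique ID."""
    sources, packets = defaultdict(set), defaultdict(int)
    for rec in (f for f in flows if f["dst"] == target):
        vector = classify_flow(rec)
        if vector:
            sources[vector].add(rec["src"])
            packets[vector] += rec["packets"]
    return {v: {"sources": len(s), "packets": packets[v],
                "technique": "T1498.002" if v in REFLECTED else "T1498.001"}
            for v, s in sources.items() if len(s) >= min_sources}
```

The single-host ICMP burst and the established session are deliberately left out of the report, which is the distinction between a noisy client and a distributed flood that a responder wants before raising a DDoS alert.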