Killnet: All You Need to Know About the Pro-Russian DDoS Attacker

Research and Analysis • November 28, 2022
Origin: February 2022
Aliases: Killnet Hacking Group, Kill[.]net
Targeted Sectors: Government, Transportation, Financial
Targeted Regions: Western Europe
Motive: Support Russia in the cyber war against Ukraine
Malware Used: Karma DDoS, Blood, Hasoki, DDoS Ripper, GoldenEye, MHDDoS
Killnet, a pro-Russian hacker group, started as a hack-for-hire vendor of Distributed Denial-of-Service (DDoS) tools in January 2022. The group has become more active since the Russian invasion of Ukraine in February 2022, when it attacked Ukrainian entities and crippled the networks of several private firms and government institutions in countries supporting Ukraine. It has targeted European and Western governments, including Germany, Italy, Romania, Norway, Lithuania, and the United States.
According to experts, the group does not work directly with Russia but has extended its support through DDoS attack infrastructure. The highly aggressive group appears different from regular Russian hackers. Research also revealed that attacks by Killnet could peak at 40 Gbps and last for more than 10 hours. Killnet is highly active on social media, frequently claims its victories online, and is often featured in Russian media for its attacks.
Killnet, as some experts would say, is an online group of nationalists trying to pull off attacks using low-grade cyber-offensive tools and tactics. The group's attacks consist mainly of Layer 4 and Layer 7 DDoS attacks. The Italian Computer Security Incident Response Team (CSIRT Italy) describes the techniques used in Killnet's attacks in three phases:
Phase one: The first phase consists of a high frequency of packets from TCP SYN, UDP, and TCP SYN/ACK amplification attacks, along with DNS amplification and IP fragmentation attacks.
Phase two: The second phase begins with IP fragmentation attacks, followed by the attack types of phase one, except for DNS amplification.
Phase three: The last phase lasts the longest but has a lower frequency. It consists of volumetric attacks and state-exhaustion attacks.
Multiple groups operating within Killnet are believed to receive direct attack orders via Telegram. Meanwhile, some fraudsters were also seen offering DDoS-as-a-Service by piggybacking on Killnet's activities.
Targets have been reported by region (the per-region details are not preserved here): North America, Eastern Europe, Northern Europe, Central Europe, Western Europe, and East Asia.
In addition, the Killnet group made multiple announcements between April 19 and May regarding successful attacks aimed at targets in Europe (including the Czech Republic, Lithuania, Latvia, Estonia, Poland, Romania, France, and the U.K.) and North America (including the U.S.). It mostly chose political targets (e.g., the UN and OSCE), claiming that the agencies were spreading lies about war crimes committed by Russia in Ukraine.
Law enforcement: A Romanian national was arrested by British police in May 2022 at the request of Romanian authorities. The suspect allegedly supported the activity of the Killnet group.
Claims: In June, a new group named Cyber Spetsnaz was observed targeting NATO infrastructure. Later, the group created a new division named Sparta, which officially confirmed itself to be a part of the Killnet group. Security experts also observed some messages mentioning the U.S. branch of Killnet. Sparta campaigns used proprietary tools along with Karma DDoS, Blood, Hasoki, DDoS Ripper, GoldenEye, and MHDDoS to generate malicious traffic.
Ownership: In July, the founder and leader of the Killnet group, KillMilk, announced his plans to quit the group and start a new one. The claim was made on the group's Telegram channel after a hack operation against Lockheed Martin was completed. A few days later, the Killnet group announced a new leader, identified as BlackSide.
According to the 1H2022 DDoS Threat Intelligence Report by NetScout, there were 6,019,888 DDoS attacks globally. A majority of DDoS attacks this year could be attributed to geopolitical motivations spurred by the Ukraine-Russia war.
DDoS attacks hurt an organization in various ways, including compromising its services' uptime, hampering user interaction on the site, and impacting overall business operations. Automation changes the game for organizations hit with DDoS threats. Security teams using an automated DoS response playbook can standardize the response process from detection to blocking malicious attack attempts. Moreover, it is necessary to incorporate the latest insights on the tactics, techniques, and procedures (TTPs) employed by the Killnet threat group in its attack campaigns. The command-and-control (C2) infrastructure behind such campaigns also evolves over time as defenders keep exposing the adversaries' stealthy maneuvers. By continuously operationalizing the latest threat intelligence on Killnet, security teams can refine their detection, containment, and mitigation strategies in real time to counter DDoS threats.
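As an added example that is not part of the original article, the following Python sketch turns the three-phase description above and the detection-to-blocking playbook idea into code: it classifies a constructed one-second window of flow records into the techniques CSIRT Italy lists (TCP SYN, UDP, SYN/ACK amplification, DNS amplification, IP fragmentation) and maps each to a mitigation step. The Flow layout, thresholds, playbook wording and sample data are assumptions made for the example.

```python
"""Added example (not from the original article): classify one second of sampled
flows into the traffic types CSIRT Italy attributes to Killnet and map each one to
a playbook action. Flow layout, thresholds and sample data are constructed."""
from collections import Counter, namedtuple

# proto "tcp"/"udp"; flags TCP flags ("S", "SA") or "" for UDP; fragmented marks
# non-initial IP fragments; pkts is the packet count seen in this window.
Flow = namedtuple("Flow", "proto flags src_port fragmented pkts")

# Detection thresholds for a 1-second window (constructed for the example).
SYN_PPS, UDP_PPS, SHARE = 5000, 8000, 0.3

def classify_window(flows):
    """Return the set of Killnet-style techniques seen in one window."""
    total = sum(f.pkts for f in flows) or 1
    pps = Counter()
    for f in flows:
        if f.fragmented:
            pps["frag"] += f.pkts
        if f.proto == "tcp" and f.flags == "S":
            pps["syn"] += f.pkts
        elif f.proto == "tcp" and f.flags == "SA":
            pps["synack"] += f.pkts      # reflected SYN/ACK we never solicited
        elif f.proto == "udp" and f.src_port == 53:
            pps["dns"] += f.pkts         # DNS answers to queries we never sent
        elif f.proto == "udp":
            pps["udp"] += f.pkts
    found = set()
    if pps["syn"] >= SYN_PPS: found.add("tcp_syn_flood")
    if pps["udp"] >= UDP_PPS: found.add("udp_flood")
    if pps["synack"] / total >= SHARE: found.add("syn_ack_amplification")
    if pps["dns"] / total >= SHARE: found.add("dns_amplification")
    if pps["frag"] / total >= SHARE: found.add("ip_fragmentation")
    return found

# Playbook: technique -> the mitigation an automated response would apply.
PLAYBOOK = {
    "tcp_syn_flood": "enable SYN cookies and rate-limit SYN",
    "udp_flood": "rate-limit inbound UDP at the edge",
    "syn_ack_amplification": "drop SYN/ACK with no matching connection state",
    "dns_amplification": "drop UDP/53 responses from unknown resolvers",
    "ip_fragmentation": "drop non-initial fragments at the perimeter",
}

def respond(flows):
    """Detection-to-blocking step: sorted playbook actions for one window."""
    return sorted(PLAYBOOK[t] for t in classify_window(flows))

# Constructed phase-one-like window: SYN flood plus DNS amplification and fragments.
SAMPLE = [Flow("tcp", "S", 40000, False, 6000), Flow("udp", "", 53, False, 4000),
          Flow("udp", "", 53, True, 5000), Flow("tcp", "SA", 443, False, 500)]
```

In a real deployment the thresholds would be tuned against the site's baseline traffic and the actions would call the edge device's API rather than return strings.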
Beyond that, organizations must limit access within the organization, follow the principle of least privilege, use HTTPS, enforce strong passwords, regularly audit for vulnerabilities, and keep all software updated to mitigate DDoS threats.
The Killnet group has played a major role in the ongoing Ukraine war. Further, the group has carried out mass attacks against random websites within Ukraine; for example, it attempted to block news and media services. Government and private entities in Killnet's most targeted regions are therefore urged to stay vigilant for future attacks (which are expected to continue for as long as the war in Ukraine does) and to be ready with adequate countermeasures.
IP addresses using TTPs similar to Killnet's
5[.]2[.]69[.]50
92[.]255[.]85[.]237
92[.]255[.]85[.]135
IP addresses used in Killnet attacks