While the majority of the cybercrime underground has publicly avoided involvement in Russia’s invasion of Ukraine, there are factions that have formed that are concentrating on causing issues for any organization that is perceived to be siding with Ukraine.
One such organization Intel 471 has observed is KillNet, a pro-Russian group that turned its DDoS-for-hire service into a hacktivist operation. Since February, KillNet has targeted organizations in European countries perceived to be hostile to Russia. The group’s attacks have hit entities in a plethora of sectors — including financial, government, media and telecommunication — coordinated through several Telegram channels.
Since first emerging earlier this year, the group has grown into several divisions that have conducted their own attacks. The group also recruits very actively: KillNet has posted messages on various channels attempting to recruit ransomware gangs to attack entities on its behalf. This public interest in ransomware indicates KillNet may develop its own variant or purchase one from an underground market as a means to move beyond DDoS attacks.
Even with these possible aspirations, the vast majority of KillNet supporters are entry-level users with zero or limited experience with DDoS attacks, carrying out a targeting strategy that appears to be influenced by current events on a near-real-time basis. Yet the group is very active and will continue to target particular organizations, especially ones it perceives to be a threat to Russian interests.
Intel 471 researchers first spotted KillNet in late January when one of its core members advertised a DDoS-for-hire service, dubbed KillNet. KillNet was promoted as a decentralized botnet that leveraged blockchain technology across approximately 700,000 bots. In February, the group pivoted toward hacktivism, launching attacks in response to Anonymous targeting Russian entities following Russia’s invasion of Ukraine. Over the invasion’s first 48 hours, KillNet claimed to take down the official website of the president of Ukraine and 25 other Ukrainian state websites in DDoS attacks.
Since then, the group has taken aim at organizations that have expressed solidarity with or operate in countries which have sided with Ukraine. Over the last four months, the group has targeted:
The websites of eight Polish airports, allegedly in response to Poland’s materiel support of Ukraine
12 entities in the Czech Republic across the aviation, banking, government, military and telecommunications sectors
Nine Estonia-based entities in the government, military and telecommunications sectors, including the Estonia-Russia border crossing queue database
Two separate attacks on Romanian organizations: one that impacted five entities across the aerospace and defense, banking, government and transportation sectors, and another that allegedly impacted 13 airports, two news agencies and an oil and gas company. The group stated the attacks were in response to the Romanian government’s commitment to aid Ukraine.
Eight major internet service providers (ISPs) and two traffic exchange networks based in Ukraine
An electronic procurement platform used in Ukraine to facilitate government contracts
Multiple entities in Lithuania, which included targets in government, financial, transportation, telecommunications and energy sectors.
The public-facing website of the United States Congress
Even with these attacks, the most noteworthy incident to date is one in which the group failed to cause any disruption. In May, KillNet tasked their followers with launching DDoS attacks against the Eurovision Song Contest website and several of its subdomains. The aim of the attack was to render Eurovision’s voting systems inaccessible when a representative of Ukraine performed in the semi-finals. The attempt failed, and the Ukrainian representatives went on to win the contest.
Since KillNet’s formation in February, the group has folded several other groups into its operation as it looked to gain prominence.
In March, a group known as XakNet announced that it had joined up with KillNet to launch DDoS attacks against critical infrastructure and government. In May, another group, known as FuckNet, announced their intention to work with KillNet in order to wage a DDoS campaign against public and private sector organizations located in countries that supported Ukraine.
In April, the group created another offshoot, dubbed LEGION, that was set up specifically to carry out KillNet’s DDoS efforts. To date, Intel 471 has observed six separate groups under the LEGION division, with each group carrying out its own attacks. In early July, the group announced that it was dismantling the LEGION division with the aim to restructure and relaunch the division as “LEGION 2.0” in the future.
Intel 471 researchers have also observed a team under the name “Zarya” that is specifically set up to conduct hacks separate from the teams responsible for DDoS attacks.
While senior members of the group likely have extensive experience launching DDoS attacks — leadership has previously operated its own DDoS services and botnets — KillNet has been using publicly available DDoS scripts and IP stressers for most of its operations.
In various Telegram channels, members have been told to use various scripts to help launch attacks, including:
Low Orbit Ion Cannon (LOIC)
Members have also been instructed to use IP stresser-for-hire tools such as:
However, the group does have some of its own tools to launch attacks. One particular LEGION offshoot has introduced their own DDoS malware, dubbed VERA 1.0. It is unclear if this botnet has been used for any particular attacks.
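The tools named above (LOIC-style flood scripts and rented IP stressers) produce application-layer floods in which each participant sends far more requests than a real visitor would. The first detection layer a defender typically adds is therefore a per-source request-rate check on the web server's own access logs. The script below is an added illustration, not Intel 471's tooling or any KillNet code: it parses constructed Apache/Nginx "combined" format lines, counts requests per client IP inside fixed time windows, and returns the sources whose peak rate exceeds a threshold. The sample log, the window length and the threshold are all assumptions to be tuned per site; the approach only covers HTTP-level floods, not network-layer amplification traffic from stresser services, which has to be handled upstream of the server.

```python
"""Per-source request-rate flood detector over constructed access logs.

Added example (not Intel 471's or KillNet's code). Assumptions: logs are in
the common "combined" format, clocks are consistent, and a fixed-window
count per client IP is an acceptable first-pass signal.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict with ip, ts, req, status for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, threshold=100):
    """Map each client IP to its peak request count in any fixed window,
    keeping only sources whose peak exceeds the threshold.

    Fixed buckets (epoch // window_seconds) are used rather than a sliding
    window: cheaper, and good enough to surface a flood-script participant
    that sends tens of requests per second.
    """
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of failing the whole run
        bucket = int(rec["ts"].timestamp()) // window_seconds
        buckets[(rec["ip"], bucket)] += 1

    peaks = defaultdict(int)
    for (ip, _bucket), count in buckets.items():
        peaks[ip] = max(peaks[ip], count)
    return {ip: peak for ip, peak in peaks.items() if peak > threshold}


def make_sample_log():
    """Constructed sample: one source bursting 300 GETs in five seconds,
    one ordinary visitor fetching a few pages over a minute."""
    template = ('{ip} - - [10/May/2022:20:01:{sec:02d} +0000] '
                '"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')
    lines = []
    # 60 requests per second for 5 seconds from a single flood participant.
    for i in range(300):
        lines.append(template.format(ip="203.0.113.7", sec=i // 60,
                                     path="/", ua="Mozilla/5.0"))
    # A normal visitor: one request every ten seconds on different pages.
    for n, path in enumerate(["/", "/news", "/about", "/contact", "/vote"]):
        lines.append(template.format(ip="198.51.100.4", sec=n * 10,
                                     path=path, ua="Mozilla/5.0"))
    lines.append("not a log line")  # malformed input the parser must tolerate
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(make_sample_log()).items():
        print(f"flood suspect {ip}: peak {peak} requests in one window")
```

In practice the flagged sources feed a rate-limiting rule or a temporary block at the edge; the threshold should sit well above the busiest legitimate client observed during a quiet baseline period so that a popular page does not get its readers blocked.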
KillNet has been very vocal since launching its operation, expressing a desire to recruit members via several different online platforms. The group first advertised its launch on several Telegram channels, which had tens of thousands of subscribers at the time. In early March, the group’s leaders announced a “global recruitment plan” for graphic designers, hackers, penetration testers, phishers, spammers and people with DDoS experience to aid in the war against Russia’s perceived enemies.
Alleged representatives of KillNet have also given interviews that have been posted on YouTube or broadcast on Russian-owned news networks, which have largely served as recruitment commercials. In one of those interviews posted in March, a member of KillNet claimed the group had 1,890 members.
Intel 471 cannot determine a true figure for the number of people in the group. While the crew has certainly added members since its inception, KillNet tends to sensationalize many of its operations, including its membership figures. While there are over 50,000 members across multiple Telegram channels associated with the group, the vast majority of those subscribers are not involved in KillNet’s operations. A Telegram channel associated with LEGION grew from 2,800 members at the beginning of May to 7,600 members at the beginning of June. However, of the channels dedicated to the six LEGION teams, none has crossed 300 members.
The group also has asked for cryptocurrency, pointing Telegram channel subscribers to particular wallets for donations. KillNet also launched its own NFT on OpenSea.
Entities within or aligned with Ukraine almost certainly will remain highly sought-after targets for the group. As the war continues to unfold, the group will continually look to attack organizations that are newly supportive, while continuing to go after organizations that have been supportive of Ukraine since the beginning of the war.
It’s likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet’s call and provide support. This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic we have seen several ransomware groups use.
Yet, even with the recruitment rise, it is worth taking any claims KillNet makes about its attacks or operations with a grain of salt. Given the group’s tendency to exaggerate, it’s possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground.