Pro-Russian hacktivist group Killnet has kept very busy since Russia invaded Ukraine. After declaring war against organizations in Ukraine-allied countries, Killnet carried out attacks in Lithuania, Norway, and Italy, to name a few. These attacks have left many wondering if their organizations will be next.
During the week of July 18, GroupSense analysts noted an announcement from Killnet. The group claimed that it would attack Lockheed Martin, a US defense contractor, with a new cyber tool. This attack would differ from most others that Killnet carries out: it would not be a DDoS (distributed denial of service) attack. GroupSense analysts believe that Killnet will continue shifting away from DDoS attacks and instead carry out hack-and-release attacks. GroupSense analysts provided screenshots and translations from hacking forums with evidence supporting the move from DDoS to hack-and-release.
On July 12, a Killnet affiliate group called Zarya Squad posted to Telegram six files that it claims to have stolen from the State Archival Service of Ukraine.
Figure 1: Zarya Squad post leaking files supposedly from State Archival Service of Ukraine. Source: t[.]me/ddos_channel_rus/371
Translation of material from Figure 1:
Let's give you a little treat.
Here is some of the data we pulled from the archive (archives.gov.ua)
Several days later on July 16, Zarya Squad claimed to have gained control over several Ukrainian government networks, including the statistics department. The group claimed that the statistics department lies about Ukrainian military losses and the health of the economy.
Figure 2: Zarya Squad post claiming to have control over Ukrainian government networks. Source: t[.]me/ddos_channel_rus/371
Translation of material from Figure 2:
The operator was hacked and gained control over Ukraine's state apparatus control systems.
Among these is the statistics department, responsible for reducing the statistics of Ukrainian army losses and overstating the stability of the country.
Publicly claiming to have carried out hacks and stolen data represents a significant and concerning departure from previous Killnet operations. Until then, the group had appeared to take credit only for hacks against Ukrainian targets, but that ended with the threat against Lockheed Martin.
On July 27, GroupSense analysts observed a surprising new message from Killnet. The founder of Killnet, known as KillMilk, will leave the gang to conduct his final attack on Lockheed Martin. Killnet claims that KillMilk has been preparing for this final stand for a long while. In their main Telegram channel, Killnet shared a new channel that belongs to founder KillMilk. In KillMilk’s new channel, GroupSense analysts observed the following message:
Figure 3: Telegram announcement.
Translation of material from Figure 3:
“😕 Founder of Killnet hacktivist movement, Legion - cyber special forces, Cyber Army of Russia alias "KillMilk" leaves our group by his own convictions! (Don't be fooled by any other news from the Fraudsters, if KillMilk wants to come back, we will certainly notify everyone via our official channel @killnet_reservs)
⚡️ His words dedicated to all KILLNET members:
"I created you to Defend our Homeland, I showed you how fragile Europe and its mentality is, now your way out - don't fail!"
<<KillMilk won't just go away, he will conduct his final attack on Lockheed Martin for which he has been preparing for a very long time...>>
⚡️Killnet remains in defense of the Russian Federation and continues to operate 24/7.
⚡️⚡️KillMilk didn't just establish us and give a decent fight to Europe and America. He gave millions of young people in Russia and the CIS an opportunity, ideas and a place to fulfill themselves!!!
☝️On behalf of our Hack movement Killnet and all our supporters in the online space. All of our supporting Hack communities and web resources - Let's support this post with tens of thousands of reposts and hearts! He deserves it....”
The message from Killnet shows a strong commitment to defending Russia against its adversaries abroad, sharing an anti-European sentiment and a call to action for other hacktivists to continue on in the name of the homeland.
On July 28, KillMilk posted the following message:
Figure 4: KillMilk's message.
Translation of material from Figure 4:
“What I would do for my country now would be dangerous enough for my team. So I made the decision to withdraw from Killnet for their own safety. But that doesn't mean I'm leaving them without my help. Nothing changes, folks! Killnet is in full swing to win!
Didn't someone say, "One man standing alone in the field"? 😈”
In the past few years, GroupSense analysts have observed many high-profile members of organized cybercrime groups leaving larger groups to avoid law enforcement scrutiny or due to in-fighting within the gangs. Most recently, we have seen the Conti ransomware group splinter into smaller cells to avoid notoriety and law enforcement. As scrutiny over cyber attacks increases throughout Russia’s prolonged invasion of Ukraine, GroupSense analysts expect this trend to continue.
The Future of KillMilk
Since KillMilk stepped down, Killnet has elected a new leader, a threat actor known as BlackSide. There is no evidence to tell us what KillMilk will do next, but GroupSense analysts believe that the actor’s strong commitment to hacktivism and to Russia will compel him to continue working with other hacktivist groups. GroupSense will continue to monitor the situation for new information.
Figure 5: Killnet announces new leader.
Translation of material in Figure 5:
🔥KillMilk blesses the hacker "BlackSide" and gives him the title of Killnet control!
Hacker BlackSide "BlackSide"
Specification: Ransomware, crypto phishing "USA/EC", Brilliant robber of European crypto exchanges, Owner of DarkNet hack forum in the "onion" zone - forum information is hidden.
😈Welcome "BlackSide" and wish you success!