Throughout the Russian invasion of Ukraine, the pro-Russian hacktivist group Killnet has captured the attention of cybersecurity experts. Killnet originally began as a DDoS botnet service. In January 2022, a threat actor posted an advertisement for the Killnet botnet in Duplikat, a dark web forum for carding, botnets, and other illegal activities. According to the ad, the botnet allowed users to direct traffic without the target’s knowledge. It also claimed that the botnet uses the latest WEB3 technology and that the data is stored throughout the Blockchain. Since January, the nationalist group has targeted pro-Ukrainian countries and organizations in a slew of attacks and experienced organizational shake-up after their leader left.
Killnet isn’t slowing down over the holidays. In late November, GroupSense analysts found a new Telegram channel named Killnet Collective created by the hacktivist group. According to the description, this channel will primarily be used for defacements, email dumps of European organizations, DDoS attacks, tutorials of SQL injections, and general cyber intelligence. The channel also provided instructions for all actors willing to carry out DDoS attacks. Their first target was the Latvian Ministry of Foreign Affairs website. Though the new channel offers different attacks than Killnet previously perpetrated, the new attacks are not very sophisticated.
Figure 1: instructions posted to the Killnet Collective channel
Translation: Everybody hit L7/4 on the targets in this LIST (https://t.me/killnet_collective/8). Use 443/80/53 PORT if you are working on level four.
In a showcase of their newer attack styles, Killnet accessed a database containing almost 1 gigabyte of information with photos of the 92nd Army Brigade of the Armed Forces of Ukraine and shared it to the original Killnet channel We Are Killnet. They claimed to take the data from Brigade Commander Fedosenko’s email account. It seemed that, because this was posted before Killnet Collective was created, Killnet was practicing their new TTPs and showing their members what was possible.
Figure 2: Images of the leak on the Killnet channel.
Translation: Almost 1 gigabyte of data with photos of all the personnel of the 92nd Army Brigade of the AFU.
➡️ Data taken from the email of Brigade Commander Fedosenko of the 92nd Army Brigade of the AFU(Аrmed forces of Ukraine)
Over the last few months, GroupSense analysts have noted a higher volume of Killnet attacks on US entities, some of which belonged to the US government and major media outlets. The targets included whitehouse.gov, bbc.com, cnn.com, washingtonpost.com, and usa.gov. GroupSense analysts note that these sites were used as a training ground for the new Killnet Collective channel, allowing members to get up to speed on new attack techniques.
Figure 3: Screenshot from Killnet Collective with US targets.
Another US victim of Killnet is JOOJ technologies, an American software company. On November 28, the company’s website was defaced by Killnet, and displayed a photo of a child killed in Donbas, Ukraine, with the following message, “Hello friend! This child named Vlad Shikhov, he is killed by the Kyiv regime like thousands of other children of Donbas. You are sending money not to help Ukraine, you have been deceived. Your money go to the business of the Kyiv officials. Stop the war - stop your power, go to the street and burn beat the police. Take power into your hands! I am waiting for you my friend!” The next post in the channel included a leak of email correspondence from the company. While the message posted to the defaced site might be linked to alleged donations to the Ukrainian cause, it could be a general message sent to the American people about supporting Ukraine. GroupSense can’t confirm either theory at this time.
Figure 4: A screenshot of the defaced websites of the American software developer
Translation: American company, software developers🤗
On November 30, Killnet claimed that they gained access to a senior customer support expert at the state labor inspectorate of Latvia named Aija Berkold. In their new attack style, they claimed to gain access through an email address and then got into the governmental system, ultimately gaining VPN access, where they were allegedly able to get gigabytes of documents. They are now ransoming that data, requesting 10 bitcoin from the Latvian government.
Figure 5: Posts in the Telegram channel claiming the Latvian attack.
On November 28, Killnet conducted an attack in collaboration with Deanon Club against Black Sprut, a deep web marketplace used for drug trading. GroupSense believes this attack to be significant because it shows a successful collaboration that is more effective than either group can be on its own. Together, they were able to DDoS the form and steal a database containing username data, histories, logging, and communication. This attack shows the broadened horizons of Killnet’s hacktivism, and GroupSense analysts expect more sophisticated attacks like this in the future.
As Killnet continues to evolve, GroupSense analysts are interested to see if attacks continue to be collaborative, and as the war in Ukraine trudges on, we know attacks won’t be slowing down. If you’re interested in receiving cyber intelligence like this, learn more about our Digital Risk Protection Services offering today.