March 21, 2025

Killnet – Russian Hacktivist Group

Killnet is a pro-Russian hacktivist group that has gained notoriety for its Distributed Denial of Service (DDoS) attacks against government institutions, private companies, and critical infrastructure in countries perceived as hostile to Russia, particularly since the start of the Russia-Ukraine war in February 2022. While claiming to be hacktivists, the group's actions and rhetoric strongly align with the Kremlin's geopolitical agenda. This article provides a deep dive into Killnet's origins, tactics, targets, notable campaigns, and defense strategies to help security professionals better understand and mitigate this evolving threat. The group has also been identified as financially motivated: it offers its DDoS capabilities for hire and sells stolen data.

Origins & Evolution

Killnet reportedly emerged around March 2022, coinciding with the intensification of the Russia-Ukraine conflict. However, its alleged founder, Killmilk, claims the group's operations began in 2021, possibly to distance the group from direct Russian government ties. Initially, the group offered DDoS-for-hire services on Russian-language illicit forums starting in January of 2022.

While Killnet presents itself as an independent hacktivist collective, its targeting, timing, and rhetoric closely mirror Russian state interests. There's no direct public evidence proving control by Russian security services, but multiple cybersecurity firms (including Mandiant) assess that coordination or more substantial ties cannot be ruled out. Historically, the Russian government has used false-flag hacktivist operations to obfuscate its involvement in cyberattacks, a factor that adds to the suspicion surrounding Killnet. The group actively recruits members via Telegram, seeking individuals with various skill sets, including coders, network engineers, and OSINT specialists.

After the Russian invasion of Ukraine, Killnet became more overtly political, focusing its attacks on Ukraine and its allies.

The group's internal structure has been described as decentralized, with Killmilk claiming around 4,500 members in various subgroups that act independently but coordinate actions. "Legions" are reportedly formed and dissolved depending on the targets. "Legion-Cyber Intelligence" initially held operational control, but now apparently focuses on intelligence gathering. Killnet has also incorporated smaller hacktivist groups, such as "Anonymous Russia," under the "Killnet Collective" umbrella. Killmilk stepped down as the formal leader in July 2022 (replaced by Blackside), but he remains a highly influential figure and continues to make public announcements.

The group, especially Killmilk, has faced criticism and accusations of corruption within some cybercriminal circles, being labeled as "script kiddies" due to their reliance on relatively unsophisticated DDoS attacks.

Recently, Killnet has announced that it is restructuring as a private military hacking company called "PMC KILLNET".

Tactics & Techniques

Killnet's primary tactic is Distributed Denial of Service (DDoS) attacks, which aim to overwhelm target servers with malicious traffic and render websites and services inaccessible. While initially relying on publicly available DDoS tools, the group has claimed to develop custom botnets and boasts of increasingly sophisticated capabilities.

Key tactics, techniques, and procedures (TTPs) include:

  • DDoS Attacks:

    • Methods: TCP-SYN, UDP, TCP SYN/ACK amplification, DNS amplification, IP fragmentation, ICMP flood, TCP RST flood, slow POST attacks.

    • Claimed Capability: Killmilk has claimed the ability to launch massive 2.4 Tbps DDoS attacks, although this has not been independently verified.

    • Tools: Publicly available scripts such as "CC-Attack" and other known DDoS scripts ("Aura-DDoS," "Blood," "DDoS Ripper," "Golden Eye," "Hasoki," and MHDDoS), as well as proprietary tools.

    • "Passion" Botnet: Used in attacks against medical institutions.

  • Reconnaissance: Brute-forcing credentials on FTP, HTTP, HTTPS, and SSH ports.

  • Operating Through Subgroups: Killnet operates through multiple subgroups, which creates confusion for defenders and makes attribution and defense more difficult. This division of labor is a core strength.

  • Social Engineering: They also engage in social engineering for credential harvesting, broadening their attack surface.

  • Verification: Uses check-host[.]net to verify the success of their attacks.

  • Botnet Access: Killnet has access to Titan Stealer and to a new botnet, "TESLA," built by RADIS, a commander of one of the Killnet sub-groups.

  • No Attacks on Russia/CIS: The largest botnet owners are Russian and have blocked attacks on Russia and CIS countries at the configuration level.

  • Hack-and-Leak Operations: Beyond DDoS, Killnet also engages in hack-and-leak operations, stealing and publishing sensitive data.

  • Affiliates: Gaining capacity and capability through a network of affiliated hacktivist groups.

Killnet relies heavily on Telegram for communication, announcements, recruitment, and propaganda dissemination.

Targets or Victimology

Killnet's targeting overwhelmingly aligns with Russian geopolitical interests. Their primary targets are:

  • Government Institutions: Government websites and online services of countries supporting Ukraine and/or imposing sanctions on Russia.

  • Critical Infrastructure: Organizations in sectors like transportation (airports), finance (banks), healthcare (hospitals), and energy.

  • Private Companies: Businesses perceived as opposing Russia or supporting Ukraine.

  • International Organizations: Bodies like NATO and the European Parliament.

Geographic Focus: The United States, Europe (particularly countries providing substantial aid to Ukraine), and other allies like Japan. Specific countries frequently targeted include Romania, Moldova, Czech Republic, Italy, Lithuania, Norway, Latvia, Japan, and Germany.

Killnet's attacks are often retaliatory, responding to specific events or policy decisions. For example, attacks on Lithuania followed its restriction of goods transit to Kaliningrad, and attacks on Germany followed its decision to send tanks to Ukraine.

Attack Campaigns

Killnet has been associated with numerous high-profile DDoS campaigns. Some notable examples include:

  • Early 2022: Attacks on government websites in Romania and Moldova.

  • May 2022: Attacks on Italian institutions, including the Istituto Superiore di Sanità, the Automobile Club of Italy, and the Italian Senate. Attempted attack on the Eurovision Song Contest website during Ukraine's performance, followed by an attack on the Italian state police website.

  • June 2022: DDoS attacks against Lithuania in response to the transit restrictions to Kaliningrad. Attacks on organizations in Norway and Latvia.

  • August 2022: Claimed attack on Lockheed Martin in retaliation for supplying HIMARS systems to Ukraine, accompanied by rhetoric accusing the company of "sponsoring world terrorism."

  • September 2022: Attacks on Japanese government ministries, agencies, and social networks.

  • October 2022: Attacks on multiple US airport websites.

  • November 2022: Hacked Russia's largest dark web drug site.

  • November 2022: Attacked Western governments' and companies' websites, targeting Poland (Warsaw Airport, Gdansk Airport, and Rzeszow Airport).

  • December 2022: Threatened the US Congress; claimed attacks on BACS, the London Stock Exchange, and the Prince of Wales official website.

  • January 2023: Wide-ranging DDoS attack against various agencies and companies in Germany in retaliation for the German government's decision to send Leopard 2 battle tanks to Ukraine.

  • February 2023: Called for attacks on the United States.

  • 2023: Widespread campaign against US healthcare institutions.

  • Ongoing: Killnet has continued to launch attacks and issue threats, often in coordination with its affiliates. The Microsoft and European Investment Bank (EIB) attacks, attributed to the Killnet affiliate Anonymous Sudan, demonstrate an increase in capabilities.

  • Ongoing: Claims of collaboration with actors claiming to be from the REvil ransomware group.

Defenses

Defending against Killnet requires a multi-layered approach focused on mitigating DDoS attacks and enhancing overall cybersecurity posture:

  • DDoS Mitigation Services: Employ specialized DDoS mitigation services (cloud-based or on-premise) to absorb and filter malicious traffic. These services use techniques like traffic scrubbing, rate limiting, and behavioral analysis.

  • Web Application Firewall (WAF): Implement a WAF to filter malicious HTTP requests and protect against application-layer attacks.

  • Network Segmentation: Segment networks to limit the impact of a successful breach and prevent lateral movement.

  • Intrusion Detection and Prevention Systems (IDPS): Deploy IDPS to monitor network traffic for suspicious activity and automatically block or alert on potential threats.

  • Rate Limiting: Configure rate limiting on servers and network devices to restrict the number of requests from a single source within a specific timeframe.

  • Traffic Analysis: Continuously monitor network traffic for anomalies and patterns indicative of DDoS attacks.

  • Incident Response Plan: Develop and regularly test an incident response plan to ensure a swift and effective response to attacks.

  • Employee Training: Train employees to recognize and avoid phishing attempts and other social engineering tactics.

  • Vulnerability Management: Regularly scan for and patch vulnerabilities in systems and applications.

  • Threat Intelligence: Leverage threat intelligence feeds to stay informed about Killnet's latest TTPs, targets, and associated infrastructure (IP addresses, domains).

  • Strong Password Policies: Implement strong password policies and use multi-factor authentication.

  • Regular Security Audits: Conduct regular security audits to identify and fix vulnerabilities. A strong patch management strategy is also recommended.
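The Rate Limiting and Traffic Analysis items above, together with the slow POST method listed under TTPs, as an added example that is not part of the original article: a Python check that replays constructed web-server log lines through a sliding-window per-source request counter and a long-POST detector. The log format (`ip time method path duration_ms`), the sample addresses and the thresholds are assumptions, not any product's real format or tuning.

```python
# Added example (not from the original article): sliding-window per-source
# request counting plus a slow-POST check over constructed log lines.
# Log format (ip, unix time, method, path, duration in ms) is an assumption.
import re
from collections import defaultdict, deque

# Constructed sample: one source bursting, one browsing normally, one slow POST.
SAMPLE_LOG = """\
203.0.113.10 1700000000 GET /index.html 12
203.0.113.10 1700000001 GET /index.html 11
203.0.113.10 1700000001 GET /index.html 10
203.0.113.10 1700000002 GET /index.html 13
203.0.113.10 1700000002 GET /index.html 12
203.0.113.10 1700000003 GET /index.html 14
198.51.100.7 1700000000 GET /about.html 20
198.51.100.7 1700000030 GET /news.html 25
192.0.2.55 1700000005 POST /login 185000
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (GET|POST|HEAD|PUT|DELETE) (\S+) (\d+)$")

def parse_log(text):
    """Yield (ip, ts, method, path, duration_ms); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, dur = m.groups()
            yield ip, int(ts), method, path, int(dur)

def detect(text, max_req=5, window_s=10, slow_post_ms=30000):
    """Return {ip: set(reasons)}: 'rate' when a source sends more than max_req
    requests inside any window_s seconds, 'slow_post' for a POST held open
    for at least slow_post_ms (the slow POST pattern)."""
    windows = defaultdict(deque)   # ip -> request timestamps in the current window
    flagged = defaultdict(set)
    for ip, ts, method, _path, dur in sorted(parse_log(text), key=lambda r: r[1]):
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > window_s:   # expire timestamps older than the window
            q.popleft()
        if len(q) > max_req:
            flagged[ip].add("rate")
        if method == "POST" and dur >= slow_post_ms:
            flagged[ip].add("slow_post")
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

In production the same logic belongs at the edge (WAF or scrubbing service) rather than in a log post-processor, but replaying logs this way is a cheap way to tune thresholds against real traffic before enforcing them.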

Conclusion

Killnet represents a significant, albeit not always highly sophisticated, cyber threat, driven by pro-Kremlin motivations and fueled by the ongoing conflict in Ukraine. While primarily relying on DDoS attacks, the group is evolving, potentially increasing its capabilities through collaboration with affiliates and a shift towards more financially driven cybercrime. Their actions, closely aligned with Russian geopolitical objectives, necessitate a proactive and multi-layered defense strategy focusing on DDoS mitigation, threat intelligence, and robust cybersecurity hygiene. The potential for escalation and the blurring lines between hacktivism and state-sponsored activity make Killnet a threat that organizations, particularly those in targeted sectors and countries, must take seriously.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
