Russian hacktivist group Killnet, well-known for its flair for publicity, made more news today when it reportedly blocked J.P. Morgan’s infrastructure, but failed to impact the bank’s operations.
These reports came one day after Killnet attacked airport websites in 24 states, disrupting service, but causing no real business damage or serious data exfiltration.
Security researchers said Killnet’s attacks remain relatively unsophisticated and unchanged, but the group is nonetheless persistent with its DDoS attacks.
“While DDoS attacks can be classified as a nuisance, if successful, these attacks can result in websites or services being taken down for long periods of time,” said Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows. “This threat is notably higher for critical sectors, where even short downtimes can have significant consequences.”
Killnet was not initially created to be a hacktivist group. Rather, the moniker stems from a tool that hackers could use to launch DDoS attacks, Righi noted. The tool was advertised on the Killnet Telegram channel in January 2022, and then Killnet transformed from a criminal service provider to a hacktivist group with the Russia-Ukraine war.
“Killnet now launches DDoS attacks against countries supporting Ukraine, opposing Russia, and NATO countries,” Righi said. “DDoS attacks by Killnet have resulted in websites being taken down temporarily, but attacks do not typically last more than a few hours or, in very rare cases, a couple of days. Killnet typically switches targets daily.”
Take much of this with a grain of salt
Pascal Geenens, director of threat intelligence for Radware, said the incendiary rhetoric of KillMilk, the founder of Killnet, must be taken with a grain of salt.
“KillMilk wants to prove that U.S. cyber defenses are not what they claim to be,” said Geenens. “KillMilk, a self-proclaimed hero of Russia, is known to be very media hungry and an attention seeker. He likes to be in the spotlight.”
The criticism among security pros has been that Killnet is a bunch of young hacktivists who carry out mostly ineffectual, low-level DDoS attacks. But Geenens maintains that they are not teenagers.
“Their oldest member recently celebrated his 60th birthday,” Geenens said. “Killnet was already on underground forums, advertising a DDoS-as-a-service before the war started. I’ve seen Killnet asking for donations to fund their attack servers. They are not your typical script kiddie. Many of the people behind hacktivist groups have daytime jobs in IT – some are database administrators, others network admins, and some even work in security.”
However, Geenens said he wouldn’t give Killnet too much credit, pointing out that they are not a sophisticated actor.
“At some point, over the summer, they wanted to pivot from DDoS to breaching and destroying systems with wipers,” Geenens said. “Lockheed Martin was supposed to be their turning point, but that did not end well for Killnet, so they have returned to mainly using DDoS.”