Euro Security Watch with Mathew J. Schwartz


KillNet DDoS Attacks Further Moscow's Psychological Agenda

More Evidence Suggests Self-Promoting 'Hacktivist' Group Is Tool of Russian State

Self-proclaimed Russian patriotic hacktivist groups continue to claim they've been wreaking havoc on anti-Moscow targets via an array of disruptive online attacks.


Don't believe the hype, not least when it comes to KillNet, which is one of the most high-profile Russian groups wielding distributed denial-of-service attacks and boasting about how bad it is. Aside from rampant self-promotion that gets KillNet covered in the news and perhaps influences policymakers, experts see scant real-world cybersecurity impact from the group's activities.

"KillNet's activities have primarily centered around DDoS attacks that generate only shallow impacts lasting short periods of time," Google Cloud's Mandiant Intelligence division said in a new report.

Mandiant's assessment of the 500 DDoS attacks launched by KillNet and associated groups from Jan. 1 through June 20 offers further evidence that the collective isn't some grassroots assembly of independent, patriotic hackers. "KillNet's targeting has consistently aligned with established and emerging Russian geopolitical priorities, which suggests that at least part of the influence component of this hacktivist activity is intended to directly promote Russia's interests within perceived adversary nations vis-a-vis the invasion of Ukraine," Mandiant said.

Researchers said KillNet and its affiliates often attack technology, social media and transportation firms, as well as NATO. Targets have included German government agencies and financial services firms, the EU Parliament, trauma centers and airport websites, and typically the attacks cause little actual disruption.

To hear KillNet's recounting of its attacks via its Telegram channel, these hacktivists are nothing short of devastating. The same goes for other past and present members of the KillNet collective, including KillMilk, Tesla Botnet, Anonymous Russia and Zarya. Recent attacks by Anonymous Sudan have involved paid cloud infrastructure and had a greater impact, although it's unclear if this will become the norm.

Information Operations

In the early days of Russia's all-out war against Ukraine, Western cybersecurity officials warned that patriotic hackers might support substantial cyber operations in coordination with military campaigns. Analysts say that strategy failed to materialize, as did the use of combined cyber and kinetic operations by the Russian military.

Groups such as KillNet, which has claimed to be a "private military hacker company" and to partner with such well-known cybercrime groups as REvil and Conti, have still made a lot of noise, threatening DDoS reprisals against anyone who disagrees with Russian President Vladimir Putin's policies.

Some groups' rampant self-promotion, which gives some ransomware groups a run for their money, might be their core skill. Earlier this year, Alexander Leslie, a researcher at Recorded Future who has been tracking over 200 independent hacktivist groups aligned with factions on every side of the conflict, reported that the hacktivist groups' bark was almost always bigger than their bite.

"The overwhelming majority of claims made by these groups were false, they were misleading or they were exaggerated in impact," he told Information Security Media Group.

The point of such attacks, he said, doesn't appear to be disrupting targets' cybersecurity but rather their psychology, by making the Russian war machine look scarier and more effective than it really is. One risk is that defenders and policymakers fall for the ruse.

"Pro-Russian hacktivists are really attempting to hack our attention by hitting flashy targets and taking on a number of identities," said John Hultquist, chief analyst at Mandiant Intelligence. "They may succeed in carrying out a serious incident but we have to remember that immediate effects aren't nearly as important to them as undermining our sense of security."

Anonymous Sudan Debuts

One notable change in the story of KillNet, which has been operating since January 2022, has been the rise of KillNet's Anonymous Sudan affiliate, which "accounted for 63% of total identified DDoS attacks claimed by the KillNet collective" in the first half of this year, Mandiant reported.

Anonymous Sudan has been bringing more effective online disruption capabilities to bear on big-name targets. Last month, Microsoft confirmed reports that Azure and Microsoft 365 outages had been caused by Anonymous Sudan.

The group's disruptions have been more sophisticated than the typical KillNet attack. Australian cybersecurity firm CyberCX reported that Anonymous Sudan had been using "proxies to distribute and conceal the origin of DDoS traffic." Many of these proxies appeared to be paid services that it believed would have cost tens of thousands of dollars per month to access.

Anonymous Sudan's use of expensive online infrastructure to wage its DDoS war undercut its claims to be an all-volunteer group operating from an impoverished East African country. "Russian government-linked actors have historically employed false hacktivist facades as a means of obscuring their role in targeting Western countries," Mandiant said.

One of the best known was Guccifer 2.0, the supposed hacker who leaked data to WikiLeaks as part of an attempt to influence the 2016 U.S. presidential election. The U.S. government said that the hacktivist was none other than Russia's FSB military intelligence agency.

Who's been paying Anonymous Sudan's proxy bills? Perhaps the whole KillNet collective is being run directly by the FSB as a cutout. Or maybe Russian intelligence assembled a crack team of freelancers and supplies them with free vodka and a list of Moscow-approved targets.

However KillNet and its ilk are being run, the point of these efforts remains unclear. Perhaps the DDoS groups are designed as information operations to make Russia look scarier than it really is, in which case they're at least partially succeeding. Maybe they're cover for espionage operations. Perhaps the point is to distract from Moscow's continuing failure to conquer Ukraine or crash the country's critical infrastructure.

Accordingly, it's tough to know now if KillNet is killing it for Russia. As British intelligence official Paul Chichester warned earlier this year about attempts to gauge the success or failure of Russia's cyber operations, "Their view of success and ours may prove to be different in the future."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
