A large, coordinated hacker attack hit the European Parliament website in the early afternoon of Wednesday 23 November. The cyberattack, of the DDoS type, caused the site to go down, and it arrived only a few hours after MEPs had voted in favour of a resolution declaring Russia a “state sponsor of terrorism”. A strange coincidence, which had already raised some hypotheses from security experts. Confirmation came a few hours later. Those responsible are in fact a group of pro-Russian hackers known as Killnet. Here’s who they are and how they operate.
Check Point experts tell us that Killnet is just one of many hacker groups aligned with the Russian geopolitical narrative. Other collectives such as Xaknet, From Russia with Love (FRW), NoName057(16) and still others are notorious for their ongoing strategic attacks on websites deemed to be opponents of the Putin regime. They are to all intents and purposes hacktivists in their own way: groups of hackers who act in the name of an ideal or a cause, whether right or wrong.
During the war between Russia and Ukraine, the activities of these collectives greatly intensified. After all, this is a war that is also fought with narrative and technological means. The attacks have affected various governments and first-tier companies, both in the United States and in Europe, including Italy, as well as Lithuania, Estonia, Norway, Finland, Poland and Japan.
Killnet and beyond: who are the pro-Russian “hacktivists”?
The Killnet group began stepping up its aggressive activities in March, immediately following the Russian invasion, primarily against Ukrainian targets. By April, however, the group had completely changed the focus of its attention. The attacks extended to the whole world, always with the aim of supporting Russian geopolitical interests. Between late February and September, the group claims to have completed more than 550 attacks. Of these, only 45 were directed at Ukraine.
Killnet primarily went after high-profile targets: government sites, big companies, financial giants, airports and much more. Check Point experts have compiled a few examples for us.
Killnet cyber attacks: some examples
- In March, the Bradley International Airport in Connecticut (US) suffered a DDoS attack affecting its website. US authorities have confirmed an attempted large-scale DDoS attack on the airport site.
- In April, some websites belonging to the Romanian government, such as that of the Ministry of Defense, that of the Border Police, that of the National Railway Transport Company and a commercial bank, were made unreachable for several hours. These attacks occurred in response to a statement made by the Romanian leader of the Social Democratic party, Marcel Ciolacu, who offered to send weapons to Ukraine.
- In May, massive DDoS attacks hit several German and Italian targets. In particular, in Germany, the site of the party to which Chancellor Olaf Scholz belongs, the site of the German Ministry of Defense, that of the German Parliament, that of the Federal Police and various state police authorities were affected. In Italy the attacks involved the websites of the Italian Senate, the Ministry of Defense and the Higher Institute of Health.
- In June, cyberattacks hit Lithuania and Norway in response to the worrying geopolitical developments that have taken place between these countries and Russia, again following the sanctions imposed against Moscow.
- In July, Killnet focused its efforts on Poland, resulting in the unavailability of many Polish government, tax authority and law enforcement websites.
- August was a pretty busy month for Killnet. The month began with an attack in Latvia, which had called Russia “a representative country of terrorism”. The Latvian Parliament website went down following a DDoS attack. Later (in the same month), Estonia faced the largest attack since 2007, carried out in response to the removal of Soviet monuments. However, Estonia proved to be well prepared in managing the attack.
Also in August, Killnet attacked the USA, in particular by targeting the American manufacturing giant Lockheed Martin in response to its support for the Ukrainian military system. Also targeted were the US Electronic Health Monitoring and Tracking System and the US Senate, which was debating the possibility of sending additional aid to Ukraine.
- In September the group also hit Asia for the first time, mainly targeting Japan, again in retaliation for its support of Ukraine.
How is Killnet structured and who are its members?
Killnet currently counts more than 89,000 subscribers on its Telegram channel. The organization is structured exactly like a military hierarchy, top-down, with leaders, “generals” and “soldiers”. Just like an army, Killnet therefore consists of a set of operational teams prepared to carry out attacks that respond to a main order.
Currently the group has a dozen sub-groups, the primary one being Legion. All of these groups are led by an anonymous hacker with the nickname KillMilk, who announced his intention to leave the group in July, but still remains involved in the activities. Legion and the squads (known as: “Jacky”, “Mirai”, “Impulse”, “Sakurajima”, “Rayd”, “Zarya”, “Vera”, “Phoenix”, “Kajluk”, “Sparta” and “DDOSGUNG”) are considered Killnet’s special forces, with Legion identified as its cyber-intelligence force.
It is therefore KillMilk that assigns attack orders to each group leader, creating independent infrastructures that significantly improve the chances of survival of the entire organization. This method has proven effective as the team continues to recruit members, growing in numbers. Their Telegram group contains rules, discussions regarding goals and instructions on creating/joining new teams.
The answer to the question “who are the Killnet people?” is definitely more complex. Unlike Anonymous, which prides itself on welcoming everyone, without imposing any prerequisites regarding specific skills or plans, Killnet only accepts members who meet minimum prerequisites. The group is constantly investing in recruitment programs advertised on its Telegram channels. Some groups have set up a pre-screening process to hire only hackers who are competent or experienced in a particular field. This dynamic reduces the risk of making mistakes that could compromise the entire operation.
How Killnet works: mass DDoS attacks
Check Point Software recently noted that KillNet leaves DDoS attack instructions to the masses. This is due to the lack of manpower needed to carry out the planned actions.
“On multiple occasions we have also seen KillNet offer rewards to individuals responsible for physical and non-virtual vandalism in Ukraine,” reports a Check Point expert.
In addition to expert hacker teams, Killnet boasts extremely advanced tools, which allow them to carry out elaborate and more damaging attacks. “The more devastating an attack is, the more notoriety the group gains,” Check Point explains. DDoS attacks themselves are conducted using huge botnets (networks of computers connected to the network which have passed under the control of a single entity).
According to Avast, some similar groups like NoName057(16) use a RAT known as Bobik, which has been around since 2020, alongside Redline stealer. Recent reports state that those Bobik-infected devices are part of a botnet performing DDoS attacks on behalf of NoName057(16).
In a press release, Check Point tried to take stock of the situation, writing:
“What is worrying is that many hacktivist groups have an agenda of state-related activities. They are subservient to specific interests and specific governments. While this dynamic initially manifested itself in specific areas of conflict, we already see it spreading westward and beyond. We also expect hacktivist operators to deploy their arsenal and unleash nuisance attacks for a country. Another growing concern is represented by the inspiration generated by hacktivist groups in governments, which could mean the evolution of this activity into a long-term phenomenon”.