Killnet: Russian Hacktivists DDoS US Airports, Government Websites

By Anthony Eich on October 18, 2022

Executive Summary

KillNet, a Russia-sympathizing hacktivist group founded in January 2022 and known to attack Western governments and infrastructure, has launched a distributed denial of service (DDoS) attack on over 40 major United States airports. Flooding these airports' websites with “garbage” internet traffic and User Datagram Protocol (UDP) requests renders the websites essentially useless, or “down,” which can have major impacts on consumers. The group, which is not affiliated with the Russian government and has publicly declared war on enemies of Russia and supporters of Ukraine alike, targeted the US airports in retaliation for US involvement in the Russian invasion of Ukraine. The group is also responsible for attacks in recent weeks against other government and financial institutions, such as JPMorgan Chase, dozens of US Department of Defense websites such as TRICARE, army.mil, and DS Logon, and several state government websites. Damages have been minimal, but the takeaway from these attacks is that both Russia and Ukraine have non-sanctioned cyber-war combatants that are willing and able to act on their loyalties and that are expanding the battleground to a worldwide network.

Background

KillNet was originally devised as a DDoS tool that was launched in January of 2022. The service was advertised on Telegram as a subscription for a botnet that could be rented on a monthly basis. Soon, though, the platform morphed into what is now a legion of hacking groups, with Telegram member subscriptions exceeding 100,000, that have dubbed themselves the “Cyber Special Forces RF (Russian Federation),” loyal to Russia and bent on disrupting or taking down websites of North Atlantic Treaty Organization (NATO) nations and other organizations sympathetic to Ukraine. The group is organized and has developed rules and regulations for participation, such as requiring users to report for duty at least every two days and to adhere to strict rules of engagement. On 16 May 2022 KillNet officially declared a cyber war on 10 NATO countries. The United States, United Kingdom, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine were all listed as targets. In addition to these countries, other hacktivist groups such as Anonymous and the state-sanctioned IT Army of Ukraine have also been declared enemies of KillNet.

Figure 2: KillNet advertises on Telegram, recruiting volunteers into their Cyber Special Forces RF

Impact

To orchestrate attacks, KillNet advertises targets on its Telegram channels, telling its legion when and where to direct their DDoS attacks. The attack methods in use include ICMP Flood, IP Fragmentation, TCP SYN Flood, TCP RST Flood, TCP SYN / ACK, NTP Flood, DNS Amplification, and Connection-less LDAP (CLDAP). The group has been successful in shutting down websites and disrupting operations of many different targets across NATO nations since the beginning of the Ukraine-Russia conflict. While these attacks do not threaten flights or air traffic control, they do cause a major disruption to business operations, which can potentially have a high cost in lost revenues. In addition to causing financial damages, the group seems to be working towards disrupting communications and possibly testing targets that could have potentially more disruptive results, such as their attack on an election website in Kentucky, or the exfiltration of personally identifiable information (PII) of Lockheed Martin employees, which could be used to target individuals. This points to an escalation of sorts, in that the cyberwarfare tactics being used by these groups breach the norm of targeting only battlefield combatants and instead seek to draw industry targets from the military-industrial complex into the line of fire. No longer does an individual need to pick up a weapon and enlist in the military to be considered a target, as these hacker groups do not adhere to the rules of engagement or conventions of wartime, such as those that define what is to be considered a non-combatant.

Significance

While none of these attacks have long-lasting effects, they do show a trend: in addition to state-sponsored threat actors such as Fancy Bear and Sandworm, Russia has a vast following of unsanctioned hackers that are growing increasingly organized and that continue to carry out attacks against any targets these fringe groups perceive to be enemies. This trend, which manifests on both sides of the Russia-Ukraine conflict and includes groups that act in favor of Ukraine or Russia, like KillNet or the aforementioned Anonymous, shows that cyberwarfare is escalating to a worldwide stage and involves any volunteers that have access to the internet. There are no borders or boundaries that cannot be traversed by these organizations, and their missions are self-prescribed based on loyalties that may or may not be rooted in citizenship, nationality, residency, or any other conceived connection, making identification of enemy cyber-combatants much more difficult for security professionals and strategists. It is hard to say how this change in cyberwarfare can affect the traditional battlefield, but given the rate at which the sophistication employed by these smaller, less-funded, all-volunteer groups is increasing, it is safe to say that their actions could be significant enough to sway a battle towards one side or the other. Enemy forces are no longer clearly stationed behind a front line of combat. Instead, combatants are now able to participate in wars from their living room or an internet café, from within the borders of the country they support, or while residing in the nation that they are targeting and using the very infrastructure that their mission calls for them to take down. And these hacktivists, or cyber warriors, do not have to pass any tests or meet any requirements, other than to have a willingness to participate and a desire to support the mission.

All of this leads to the question of whether cyberwarfare can continue to be looked at as a lesser form of battle, and whether these acts are to be considered acts of war in the truest sense and met with a response in kind. For NATO nations, that means deciding whether or not to invoke Article 5, which is a call to arms in collective defense, stating that an attack on one NATO nation is an attack on all NATO nations, and potentially thrusting the world into a very real war in response to attacks in cyberspace.
