Within the realm of digital warfare, the threat actor group known as “Killnet” has established itself as a high-visibility force. Killnet is one of the most active and ambitious pro-Kremlin hacktivist collectives, and its volatility has intensified since Russia’s invasion of Ukraine.
While Killnet shows persistence, it is also notably fickle. The group constantly seeks new avenues for expansion, evolves its tactics, and captures attention with its “army of cyber partisans,” aided by pro-Kremlin media that is eager to deliver storylines aligned with the Russian government’s narrative. Killnet’s notorious alignment with pro-Kremlin ideological motives, alongside its pursuit of financial gain, has fueled the collective since the start of the Russia-Ukraine conflict.
Understanding the inner workings of a prominent group like Killnet is vital for organizations aiming to grasp the broader cyber threat landscape. By unraveling Killnet’s operations, organizations can deepen their understanding and fortify their defenses against this evolving menace.
What is Killnet?
“Killnet” is a financially and ideologically motivated threat group, likely based in Russia, that has committed distributed denial-of-service (DDoS) and data exfiltration attacks against Western entities and Dark Web markets.
First emerging in October 2021, Killnet initially offered DDoS attacks for hire. Flashpoint observed the first ads posted by the group about its for-hire DDoS service in January 2022. These ads were on various Russian-language illicit forums.
Following Russia’s February 2022 invasion of Ukraine, the collective started conducting, threatening, and taking responsibility for attacks on networks in Ukraine and in countries seen as supporting Ukraine. The group openly pledged allegiance to Russia, particularly in the context of the war, and has stated its disdain for NATO and Western weapons shipments to Ukraine.
Since February 2022, Killnet has targeted both state-owned and private websites. The group has also attacked networks in countries that provide assistance to Ukraine. It also targets those who have supported sanctions against Russia. The group’s associates have also carried out hack-and-leak attacks against Ukrainian systems.
The Killnet Group Identity
Killnet has a mostly negative image, judging by posts from threat actors in illicit communities. Other threat actors have accused the group of corruption, citing reports of steady transfers to Killnet’s cryptocurrency wallets following the invasion of Ukraine.
On forums such as XSS and Breach Forums, users referred to Killnet as “a group of 10th-grade schoolkids” and “a script kiddie Russian group,” respectively. A member of the top-tier forum Exploit even shared a database of alleged Killnet documents as a “lesson.” Killnet’s image in sophisticated cybercriminal circles remains unchanged, despite media appearances on outlets like RT.
The Users Behind the Group
Killmilk
The founder and chief of Killnet is known as “Killmilk,” an active member of the forum RuTor since October 2021. By their own account, Killmilk has been involved in various schemes since the age of fourteen, including extorting money online from “pedophiles,” a term that can also refer to closeted gay men.
Killmilk asserts that they began launching attacks on foreign websites in 2019 but faced financial setbacks due to cryptocurrency losses. In November 2021, Killmilk started offering DDoS services with an intensity of 200 GB per second.
Officially, Killmilk departed from the group in late July 2022. However, they still maintain strong connections with Killnet, often sharing messages and providing guidance as its founder.
BlackSide
In August 2022, the new leader of Killnet was identified as “BlackSide,” introduced as an administrator of a Russian hacker forum, likely the mid-tier Best Hack Forum. BlackSide is claimed to have experience in cryptojacking and ransomware operations.
However, as of February 2023, there is no verifiable evidence of a notable enhancement in the group’s capabilities or level of sophistication, despite claims of having executed several successful data exfiltration attacks. The group’s founder, Killmilk, still appears to control and direct Killnet’s activities.
A Firmly Pro-Kremlin Collective
Killnet considers the United States and its entities its primary adversaries and actively promotes data theft and disruptive attacks against them. The group has declared cyberwar on the governments of ten countries, including the US, UK, and Ukraine, which it aims to “liquidate,” while assuring that ordinary citizens face no threat.
No direct operational connection between Killnet and Russian state structures has been proven. However, their goals align with those of the Russian government. Killnet seeks support from the Russian parliament and the State Duma. Potential links between the Kremlin and Russian cyber threat groups targeting Ukraine have also been identified.
The group often reacts to the news cycle. It targets countries designated as unfriendly or enemies by the pro-Kremlin Russian media. A primary objective is to shape domestic perceptions of Russia’s position in the cyber warfare landscape. It also showcases DDoS capabilities through exposure and propaganda.
Killnet’s Structure
In an interview with the Russian news site Lenta, Killmilk claimed that the collective consists of “roughly 4,500 people.” These people are organized into various subgroups. These subgroups operate independently. They occasionally coordinate their activities. Killnet has also claimed to have 280 members in the US. It attributes an attack on Boeing to its US “colleagues.”
The core group of Killnet likely comprises members from a DDoS-for-hire group first seen on RuTor in October 2021. Attack coordination occurs in real time via Killnet’s Telegram channel, where “legions” are formed and dissolved depending on the targets or countries in focus.
Since February 2022, Killnet has been actively recruiting. This is to expand its support base. For example, in September 2022, a Killnet representative created a Telegram supergroup. The purpose was to recruit new members. Their recruitment drive targeted individuals with diverse skill sets. This included coders, network engineers, penetration testers, system administrators, and social engineers. This indicates the group’s desire to strengthen their team with a range of expertise.
Frequent Restructuring, Expanding, and Shrinking
Killnet has undergone reorganizations. Divisions become inactive over time. The DDoS group “Phoenix” was previously associated with Killnet. It is now regarded as a separate but allied group. Divisions such as “Mirai”, “Sakurajima” and “Zarya” gained operational independence. Zarya focused on attacks against Ukrainian networks.
Historically, the group “Legion-Cyber Intelligence” had operational control over Killnet’s subgroups and occasionally assigned them specific countries as targets. More recently, it has taken on an “intel-gathering” function.
Killnet has expanded its influence. It integrated at least fourteen smaller hacktivist groups, including “Anonymous Russia.” The “Killnet Collective” has been established as an umbrella organization for pro-Kremlin hacktivist groups.
The group firmly denies any affiliation or financial support from state-backed entities. Killnet asserts that funding comes from “enthusiasts and patriots.” However, assessments of the group indicate with high likelihood that they generate income through other services. DDoS-for-hire services and the sale of stolen data via data breaches are believed to be their main sources of revenue.
Infinity Forum
In November 2022, Killnet launched the Infinity forum. This was to structure discussions and foster cooperation among pro-Kremlin hacktivist groups and financially motivated threat actors. The forum was intended to be both a platform for collaboration and a marketplace for cybercrime tools and stolen data. In February 2023, Killmilk announced that Killnet would be selling the forum.
Black Skills
In March 2023, Killmilk announced the establishment of “Black Skills,” a Private Military Hacking Company. This was seen as an attempt to rebrand and structure the group, both to court the Russian government and to engage in cybercrime. The new identity seeks to establish a corporate image and attract clients for the group’s cyber mercenary activities.
In April, it was announced that Killnet would be officially ending its hacktivist activities. It would rebrand as Black Skills. According to the group, it will continue attacking Western entities. However, instead of doing so “altruistically,” it will instead take orders from private and public entities for money. Weeks later, Killnet called the move a “mistake” and retracted it.
Killnet’s Modus Operandi
Killnet employs a variety of methods in its operations, focusing primarily on DDoS attacks. Killmilk, the group’s founder, has claimed the capability to conduct massive 2.4 Tbps DDoS attacks using a predominantly foreign botnet in which Russian devices comprise no more than 6 percent.
In addition to DDoS attacks, Killnet takes credit for data exfiltration from targeted networks, including high-ranking officials’ email inboxes and bank data. One tool used by Killnet is “CC-Attack,” a publicly available attack script shared in its Telegram channel and likely authored by an unrelated student in 2020. The script automates the use of open proxy servers and incorporates randomization techniques to evade signature-based defenses. The CC-Attack toolkit requires minimal expertise and offers three layer 7 attack types: GET flood, HEAD flood, and POST flood. It randomizes entities within HTTP requests, including the user-agent, the accept header, and POST data.
Killnet has also used several known DDoS scripts. These include “Aura-DDoS,” “Blood,” “DDoS Ripper,” “Golden Eye,” “Hasoki,” and “MHDDoS.” It uses these alongside its proprietary tools.
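The header randomization described above is also what gives this class of flood away in a web server’s own logs: a legitimate client reuses one User-Agent string, whereas a CC-Attack style client presents a different one on almost every request. The following detector is an added example written for this article, not code from Killnet’s tooling or from Flashpoint; the log lines, IP addresses (documentation ranges) and the thresholds `min_requests` and `ua_ratio` are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format. The sample lines below are constructed
# for this example; they are not captured Killnet traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [
    # One open-proxy source cycling GET/HEAD/POST with a fresh User-Agent per request.
    '203.0.113.10 - - [30/May/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"',
    '203.0.113.10 - - [30/May/2022:10:00:01 +0000] "HEAD / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux) Firefox/88.0"',
    '203.0.113.10 - - [30/May/2022:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.10 - - [30/May/2022:10:00:02 +0000] "GET /?q=8f2a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '203.0.113.10 - - [30/May/2022:10:00:02 +0000] "GET /?q=c19d HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 6.1)"',
    '203.0.113.10 - - [30/May/2022:10:00:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 11) Chrome/91.0"',
    # A normal visitor: several requests, one consistent User-Agent.
    '192.0.2.5 - - [30/May/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"',
    '192.0.2.5 - - [30/May/2022:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"',
    '192.0.2.5 - - [30/May/2022:10:00:03 +0000] "GET /app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"',
    '192.0.2.5 - - [30/May/2022:10:00:04 +0000] "GET /logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"',
    '192.0.2.5 - - [30/May/2022:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"',
]

def parse_line(line):
    # Return the fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def profile_clients(lines):
    """Per source IP: request count, distinct User-Agent strings, method mix."""
    stats = defaultdict(lambda: {"requests": 0, "uas": set(), "methods": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["uas"].add(rec["ua"])
        s["methods"][rec["method"]] += 1
    return stats

def flag_flood_sources(lines, min_requests=5, ua_ratio=0.5):
    """Return {ip: reason} for clients with at least min_requests requests whose
    share of distinct User-Agent strings is >= ua_ratio, i.e. a client that is
    rotating headers on most requests rather than behaving like one browser."""
    flagged = {}
    for ip, s in profile_clients(lines).items():
        if s["requests"] < min_requests:
            continue
        distinct_ratio = len(s["uas"]) / s["requests"]
        if distinct_ratio >= ua_ratio:
            methods = ",".join(f"{m}={n}" for m, n in sorted(s["methods"].items()))
            flagged[ip] = f"{s['requests']} requests, {len(s['uas'])} distinct User-Agents ({methods})"
    return flagged

if __name__ == "__main__":
    for ip, reason in flag_flood_sources(SAMPLE_LOG).items():
        print(ip, reason)
```

In production the same aggregation would run over a sliding time window per source, since the open proxies the script relays through each contribute only a slice of the total request rate.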
A Killnet Attack in Action
The Italian Computer Security Incident Response Team (CSIRT) observed one notable Killnet attack on May 30, 2022. The attack lasted over ten hours, peaked at 40 Gbps, and consisted of three phases. The initial phase involved TCP SYN, UDP, and TCP SYN/ACK amplification attacks, as well as DNS amplification and IP fragmentation attacks. The second phase mirrored the intensity of the first, featuring IP fragmentation attacks followed by the aforementioned attack types, but without DNS amplification. The last and longest phase showed a lower frequency, alternating between volumetric attacks and state-exhaustion attacks.
CSIRT identified specific techniques employed by Killnet during its attacks, including ICMP flood, IP fragmentation, TCP SYN flood, TCP RST flood, TCP SYN/ACK, NTP flood, DNS amplification, and connectionless LDAP (CLDAP) attacks.
Killnet has also been observed using slow POST DDoS attacks against Italian government sites. It employs a continuous stream of incomplete HTTP requests to tie up server resources.
Researchers at Forescout confirmed the group’s preference for brute-forcing credentials on TCP ports 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH), using honeypot servers and monitoring IP addresses associated with Killnet. They also confirmed its use of SSH tunneling. The observed attacks comprised 381 instances from 58 IP addresses; 56 of them were dictionary attacks targeting common default credentials.
Forescout noted that IP addresses not involved in dictionary attacks sustained their attacks for a maximum of three days, indicating varied goals associated with each IP address. During SSH sessions, the attackers attempted to create a proxy towards “google[.]com” by establishing SSH tunnels. Targeted attacks on FTP ports suggested reconnaissance efforts: the threat actors repeatedly used the SYST command, which returns the server’s system type.
In December 2022, Killnet shared a script hosted on GitHub. This encouraged its followers to deface websites. This indicates its potential inclination towards such attacks.
In January 2023, researchers at Radware identified the “Passion” botnet as one of the tools employed by Killnet in attacks against medical institutions. The botnet maintained a Telegram channel named “PASSION BOTNET CHAT.” This was present in Flashpoint collections.
After successfully executing an attack, Killnet frequently uses check-host[.]net to verify and confirm the operation on its official Telegram channel.
Notable Killnet Attacks
Killnet has targeted numerous organizations and institutions, with heightened activity since February 2022.
Attacks on Medical Institutions
Killnet initiated a widespread campaign, collaborating with multiple hacktivist groups, to target healthcare institutions in Western countries, particularly the United States. The Phoenix hacktivist group claimed responsibility for impacting two hospitals in the US. Killnet shared lists of hospitals’ websites on their Telegram channel, calling for a massive attack on the US healthcare system.
Attack on Germany
Killnet spearheaded a DDoS campaign against German websites after Germany’s decision to send Leopard tanks to Ukraine. Sixteen pro-Kremlin hacktivist groups joined the attack, although its impact remained low.
Attacks on dark web markets
Killnet played a role in an ongoing conflict between Dark Web markets following law enforcement takedowns of Hydra Market, a dominant Russian-run market. Killnet supported WayAWay and attacked RuTor, a major forum allied with OMGOMG. The group justified its attacks on Dark Web markets as a stance against narcotics trade. However, financial motivations and ideological justifications were also identified.
Attacks on European institutions
Killnet targeted the website of the European Parliament after the institution recognized Russia as a state sponsor of terrorism. The attack briefly made the Parliament’s website unavailable. They also attacked Belgium’s Cybersecurity Center after an investigation was opened against the group due to the attack on the European Parliament.
Attacks on US websites
Killnet has claimed responsibility for various attacks on US government websites. They targeted the National Geospatial-Intelligence Agency, US tax resources, government websites of several states, airports (including O’Hare International Airport), and a major US bank. While these attacks caused visibility issues, they had limited impact on operations.
Attacks on Lithuania and the US
Killnet has conducted DDoS attacks on Lithuanian government and private institutions. It demanded the reinstatement of transit routes between the Russian exclave of Kaliningrad and the rest of Russia. Killnet also threatened the US energy and financial sectors. It claimed it could conduct similar attacks in five US states or European countries simultaneously.
These notable attacks provide a glimpse into Killnet’s activities. It targets various sectors and countries. The group’s motivations range from geopolitical disputes and ideological justifications to financial interests and opposition against specific industries.
The Future of Killnet
Killnet, despite its nationalistic agenda, is primarily driven by financial motives. It uses the eager support of the Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services. Killnet has also partnered with several botnet providers, as well as the Deanon Club. This partner threat group helped Killnet create Infinity Forum. They target narcotics-focused darknet markets.
There is no evidence of Killnet acquiring more sophisticated tactics. However, its recent shift towards becoming paid “cyber mercenaries” raises concerns. This move could serve as a blueprint for other groups seeking to monetize their activities. Formerly associated groups like Phoenix, AKUR, and Legion have already made clear strides towards cybercrime. Phoenix established a Telegram channel for advertising and selling unauthorized access and exfiltrated data. Legion created its own private military hacking company.
The extent of the connection between pro-Kremlin hacktivist groups and Russian security services remains uncertain and likely varies. Earlier reports from Mandiant linked XakNet and the Cyber Army of Russia to Russian security services, suggesting that these groups acted as fronts for sharing information illegally obtained by state-backed entities. This arrangement allowed the groups to gain fame while providing plausible deniability for state actors. A more pronounced shift towards cybercrime could lead to state-backed groups using “cyber mercenaries” as proxies to probe the cyber defenses of Western organizations. The interest in such arrangements is evident, as demonstrated by ransomware attacks on Polish logistics companies in late 2022 that were attributed to Russian APT groups.
Killnet has shown interest in such arrangements as long as they bring financial gains. This indicates a future trajectory for the group.
Frequently Asked Questions (FAQ)
Q: What is Killnet, and what is its primary motivation?
A: Killnet is a high-visibility, pro-Kremlin hacktivist collective. It is primarily motivated by financial gain through DDoS-for-hire services and data sales. However, it also uses strong ideological alignment with the Russian government’s narrative.
Q: What are Killnet’s main attack methods?
A: Killnet’s primary method of attack is Distributed Denial-of-Service (DDoS) attacks. It also engages in data exfiltration. The group uses simple tools like the publicly available “CC-Attack” script, which requires minimal expertise.
Q: Why is understanding Killnet important for organizations?
A: Understanding Killnet is important because the group targets entities in countries supporting Ukraine, including critical infrastructure. Its shift toward becoming paid “cyber mercenaries” sets a trend that could see state-backed actors using such groups as proxies to attack Western organizations.
