KillNet: Who, What, Where, Why, How
KillNet is a pro-Russian hacktivist group that has made headlines in 2022 due to its attacks against governments and organizations in several countries that have sided with Ukraine in the Russia-Ukraine war. It commonly uses DDoS attacks to make websites unavailable for hours.
Who?
From January, 2002 until Russia’s invasion of Ukraine in February, 2022, KillNet was the name of a DDoS tool available on the dark web. Once the war began, the group that distributed the KillNet software became a hacktivist group, adopting the name KillNet for itself.
The group sides with Russia in the war, and attacks governments and organizations in countries that have sided with Ukraine. So far, these have been in Europe and the US.
KillNet has launched DDoS attacks against several government websites in Romania, the Czech Republic, Estonia, Germany, Poland, Italy, Latvia, Ukraine, and Japan. They’ve also hit government websites in the US states Colorado, Kentucky, and Mississippi.
The group has also defaced and launched DDoS attacks against the websites of airports in Atlanta, Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, and Missouri.
A group named Legion seems to be a subgroup of KillNet, and it has attacked organizations in Norway and Lithuania. The Legion has its own subgroups called squads, and these have targeted organizations in financial services, transportation, law enforcement, and technology, whereas KillNet has focused on government entitites.
KillNet doesn’t appear to have highly sophisticated capabilities, based on their operations and communications. They’ve been able to take websites down for hours using DDoS attacks, but haven’t done greater damage. It doesn’t appear that they use or develop custom tools.
It appears that KillNet is acting independently of the Russian government. The group has said that “[they] are not a state structure, [and their] activities are not paid by the President of the Russian Federation.” They have also requested donations, and have said that they are financed by enthusiasts and patriots who “have nothing to do with the authorities.” Even if they aren’t part of the Russian government, their messaging closely matches official Russian messaging.
What?
KillNet uses large-scale DDoS attacks to overwhelm web servers and make targeted websites unavailable for hours. It has also defaced websites.
These websites have belonged to governments and businesses in Europe, the US, and Japan, as well as US airports.
The attacks have not caused long-term damage.
Where?
Based on their loyalty to Russia and use of the Russian language, it seems likely many KillNet members are Russian, though the group frequently invites volunteers from around the world to join them in their attacks.
Why?
Hacktivists are motivated by ideology, and KillNet is motivated by its support for Russia against Ukraine and its allies. KillNet’s attacks are meant to impede efforts by Ukraine’s allies to support it with weapons and equipment, and to damage the economies of countries that have sanctioned Russia and aided Ukraine.
KillNet attacked Japanese public institutions and businesses after a dispute over the Kuril Islands.
The group’s attacks on American civilian targets, such as US airport websites, are intended to disrupt travel and everyday activities and thus annoy American citizens, so that those citizens will turn against the US government.
How?
KillNet communicates via several Telegram channels, which have over 100,000 subscribers. It announces its plans and invites subscribers to join in its attacks, listing domains and IP addresses of its targets.
The group also recruits via Telegram, seeking programmers, DDoS operators, and penetration testers.
The group uses botnets of hundreds of thousands of machines infected with Mirai malware to send huge amounts of traffic in its DDoS attacks. Analysts have also observed mentions of an “Aura DDoS” tool.
When KillNet attacked Italy, it used Mirai malware to perform a DDoS attack using a method known as Slow HTTP, which sends one HTTP request at a time to web servers, and sets the request at a very slow transmission rate or makes the request incomplete. When the server starts receiving the request, it allocates resources and waits for the remaining data. Once there are too many of these incomplete requests, the server runs out of resources and can’t serve anyone else, making the website inaccessible.
