KillNet Group

KillNet is a Russia-aligned hacktivist group that gained notoriety during the first month of the Russian-Ukraine conflict when they began a widespread—although relatively unsophisticated—campaign of Distributed Denial of Service (DDoS) attacks, political rhetoric, and misinformation. KillNet's self-proclaimed anti-war axiom states that their primary targets are supporters of Ukraine, including NATO countries and their allies. Although KillNet's ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group is considered a threat to critical infrastructure by a multi-national joint cybersecurity advisory. 

KillNet is the most active of more than one hundred cyber mercenary groups spawned from the Russian-Ukraine proxy cyberwar. KillNet’s tactics have consisted chiefly of nuisance-level DDoS attacks against critical infrastructure, airport websites, government services, and media companies within NATO countries, including the U.S., Canada, Australia, Italy, and Poland, as well as Ukrainian supporters in practically all Eastern European, Nordic, and Baltic countries. 

KillNet’s attacks do not employ particularly sophisticated tools or strategies. While DDoS attacks are typically accompanied by extortion, KillNet cyberattacks don’t include ransom demands. In most instances, KillNet’s attacks have caused only short-term downtime, or less: Though KillNet claimed to have compromised Lockheed Martin’s servers and stolen sensitive data, the U.S. military contractor never confirmed it.

KillNet also stages an aggressive and rhetorical misinformation campaign for its 90,000 Telegram subscribers. This has included publicly mocking its DDoS victims and even threatening that their attacks will cause loss of human life (in contradiction to their so-called anti-war tenet). 

KillNet was designated a terrorist organization by the Latvian government after taking credit for a cyberattack that temporarily crippled the nation’s parliamentary web services. The group has also spatted publicly with the hacktivist group Anonymous.

KillNet has a structured organizational hierarchy and is believed to have worked in tandem with other pro-Russian hacktivist groups, including XakNet Team. In July 2022, KillNet leader Killmilk posted to social media that he was stepping away from the group to recruit a new group; a hacker dubbed Blackside—a self-proclaimed black hat hacker specializing in ransomware, phishing, and crypto theft—was announced to be the new head of the group.

KillNet strongly prefers DDoS attacks and brute-force dictionary attacks against public-facing services. A DDoS attack does not require the attacker to gain access to a target’s network to install malware. Instead, it floods a target service with malicious connection requests, causing resource exhaustion. In its brute force credential attacks, KillNet uses predefined wordlists to hunt for exposed services that seek to exploit default or weak passwords. Neither of these tactics demonstrates a high degree of sophistication.

Primary KillNet Tactics

• DDoS attacks on OSI model layer 4 (SYN flood attacks) and layer 7 (high volume POST/GET requests) to cause resource exhaustion and system failure
• Brute-force dictionary attacks against FTP (port 21), HTTP (port 80), and HTTPS (port 443) services
• Brute-force dictionary attacks against SSH (port 22) that primarily target the root account
• Brute-force dictionary attacks against Minecraft and TeamSpeak servers

Defending against a KillNet attack depends on two primary defensive tactics:

1. Enforcing strong password policies which can withstand basic brute-force credential attacks
2. Preparing to defend against DDoS attacks

Defensive tactics to defend against KillNet’s offensive strategies include:

• Require strong passwords and multi-factor authentication (MFA) for all remote access services and ensure all default passwords are changed
• Preemptively block KillNet’s brute force credential attacks by blocklisting known KillNet IP addresses
• Utilize a Demilitarized Zone (DMZ) for public-facing servers and employ robot detection and per-connection rate limiting to deter short-term resource exhaustion attacks 
• Minimize public-facing attack surfaces by configuring strong firewall policies and removing all unrequired services
• Configure web servers and APIs with security modules to optimize performance during a traffic spike
• Purchase DDoS mitigation services from an Internet Service Provider (ISP), Content Delivery Network (CDN), or Web-Application Firewall (WAF) provider
• Subscribe to cyber threat intelligence feeds that monitor dark web communication to identify and predict potential risks to your organization and industry
• Stress test all critical services for their ability to handle resource exhaustion attacks
• Prepare and practice Incident Response Plans (IRP) to prepare for managing temporary service downtime