At the beginning of October last year, a number of websites under the control of the German government, including those of the office of the German Chancellor – Olaf Scholz, the German military, and the German Ministry of Defense were targeted in a Distributed Denial of Service attack (DDoS).
The attacks were claimed by the pro-Russian “Killnet” group, which specializes in “overload attacks” – a catch-all phrase for different types of DDoS events.
These attacks weren’t the first ones for the group, a few weeks before, the hackers also targeted systems in Romania, the United States, Estonia, Poland, and the Czech Republic as well as a number of NATO run websites.
Who are Killnet?
Nothing was publicly known of the group calling itself Killnet until approx. March 2022 when a Five-Eyes1 warning was released about attacks on critical infrastructure by Russian-aligned groups, including one calling itself Killnet.
1An intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States.
KillNet is the most active of more than one hundred cyber mercenary groups spawned from the Russian-Ukraine proxy cyberwar.
KillNet conducts an aggressive and rhetorical misinformation campaign for its 90,000 Telegram subscribers which has included mocking its DDoS victims. They work in an emotional way, seeking revenge and retaliation against the wrongs they believe have been dealt against Russia and its people.
It is assumed KillNet has a structured organisational hierarchy and is believed to have worked with other pro-Russian hacktivist groups, including XakNet Team.
In July 2022, KillNet leader – Killmilk posted to social media that he was stepping away from the group to recruit a new group and a hacker dubbed Blackside—a self-proclaimed black hat hacker specializing in ransomware, phishing, and crypto theft—was announced to be the new head of the group.
This new regime might see a shift in KillNets attacks from simple DDoS ones to more devastating Ransomware attacks
Fast-gained notoriety
In the short time of their existence, they have been responsible for a number of attacks across the Internet.
- Romania
- Killnet were behind attacks on Romanian government websites from 29 April 2022 to 1 May 2022
- Moldova
- Following explosions in unrecognized Transnistria, the Information and Security Service of the Republic of Moldova reported that the pro-Killnet hacking group had launched a series of cyberattacks from abroad against websites of Moldovan official authorities and institutions. This was days after the attack on Romanian websites
- Czech Republic
- Killnet claimed responsibility for attacks on Czech state institution web sites in April 2022.[5]
- Italy
- The websites of the Istituto Superiore di Sanità and the Automobile Club of Italy were attacked on 14 May 2022 The Italian Senate website was also attacked and blocked for an hour in the same attack.
- Attack on Eurovision 2022
- Killnet hackers are suspected of having made an attempt to block the Eurovision Song Contest website during Ukraine’s performance at the 2022 contest with a DDoS attack, which was blocked by the Italian state police, however, the group denied on their Telegram channel that their attack had failed. They subsequently attacked the state police web site. Following the attack, they threatened to attack 10 European countries, including Italy.
- Lithuania
- The group claimed responsibility for a DDoS attack against Lithuanian network infrastructure. They said that the cyber attack on Lithuania was in retaliation for it stopping transit of goods to Russia’s Kaliningrad exclave.
- Norway
- The group targeted Norwegian organizations through various DDoS attacks on June 28, 2022
- Latvia
- Killnet targeted Latvia’s public broadcaster in the largest cyberattack in the country’s history. The broadcaster said the attack was repelled.
- United States
- On 1 August 2022, the group, and its founder called “Killmilk” claimed responsibility for a cyber-attack on the American defence corporation Lockheed Martin, as a retaliation for the HIMARS systems supplied by U.S. to Ukraine. The group said that the Lockheed Martin “is the actual sponsor of world terrorism” and that “is responsible for thousands and thousands of human deaths.” Shortly before the attack, the group announced it will carry out a new type of cyber-attack, different from their DoS and DDoS cyber-attacks carried out before. Killmilk said the attack targeted Lockheed Martin’s production systems as well as informations about the company’s employees for them to be “persecuted and destroyed around the world!”.
- Several US airport websites were attacked on 10 October 2022.
- Japan
- On September 6, 2022, Killnet announced that it had attacked 23 websites of four ministries and agencies, as well as the social network service “mixi”. On September 7, they also posted a video declaring war on the Japanese government and announced that they had attacked the Tokyo Metro and Osaka Metro.
- Georgia
- According to the Twitter post published by the threat research firm CyberKnow, Killnet and their founder, Killmilk threatened that they would attack the Georgian government if it continues to work against the Russian Federation
- Germany
- On January 26, 2023, the German Federal Office for Information Security (BSI) announced that a wide-ranging DDoS attack against various agencies and companies in Germany was taking place .
According to the BSI, websites from airports were particularly affected, as well as those of companies in the financial sector and those of the federal and state administrations. The attacks had been announced in advance by Killnet, supposedly as retaliation for the German government’s decision to send Leopard 2 battle tanks to the Ukraine.
- February 16, 2003 A large number of German airports had their websites taken offline in a coordinated DDoS attack which lasted for just over an hour.
Airports in Düsseldorf, Hanover, Dortmund, Erfurt, Nuremberg and Baden-Baden were all affected
- On January 26, 2023, the German Federal Office for Information Security (BSI) announced that a wide-ranging DDoS attack against various agencies and companies in Germany was taking place .
Gaining support
Killnet have been actively attacking anyone who supports Ukraine or has an anti-Russian view for almost 12 months now and have been dedicated to their cause.
During that time, they have had the time to build experience and increase their circle of influence across affiliate pro-Russian hacktivist groups which means that they are likely going to gain more support from other like-minded hacktivists in Russia and elsewhere, and possibly even fuel investments into its operations from others, making them more dangerous in the process.
KillNet also seem to have a bit of a cult following which includesa song in the gang’s honor, titled “KillnetFlow (Anonymous diss)” by a Russian rapper, and the sale of Killnet-related jewelry by a Moscow-based jewelry maker called HooliganZ.
Killnet have also received approx. $44,000 worth of financial support from a Dark Web marketplace called Solaris to help bolster their efforts.