Within the realm of digital warfare, the threat actor group known as “Killnet” has established itself as a high-visibility force. One of the most active and ambitious pro-Kremlin hacktivist collectives, Killnet’s volatility has intensified since Russia’s invasion of Ukraine.
While Killnet demonstrates persistence, it is also notably fickle. The group constantly seeks new avenues for expansion, evolves its tactics, and captures attention through its “army of cyber partisans.” It is aided by pro-Kremlin media outlets eager to deliver storylines that align with the Russian government’s narrative. Alongside its pursuit of financial gain, Killnet’s alignment with pro-Kremlin ideological motives has driven the collective since the start of the Russia-Ukraine conflict.
Understanding the inner workings of a prominent group like Killnet is vital for organizations aiming to grasp the broader cyber threat landscape. By unraveling the operations of Killnet, organizations can bolster their understanding and fortify their defenses against this evolving menace.
What is Killnet?
“Killnet” is a financially- and ideologically-motivated threat group, likely based in Russia, that has committed distributed denial-of-service (DDoS) and data exfiltration attacks against Western entities and Dark Web markets.
First emerging in October 2021, Killnet initially offered for-hire DDoS attacks. Flashpoint observed the first ads posted by the group about its for-hire DDoS service in January 2022 on various Russian-language illicit forums.
Following Russia’s February 2022 invasion of Ukraine, however, the collective started conducting, threatening, and taking responsibility for attacks on networks in Ukraine and in countries seen as supporting Ukraine. The group openly pledged allegiance to Russia, particularly in the context of the war. Killnet has stated its disdain toward NATO and Western weapons shipments to Ukraine.
Since February 2022, Killnet has targeted both state-owned and private websites. The group has also attacked networks in countries that provide assistance to Ukraine, or who have supported sanctions against Russia. The group’s associates have also perpetrated hack-and-leak attacks against Ukrainian systems.
The Killnet group identity
Killnet has a mostly negative image based on posts from threat actors in illicit communities. Other threat actors have accused the group of corruption due to reports of steady transfers to Killnet’s cryptocurrency wallets following the invasion of Ukraine.
On forums such as XSS and Breach Forums, users referred to Killnet as “a group of 10th-grade schoolkids” and “a script kiddie Russian group,” respectively. A member of the top-tier forum Exploit even shared a database of alleged Killnet documents as a “lesson.” Despite media appearances on outlets like RT, Killnet’s image in sophisticated cybercriminal circles remains unchanged.
The users behind the group
The founder and chief of Killnet, known as “Killmilk,” has been an active member of the forum RuTor since October 2021. By their own account, Killmilk has been involved in various schemes since the age of fourteen, including extorting money online from “pedophiles,” a term that in this context can also refer to closeted gay men.
Killmilk asserts that they began launching attacks on foreign websites in 2019 but suffered financial setbacks due to cryptocurrency losses. In November 2021, Killmilk started offering DDoS services with an advertised capacity of 200 Gbps.
Officially, Killmilk departed from the group in late July 2022. However, they still maintain strong connections with Killnet, often sharing messages and providing guidance as the founder.
In August 2022, “BlackSide” was identified as the new leader of Killnet. BlackSide was introduced as an administrator of a Russian hacker forum, likely the mid-tier Best Hack Forum, and is claimed to have experience in cryptojacking and ransomware operations.
However, as of February 2023, there is no verifiable evidence of a notable improvement in the group’s capabilities, nor of any increase in its sophistication, despite claims of several successful data exfiltration attacks. The group’s founder, Killmilk, still appears to control and direct Killnet’s activities.
A firmly pro-Kremlin collective
Killnet considers the United States and its entities their primary adversaries. They actively promote data theft and disruptive attacks against them. The group has declared cyberwar on the governments of ten countries, including the US, UK, and Ukraine. Killnet aims to “liquidate” these governments while assuring no threat to ordinary citizens.
Although no direct operational connection between Killnet and Russian state structures has been proven, their goals align with those of the Russian government. Killnet seeks support from the Russian parliament and the State Duma. Potential links between the Kremlin and Russian cyber threat groups targeting Ukraine have also been identified.
The group often reacts to the news cycle, targeting countries designated as unfriendly or enemies by the pro-Kremlin Russian media. A primary objective is to shape domestic perceptions of Russia’s position in the cyber warfare landscape, while also showcasing DDoS capabilities through exposure and propaganda.
In an interview with the Russian news site Lenta, Killmilk claimed that the collective consists of “roughly 4,500 people” organized into various subgroups. While these subgroups operate independently, they occasionally coordinate their activities. Killnet has also claimed to have 280 members in the US, attributing an attack on Boeing to their US “colleagues.”
The core group of Killnet likely comprises members from a DDoS-for-hire group first seen on RuTor in October 2021. Attack coordination occurs in real-time via Killnet’s Telegram channel. “Legions” are formed and dissolved depending on the focus of specific targets or countries.
Since February 2022, Killnet has been actively engaging in recruitment efforts to expand its support base. For example, in September 2022, a Killnet representative created a Telegram supergroup for the purpose of recruiting new members. Their recruitment drive targeted individuals with diverse skill sets—including coders, network engineers, penetration testers, system administrators, and social engineers. This indicates the group’s desire to bolster their team with a range of expertise.
Frequent restructuring, expanding, and shrinking
Killnet has undergone reorganizations, with divisions becoming inactive over time. While the DDoS group “Phoenix” was previously associated with Killnet, it is now regarded as a separate but allied group. Divisions such as “Mirai”, “Sakurajima” and “Zarya” gained operational independence, with Zarya focusing on attacks against Ukrainian networks.
Historically, the group “Legion-Cyber Intelligence” had operational control over Killnet’s subgroups, occasionally assigning them specific countries as targets. More recently, it has taken on an “intel-gathering” role.
Killnet has expanded its influence by integrating at least fourteen smaller hacktivist groups, including “Anonymous Russia.” The “Killnet Collective” has been established as an umbrella organization for pro-Kremlin hacktivist groups.
The group firmly denies any affiliation with, or financial support from, state-backed entities, asserting that its funding comes from “enthusiasts and patriots.” It is highly likely, however, that the group generates income through other services: DDoS-for-hire and the sale of data stolen in breaches are believed to be its main sources of revenue.
In November 2022, Killnet launched the Infinity forum to structure discussions and foster cooperation among pro-Kremlin hacktivist groups and financially motivated threat actors. The forum was intended to be both a platform for collaboration and a marketplace for cybercrime tools and stolen data. In February 2023 it was announced by Killmilk that Killnet would be selling the forum.
In March 2023, Killmilk announced the establishment of “Black Skills,” a self-styled “Private Military Hacking Company.” This was seen as an attempt to rebrand and formalize the group, pitching its services to the Russian government while continuing to engage in cybercrime. The new identity seeks to project a corporate image and attract clients for cyber-mercenary work.
In April 2023, Killnet announced that it would officially end its hacktivist activities and rebrand as Black Skills. According to the group, it would continue attacking Western entities, but instead of doing so “altruistically” it would take paid orders from private and public entities. Weeks later, Killnet called the move a “mistake” and retracted it.
Killnet’s modus operandi
Killnet employs a variety of methods, focusing primarily on DDoS attacks. Killmilk has claimed the ability to conduct DDoS attacks of up to 2.4 Tbps using a predominantly foreign botnet, with Russian devices comprising no more than 6 percent of it.
In addition to DDoS attacks, Killnet also takes credit for data exfiltration from targeted networks, including high-ranking officials’ email inboxes and bank data. One tool used by Killnet is “CC-Attack,” a publicly available attack script shared in its Telegram channel. The script, likely written by an unrelated student in 2020, automates the use of open proxy servers and randomizes request contents to evade signature-based defenses. It requires minimal expertise and offers three layer 7 (HTTP) attack types: GET flood, HEAD flood, and POST flood. Each request is varied by randomizing fields such as the User-Agent header, the Accept header, and the POST body, so that requests from one source do not share a fixed, matchable pattern.
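The per-request randomization described above is also what gives this kind of traffic away on the defender’s side. The following Python script is an added example, not code from the original article or from CC-Attack itself: it parses web-server access logs in the common “combined” format and flags any source address that sends a burst of requests while rotating through many User-Agent strings, then labels the burst as a GET, HEAD, or POST flood by the dominant method. The sample log lines are constructed for the example using RFC 5737 test addresses, and the thresholds (20 requests in 60 seconds, five distinct agents) are assumptions to be tuned against real baseline traffic.

```python
"""Flag clients whose HTTP traffic looks like a CC-Attack-style layer 7 flood.

Heuristic used here (an assumption of this example, not a published Killnet
signature): a real browser sends the same User-Agent on every request, whereas
a flood script that randomizes headers per request yields many distinct
User-Agent strings from one source address within a short window.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "ua": m["ua"]}


def peak_requests(times, window_seconds):
    """Largest number of requests falling inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=60, min_requests=20, min_agents=5):
    """Group requests by source IP and flag sources that are both fast and
    cycle through many User-Agent strings. Returns {ip: summary} for flagged IPs."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:                      # silently skip lines that do not parse
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        peak = peak_requests([r["ts"] for r in recs], window_seconds)
        agents = {r["ua"] for r in recs}
        if peak < min_requests or len(agents) < min_agents:
            continue
        methods = Counter(r["method"] for r in recs)
        flagged[ip] = {"requests": len(recs), "peak_in_window": peak,
                       "distinct_agents": len(agents), "methods": dict(methods),
                       "flood_type": f"{methods.most_common(1)[0][0]} flood"}
    return flagged


def build_sample_log():
    """Constructed traffic for the example (RFC 5737 test addresses), not a capture."""
    base = datetime(2022, 5, 30, 10, 0, 0, tzinfo=timezone.utc)
    agents = [f"Mozilla/5.0 (Randomized {i}) AppleWebKit/537.36" for i in range(8)]

    def fmt(ip, ts, method, path, ua):
        return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'200 512 "-" "{ua}"')

    lines = []
    # Flood source: 40 requests in 40 s, rotating through eight User-Agents.
    for i in range(40):
        method = "POST" if i % 4 == 0 else "GET"
        lines.append(fmt("203.0.113.7", base + timedelta(seconds=i), method, "/", agents[i % 8]))
    # Legitimate client: 25 requests spread over 10 minutes, one User-Agent.
    for i in range(25):
        lines.append(fmt("198.51.100.20", base + timedelta(seconds=24 * i), "GET", f"/page/{i}", agents[0]))
    # Low-volume scanner: three requests, three agents, below the rate threshold.
    for i in range(3):
        lines.append(fmt("192.0.2.5", base + timedelta(seconds=i), "HEAD", "/", agents[i]))
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, summary in analyze(build_sample_log()).items():
        print(ip, summary)
```

Only the flood source is reported with the default thresholds: the legitimate client is just as “busy” over ten minutes but never exceeds the per-minute rate, and the three-request scanner rotates agents but is too quiet. Lowering both thresholds makes the scanner appear as well, which is the trade-off to keep in mind when tuning against a site whose real clients include CDNs or corporate proxies that legitimately present many User-Agents from one address.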
Killnet has also utilized several known DDoS scripts, including “Aura-DDoS,” “Blood,” “DDoS Ripper,” “Golden Eye,” “Hasoki,” and “MHDDoS,” alongside their proprietary tools.
A Killnet attack in action
One notable Killnet attack was observed by the Italian Computer Security Incident Response Team (CSIRT) on May 30, 2022. It lasted over ten hours, peaked at 40 Gbps, and unfolded in three phases. The first phase combined TCP SYN, UDP, and TCP SYN/ACK amplification attacks with DNS amplification and IP fragmentation attacks. The second phase matched the intensity of the first, opening with IP fragmentation and then repeating the same attack types without DNS amplification. The third and longest phase ran at lower intensity and alternated between volumetric attacks and state-exhaustion attacks.
CSIRT identified specific techniques employed by Killnet during its attacks, including ICMP flood, IP fragmentation, TCP SYN flood, TCP RST flood, TCP SYN/ACK flood, NTP flood, DNS amplification, and connectionless LDAP (CLDAP) attacks.
Killnet has also been observed using slow POST DDoS attacks against Italian government sites, sending a continuous stream of deliberately incomplete HTTP POST requests so that the server keeps connections open waiting for request bodies that never fully arrive, tying up its connection and worker resources.
Through honeypot servers and monitoring IP addresses associated with Killnet, researchers at Forescout confirmed the group’s preference for brute-forcing credentials on TCP ports 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH), as well as their use of SSH tunneling. The observed attacks included 381 instances from 58 IP addresses, with 56 of them being dictionary attacks targeting common default credentials.
Forescout noted that the IP addresses not involved in dictionary attacks sustained their activity for at most three days, suggesting that different IP addresses served different goals. During SSH sessions, the attackers attempted to set up SSH tunnels in order to proxy traffic toward “google[.]com.” Repeated use of the FTP SYST command, which returns the server’s operating system type, pointed to reconnaissance of the targeted FTP services.
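The honeypot observations above translate directly into triage logic. The following Python script is an added example, not Forescout’s tooling or the article’s own code: it reads honeypot events in a simple JSON-lines format that is assumed for this example, groups them by source address, and flags the three behaviours the text describes: credential dictionary attacks (many distinct username/password pairs, scored against a short list of common defaults), SSH port-forwarding requests that would turn the honeypot into a proxy, and FTP SYST reconnaissance. The sample events are constructed and use RFC 5737 test addresses; the dictionary threshold of ten distinct credential pairs is an assumption.

```python
"""Triage honeypot events for the Killnet behaviours Forescout described:
credential dictionary attacks, SSH tunnelling through the host, and FTP
reconnaissance via the SYST command.

Input is JSON lines with the fields used below. That schema is an assumption
of this example, not the log format of any particular honeypot.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Username/password pairs found in nearly every default-credential wordlist.
DEFAULT_CREDS = {("root", "root"), ("root", "toor"), ("root", "123456"),
                 ("root", "admin"), ("admin", "admin"), ("admin", "password"),
                 ("admin", "1234"), ("user", "user"), ("pi", "raspberry"),
                 ("ubuntu", "ubuntu"), ("test", "test"), ("guest", "guest")}


def parse_events(lines):
    """Decode JSON lines into dicts with an aware datetime; skip corrupt lines."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def triage(lines, dictionary_threshold=10):
    """Summarize activity per source IP and attach behaviour flags."""
    per_ip = defaultdict(lambda: {"services": set(), "failed": 0, "creds": set(),
                                  "default_hits": 0, "first": None, "last": None,
                                  "syst": False, "tunnels": []})
    for ev in parse_events(lines):
        s = per_ip[ev["src_ip"]]
        s["services"].add((ev["service"], ev["port"]))
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        if ev["event"] == "login_failed":
            pair = (ev["username"], ev["password"])
            s["failed"] += 1
            s["creds"].add(pair)
            s["default_hits"] += int(pair in DEFAULT_CREDS)
        elif ev["event"] == "ftp_command" and ev["command"].upper() == "SYST":
            s["syst"] = True            # SYST returns the server's OS type
        elif ev["event"] == "tcpip_forward":
            s["tunnels"].append(f'{ev["dst_host"]}:{ev["dst_port"]}')
    report = {}
    for ip, s in per_ip.items():
        flags = []
        if len(s["creds"]) >= dictionary_threshold:
            flags.append("dictionary")
        if s["syst"]:
            flags.append("ftp_recon")
        if s["tunnels"]:
            flags.append("ssh_tunnel")
        report[ip] = {
            "flags": flags,
            "services": sorted(s["services"]),
            "failed_logins": s["failed"],
            "distinct_creds": len(s["creds"]),
            "default_cred_ratio": s["default_hits"] / s["failed"] if s["failed"] else 0.0,
            "duration_days": (s["last"] - s["first"]).days,
            "tunnel_targets": s["tunnels"],
        }
    return report


def build_sample_events():
    """Constructed events for the example (RFC 5737 addresses), not real captures."""
    base = datetime(2023, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def ev(offset_s, src_ip, service, port, event, **extra):
        ts = (base + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
        return json.dumps({"ts": ts, "src_ip": src_ip, "service": service,
                           "port": port, "event": event, **extra})

    lines = []
    # 203.0.113.9: walks a default-credential list over SSH, then asks the
    # honeypot to forward a connection toward google.com once "logged in".
    for i, (user, pw) in enumerate(sorted(DEFAULT_CREDS)):
        lines.append(ev(5 * i, "203.0.113.9", "ssh", 22, "login_failed", username=user, password=pw))
    lines.append(ev(70, "203.0.113.9", "ssh", 22, "login_success", username="root", password="root"))
    lines.append(ev(75, "203.0.113.9", "ssh", 22, "tcpip_forward", dst_host="google.com", dst_port=443))
    # 198.51.100.33: returns once a day for three days and only issues SYST.
    for day in range(3):
        lines.append(ev(86400 * day, "198.51.100.33", "ftp", 21, "ftp_command", command="SYST"))
    # 192.0.2.44: two failed HTTPS logins with non-default passwords.
    lines.append(ev(0, "192.0.2.44", "https", 443, "login_failed", username="admin", password="Winter2023!"))
    lines.append(ev(9, "192.0.2.44", "https", 443, "login_failed", username="admin", password="Spring2023!"))
    lines.append("{not valid json")
    return lines


if __name__ == "__main__":
    for ip, summary in triage(build_sample_events()).items():
        print(ip, summary)
```

The default-credential ratio is the useful discriminator here: a source that hits 100 percent of a stock wordlist in order is running an off-the-shelf dictionary, while a low ratio with plausible, site-specific passwords suggests credential stuffing from a breach and deserves a different response. The tunnel target list is worth forwarding as-is, since a forwarding request to an external host from a freshly “compromised” honeypot is the clearest sign the attacker intends to use the box as a proxy rather than to loot it.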
In December 2022, Killnet shared a script hosted on GitHub that encouraged its followers to deface websites, indicating their potential inclination towards such attacks.
In January 2023, researchers at Radware identified the “Passion” botnet as one of the tools employed by Killnet in attacks against medical institutions. The botnet maintained a Telegram channel named “PASSION BOTNET CHAT,” which was present in Flashpoint collections.
After an attack, Killnet frequently posts results from check-host[.]net, a public site-availability checker, to its official Telegram channel as proof that the target was unreachable.
Notable Killnet attacks
Killnet has targeted numerous organizations and institutions, with heightened activity since February 2022.
Attacks on medical institutions
Killnet initiated a widespread campaign, collaborating with multiple hacktivist groups, to target healthcare institutions in Western countries, particularly the United States. The Phoenix hacktivist group claimed responsibility for impacting two hospitals in the US. Killnet shared lists of hospitals’ websites on their Telegram channel, calling for a massive attack on the US healthcare system.
Attack on Germany
Killnet spearheaded a DDoS campaign against German websites after Germany’s decision to send Leopard tanks to Ukraine. Sixteen pro-Kremlin hacktivist groups joined the attack, although its impact remained low.
Attacks on dark web markets
Killnet played a role in the ongoing conflict between Dark Web markets that followed the law enforcement takedown of Hydra Market, the dominant Russian-run market. Killnet sided with WayAWay and attacked RuTor, a major forum allied with OMGOMG. The group justified its attacks on Dark Web markets as a stance against the narcotics trade, although financial motives were identified alongside the ideological justification.
Attacks on European institutions
Killnet targeted the website of the European Parliament after the institution recognized Russia as a state sponsor of terrorism. The attack briefly made the Parliament’s website unavailable. They also attacked Belgium’s Cybersecurity Center after an investigation was opened against the group due to the attack on the European Parliament.
Attacks on US websites
Killnet has claimed responsibility for various attacks on US government websites. They targeted the National Geospatial-Intelligence Agency, US tax resources, government websites of several states, airports (including O’Hare International Airport), and a major US bank. While these attacks caused visibility issues, they had limited impact on operations.
Attacks on Lithuania and the US
Killnet has conducted DDoS attacks on Lithuanian government and private institutions. They demanded the reinstatement of transit routes between the Russian exclave of Kaliningrad and the rest of Russia. Killnet also threatened the US energy and financial sectors, claiming they could conduct similar attacks in five US states or European countries simultaneously.
These notable attacks provide a glimpse into Killnet’s activities, targeting various sectors and countries. The group’s motivations range from geopolitical disputes and ideological justifications to financial interests and opposition against specific industries.
The future of Killnet
Killnet, despite its nationalistic agenda, has primarily been driven by financial motives, using the eager support of the pro-Kremlin media ecosystem to promote its DDoS-for-hire services. Killnet has also partnered with several botnet providers as well as the Deanon Club, a partner threat group with which Killnet created the Infinity forum, to target narcotics-focused darknet markets.
While there is no evidence of Killnet acquiring more sophisticated tactics, their recent shift towards becoming paid “cyber mercenaries” raises concerns. This move could serve as a blueprint for other groups seeking to monetize their activities. Formerly associated groups like Phoenix, AKUR, and Legion have already made clear strides towards cybercrime. Phoenix established a Telegram channel for advertising and selling unauthorized access and exfiltrated data, while Legion created its own private military hacking company.
The extent of the connection between pro-Kremlin hacktivist groups and Russian security services remains uncertain and likely varies. Earlier reports from Mandiant linked XakNet and the Cyber Army of Russia to Russian security services, suggesting that these groups acted as fronts for releasing information illegally obtained by state-backed entities. This arrangement allowed the groups to gain fame while providing plausible deniability for state actors. A more pronounced shift towards cybercrime could lead to state-backed groups using “cyber mercenaries” as proxies to probe the cyber defenses of Western organizations. The interest in such arrangements is evident, as demonstrated by ransomware attacks on Polish logistics companies in late 2022 that were attributed to Russian APT groups.
Killnet has shown interest in such arrangements as long as they bring financial gains, indicating a future trajectory for the group.