Final Act? Killnet Rallies Attackers to DDoS NATO Targets

While much of the world anticipated hunts for colored eggs, chocolate bunnies and family dinners on Sunday, Black Kite was busy sounding the alarm about an expected swan song from Killnet that could involve “high-impact” DDoS attacks on NATO critical infrastructure targets.

“A serious and potentially highly damaging cybersecurity threat has been announced by a threat actor group called Killnet,” Ferhat Dikbiyik, head of research at Black Kite, wrote in a company blog post. “They have publicly stated their intention to carry out what they claim to be their ‘last’ and most impactful attack on NATO targets tomorrow, utilizing their notorious DDoS attack capabilities.”

Black Kite referred to a post purportedly from Killnet that said, “Glory to Russia, let this be the last Killnet attack, and we will all be killed and jailed after this event – but know one thing, brothers and sisters: I am Russian, my people are Russian – we are for you, we are for Russia – f*** all the infidels!!”

The poster added, “We suddenly appeared, and we will also suddenly leave! WE ARE KILLNET!!!”

The group also tried to drum up support from other black hat hackers. It asked organizations that support them to post a #F***Nato hashtag on their channels. “All hack groups should expect direct target notification on the official @killnet_reservs within 48 hours!” according to one post. “All hacktivists and simple observers need to remain calm? We declare everyone who is subscribed to [the hackers’ official site] hacktivists (supporting our activities)[.] All who are here, multinational people–you are all Killnet!”

In a separate blog post on Medium, Dikbiyik noted that Killnet “has become popular with its influence on other groups for organized DDoS attacks. They organize in Killnet’s Telegram channel, not only for cyberattack coordination but also as a propaganda machine.”

That channel, called We Are Killnet, has swelled to more than 90,000 followers. “It seems that they only conduct DDoS attacks, at least under the name of Killnet,” he wrote.

But while the group will sometimes claim “to possess sensitive data,” Dikbiyik said, “We know that they can exaggerate for the sake of propaganda and [there is] not solid evidence provided for the stolen data.”

Noting that Killnet is “well-known for its attacks on critical infrastructure, health care organizations, airports and public institutions,” Dikbiyik said, “There is a high probability that similar targets will be affected by their upcoming campaign.”

During the first half of 2022, many other criminal groups did join with Killnet in its malicious activities.

“They orchestrated attacks on public institutions in western countries, airports such as the Bradley Airport attack in March, the Eurovision song contest, defense contractors and many others,” Dikbiyik wrote on Medium.

“They announced they would target the health care industry in western countries, including the U.S., and published a hit list. The initial list of U.S. targets was 50 organizations in 50 states on January 31, 2023,” he said. “They updated the list on Feb 2 by adding more organizations. There are hospitals right here in Boston on the target list.”

In the Black Kite blog, the researchers pointed to a poll Killnet recently conducted on its Telegram channel that asked followers to weigh in on whether they should target NATO. “With over 178,000 people voting ‘Yes,’ the group has declared their intention to proceed with the attacks in a series of messages today (April 8), emphasizing the potential harm of their upcoming campaign tomorrow (April 9),” Dikbiyik wrote.

“As cybersecurity professionals, we must remain vigilant and prepare for these potential high-impact DDoS attacks on critical infrastructure and organizations associated with NATO,” he said.

To guard against Killnet attacks, Dikbiyik recommended that organizations:

– Obtain DDoS mitigation services (ISP, CDN, WAF).

– Blacklist known Killnet-related IP addresses.

– Enable DMZ for internet-facing entities.

– Employ web bot detection techniques.

– Monitor DDoS resiliency and configurations.

– Optimize web servers and APIs with security modules.

– Perform stress tests on critical services.

– Have secondary systems in a different subnet.


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a master’s degree in journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
