Within the realm of digital warfare, the threat actor group known as “Killnet” has established itself as a high-visibility force. Emerging as one of the most active and ambitious pro-Kremlin hacktivist collectives, Killnet’s volatility has intensified since the onset of Russia’s invasion of Ukraine over a year ago.

While Killnet demonstrates persistence, it is also notably fickle. The group constantly seeks new avenues for expansion, evolving their tactics, and capturing attention using what they proclaim as their “army of cyber partisans” and the pro-Kremlin media eager to deliver storylines that align with the narrative of the Russian government. Alongside their pursuit of financial gain, Killnet’s notorious alignment with pro-Kremlin ideological motives has fueled their collective drive since the inception of the Russia-Ukraine conflict.

Understanding the inner workings of a prominent group like Killnet becomes vital for organizations aiming to grasp the broader cyber threat landscape. By unraveling the operations of Killnet, organizations can bolster their understanding and fortify their defenses against this evolving menace.

What is Killnet?

“Killnet” is a financially- and ideologically-motivated threat group, likely based in Russia, that has committed distributed denial-of-service (DDoS) and data exfiltration attacks against Western entities and Dark Web markets.

First emerging in October 2021, Killnet initially offered for-hire DDoS attacks. Flashpoint observed the first ads posted by the group about its for-hire DDoS service in January 2022 on various Russian-language illicit forums. 

Following Russia’s February 2022 invasion of Ukraine, however, the collective started conducting, threatening, and taking responsibility for attacks on networks in Ukraine and in countries seen as supporting Ukraine. The group openly pledged allegiance to Russia, particularly in the context of the war, and stated its disdain toward NATO and Western weapons shipments to Ukraine.

Since February 2022, Killnet has targeted both state-owned and private websites and networks in countries that provide assistance to Ukraine or have supported sanctions against Russia, often following such a decision. The group’s associates have also perpetrated hack-and-leak attacks against Ukrainian systems.

The Killnet group identity

Killnet has a mostly negative image based on posts from threat actors in illicit communities. Accusations of “corruption” were made by the RuTor user “DHL” due to reports of steady transfers to Killnet’s cryptocurrency wallets following the February invasion of Ukraine. 

On forums such as XSS and Breach Forums, users referred to Killnet as “a group of 10th-grade schoolkids” and “a script kiddie Russian group,” respectively. A member of the top-tier forum Exploit even shared a database of alleged Killnet documents as a “lesson.” Despite media appearances on outlets like RT, Killnet’s image in sophisticated cybercriminal circles remains unchanged.

The users behind the group

Killmilk

The founder and chief of Killnet, known as “Killmilk,” has been an active member of the forum RuTor since October 2021. According to their claims, Killmilk has been involved in various schemes since the age of fourteen, including extorting money from individuals they referred to as “pedophiles” online (although in context, the term can also refer to closeted gay men).

They assert that they began launching attacks on foreign websites in 2019 but faced financial setbacks due to cryptocurrency losses. In November 2021, Killmilk started offering DDoS services with an intensity of 200 GB per second, indicating access to a botnet at that time.

Officially, Killmilk departed from the group in late July 2022. However, they still maintain strong connections with Killnet, often sharing messages and providing guidance as the founder.

BlackSide

In August 2022, the new leader of Killnet was identified as “BlackSide.” BlackSide was introduced as an administrator of a Russian hacker forum, likely the mid-tier Best Hack Forum. It is claimed that BlackSide possesses experience in cryptojacking and ransomware operations. However, as of February 2023, there is no verifiable evidence indicating a notable enhancement in the group’s capabilities or level of sophistication, despite their claims of having executed several successful data exfiltration attacks. The group’s founder, Killmilk, seems to control and direct the activities of Killnet.

A firmly pro-Kremlin collective

Killnet considers the United States and US entities as their primary adversaries and actively promotes data theft and disruptive attacks against them. The group declared cyberwar on the governments of ten countries, including the US, UK, and Ukraine, aiming to “liquidate” these governments while assuring no threat to ordinary citizens. 

Although no direct operational connection between Killnet and Russian state structures has been proven, their goals align with those of the Russian government. Killnet has sought support from the Russian parliament, the State Duma, and potential links between the Kremlin and Russian cyber threat groups targeting Ukraine have been identified.

The group often reacts to the news cycle and targets countries designated as unfriendly or enemies by the pro-Kremlin Russian media. One of their main objectives is to shape domestic perceptions of Russia’s position in the cyber warfare landscape, while also showcasing their DDoS capabilities through media exposure and propaganda material.

Killnet’s structure

In an interview with the Russian news site Lenta, Killmilk claimed that the collective consists of  “roughly 4,500 people” organized into various subgroups. While these subgroups operate independently, they occasionally coordinate their activities. Killnet has also claimed to have 280 members in the US, attributing an attack on Boeing to their US “colleagues.”

The core group of Killnet likely comprises members from a DDoS-for-hire group that emerged on the RuTor forum in October 2021. Attack coordination occurs in real time through Killnet’s Telegram channel, where they form and dissolve “legions” focusing on specific targets or countries.

Since February 2022, Killnet has been actively engaging in recruitment efforts to expand its support base. In September 2022, for example, a representative from the group utilized a Telegram supergroup dedicated to Killnet for the purpose of recruiting new members. Their recruitment drive targeted individuals with diverse skill sets, including coders, network engineers, penetration testers, system administrators, and social engineers, indicating the group’s desire to bolster their team with a range of expertise.

Frequent restructuring, expanding, and shrinking

Killnet has undergone reorganizations, with divisions becoming inactive over time. While the DDoS group “Phoenix” was previously associated with Killnet, it is now regarded as a separate but allied group. Divisions such as “Mirai”, “Sakurajima” and “Zarya” gained operational independence, with Zarya focusing on attacks against Ukrainian networks.

Historically, the group “Legion-Cyber Intelligence” had operational control over Killnet’s subgroups, occasionally assigning them specific countries as targets. More recently, they have taken on an “intel-gathering” functionality.

Killnet has expanded its influence by integrating at least fourteen smaller hacktivist groups, including “Anonymous Russia,” and establishing the “Killnet Collective” as an umbrella organization for pro-Kremlin hacktivist groups.

Recommended Reading: Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama

The group firmly denies any affiliation or financial support from state-backed entities, asserting that their funding comes from “enthusiasts and patriots.” However, assessments of the group indicate with high likelihood that the group also generates substantial income through their DDoS-for-hire services and potentially other sources, such as the sale of stolen data.

Infinity Forum

In November 2022, Killnet launched the Infinity forum to structure discussions and foster cooperation among pro-Kremlin hacktivist groups and financially motivated threat actors. The forum was intended to serve as both a platform for collaboration and a marketplace for cybercrime tools and stolen data, and in February 2023 it was announced by Killmilk that Killnet would be selling the forum.

Black Skills

In March 2023, Killmilk announced the establishment of “Black Skills,” a Private Military Hacking Company. The move was seen as an attempt to rebrand and structure the group, inviting Russian government utilization while also engaging in cybercrime activities. The group’s new identity seeks to establish a corporate image and attract clients for their cyber mercenary activities.

In April it was announced that Killnet would be officially ending its hacktivist activities and rebranding as Black Skills. According to the group, it will continue attacking Western entities—but instead of doing so “altruistically” it will instead take orders from private and public entities for money. However, just weeks later Killnet called the move a “mistake” and retracted it.

Killnet’s modus operandi

Killnet employs a variety of methods in their operations, primarily focusing on DDoS attacks. Killmilk, the group’s founder, has claimed their capability to conduct massive 2.4 Tbps DDoS attacks using a predominantly foreign botnet, with Russian devices comprising no more than 6 percent.

In addition to DDoS attacks, Killnet also takes credit for data exfiltration from targeted networks, including high-ranking officials’ email inboxes and bank data. One tool used by Killnet is the “CC-Attack,” a publicly available attack script shared in their Telegram channel. This script, likely authored by an unrelated student in 2020, automates the use of open proxy servers and incorporates randomization techniques to evade signature-based solutions. The CC-Attack toolkit requires minimal expertise and offers three layer 7 attack types: GET flood, HEAD flood, and POST flood. It employs randomization of entities within HTTP requests, such as user-agent, accept header, and POST data.

Killnet has also utilized several known DDoS scripts, including “Aura-DDoS,” “Blood,” “DDoS Ripper,” “Golden Eye,” “Hasoki,” and “MHDDoS,” alongside their proprietary tools.

A Killnet attack in action

One notable attack by Killnet was observed by the Italian Computer Security Incident Response Team (CSIRT) on May 30, 2022. Lasting over ten hours, the attack peaked at 40 Gbps and consisted of three phases. The initial phase involved TCP-SYN, UDP, and TCP SYN/ACK amplification attacks, along with DNS amplification and IP fragmentation attacks. The second phase mirrored the intensity of the first, featuring IP fragmentation attacks followed by the aforementioned attack types but without DNS amplification. The last and longest phase exhibited a lower frequency and alternated between volumetric attacks and state exhaustions.

CSIRT identified specific techniques employed by Killnet during their attacks, including ICMP flood, IP fragmentation, TCP SYN flood, TCP RST flood, TCP SYN/ACK, NTP flood, DNS amplification, and LDAP connectionless (CLAP) attacks.

Killnet has also been observed using slow POST DDoS attacks against Italian government sites, employing a continuous stream of incomplete HTTP requests to tie up server resources.

Through honeypot servers and monitoring IP addresses associated with Killnet, researchers at Forescout confirmed the group’s preference for brute-forcing credentials on TCP ports 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH), as well as their use of SSH tunneling. The observed attacks included 381 instances from 58 IP addresses, with 56 of them being dictionary attacks targeting common default credentials. 

Forescout noted that IP addresses not involved in dictionary attacks sustained their attacks for a maximum of three days, indicating varied goals associated with each IP address. During SSH sessions, the attackers attempted to create a proxy towards “google[.]com” by establishing SSH tunnels. Targeted attacks on FTP ports suggested reconnaissance efforts, as the threat actors repeatedly used the SYST command, which returns the system type.

In December 2022, Killnet shared a script hosted on GitHub that encouraged its followers to deface websites, indicating their potential inclination towards such attacks.

In January 2023, researchers at Radware identified the “Passion” botnet as one of the tools employed by Killnet in attacks against medical institutions. The botnet maintained a Telegram channel named “PASSION BOTNET CHAT,” which was present in Flashpoint collections.

After successfully executing an attack, Killnet frequently utilizes check-host[.]net to verify and confirm the operation on their official Telegram channel.

Notable Killnet attacks

Killnet has targeted numerous organizations and institutions, with heightened activity since February 2022.

Attacks on medical institutions

Killnet initiated a widespread campaign, collaborating with multiple hacktivist groups, to target healthcare institutions in Western countries, particularly the United States. The Phoenix hacktivist group claimed responsibility for impacting two hospitals in the US. Killnet shared lists of hospitals’ websites on their Telegram channel, calling for a massive attack on the US healthcare system.

Attack on Germany

Killnet spearheaded a DDoS campaign against German websites after Germany’s decision to send Leopard tanks to Ukraine. Sixteen pro-Kremlin hacktivist groups joined the attack, although its impact remained low.

Attacks on dark web markets

Killnet played a role in an ongoing conflict between Dark Web markets following law enforcement takedowns of Hydra Market, a dominant Russian-run market. Killnet supported WayAWay and attacked RuTor, a major forum allied with OMGOMG. The group justified its attacks on Dark Web markets as a stance against narcotics trade. However, financial motivations and ideological justifications were also identified.

Attacks on European institutions

Killnet targeted the website of the European Parliament after the institution recognized Russia as a state sponsor of terrorism. The attack briefly made the Parliament’s website unavailable. They also attacked Belgium’s Cybersecurity Center after an investigation was opened against the group due to the attack on the European Parliament.

Attacks on US websites

Killnet has claimed responsibility for various attacks on US government websites. They targeted the National Geospatial-Intelligence Agency, US tax resources, government websites of several states, airports (including O’Hare International Airport), and a major US bank. While these attacks caused visibility issues, they had limited impact on operations.

Recommended Reading: Advanced Persistent Threat (APT) Groups: What They Are and Where They Are Found

Attacks on Lithuania and the US

Killnet has conducted DDoS attacks on Lithuanian government and private institutions. They demanded the reinstatement of transit routes between the Russian exclave of Kaliningrad and the rest of Russia. Killnet also threatened the US energy and financial sectors, claiming they could conduct similar attacks in five US states or European countries simultaneously.

These notable attacks provide a glimpse into Killnet’s activities, targeting various sectors and countries. The group’s motivations range from geopolitical disputes and ideological justifications to financial interests and opposition against specific industries.

The future of Killnet

Killnet, despite its nationalistic agenda, has primarily been driven by financial motives, utilizing the eager support of the Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services. Killnet has also partnered with several botnet providers as well as the Deanon Club—a partner threat group with which Killnet created Infinity Forum—to target narcotics-focused darknet markets.

While there is no evidence of Killnet acquiring more sophisticated tactics, their recent shift towards becoming paid “cyber mercenaries” raises concerns. This move could serve as a blueprint for other groups seeking to monetize their activities. Formerly associated groups like Phoenix, AKUR, and Legion have already made clear strides towards cybercrime. Phoenix established a Telegram channel for advertising and selling unauthorized access and exfiltrated data, while Legion created its own private military hacking company.

The extent of the connection between pro-Kremlin hacktivist groups and Russian security services remains uncertain and likely varies. Earlier reports from Mandiant linked XakNet and the Cyber Army of Russia to Russian security services, suggesting that these groups acted as fronts for sharing illegally obtained information by state-backed entities. This arrangement allowed the groups to gain fame while providing plausible deniability for state actors. A more pronounced shift towards cybercrime could lead to state-backed groups using “cyber mercenaries” as proxies to probe the cyber defenses of Western organizations. The interest in such arrangements is evident, as demonstrated by ransomware attacks on Polish logistics companies in late 2022, attributed to Russian APT groups.

Killnet has shown interest in such arrangements as long as they bring financial gains, indicating a future trajectory for the group.

Identify and mitigate cyber risks with Flashpoint

Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Get a free trial today and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.