KillNet, Anonymous Sudan, and REvil Unveil Plans for Attacks on US and European Banking Systems

In a recent development, Russian hackers have declared their intention to launch cyberattacks on the European financial system within the next 48 hours. The announcement was made late on Wednesday, June 14 and came through a video threat posted on the Mash Telegram channel, a very popular channel for Russian news. This operation appears to be a collaborative effort between the hacking groups KillNet, REvil, and Anonymous Sudan. The post was subsequently reposted on the official Telegram channels of Anonymous Sudan and KillNet groups.

The hackers say they will target the financial system, following the formula of "no money - no weapons - no Kyiv regime." Additional information provided in the Telegram post indicates potential targets such as US banks and the US Federal Reserve System.


Figure 1. Threat video reposted on Telegram channels of Anonymous Sudan and KillNet.

The video from Mash was uploaded to YouTube: https://www.youtube.com/watch?v=uIY_iUsXg9Y.

Here is a screenshot from its opening:


Figure 2. Video posted on Mash.

As SpiderLabs has previously reported, there is a strong possibility that Anonymous Sudan is in fact a KillNet subgroup. SpiderLabs cannot confirm that the group is based in Sudan, nor that any of its members are from that nation; based on the evidence available, it seems quite likely that Anonymous Sudan is a KillNet project, possibly including some Eastern European members.

KillNet has been on SpiderLabs' radar since late last year, when the group claimed responsibility for the DDoS attack targeting Starlink. In a November 2022 report, SpiderLabs noted that despite its efforts, interest, collaboration, and major bragging, the group does not seem to have advanced its skills beyond very targeted and limited DDoS attacks.

In that report, SpiderLabs anticipated that KillNet would continue to conduct low-skill attacks against an ever-growing list of targets it considers to be in opposition to Russian interests. However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time.


Figure 3. Anonymous Sudan Claiming Responsibility for DDoS Attacks on FAB, Chase, and Deutsche Bank Website.

Attack Vectors

KillNet and Anonymous Sudan groups focus on Distributed Denial of Service (DDoS). The groups are known for orchestrating large-scale DDoS attacks on various entities including airports, banks, energy providers, and government agencies.

A report by Forescout provided insights into other tactics employed by the KillNet group. Using a network of honeypots, the study uncovered credential brute-force attacks on common TCP ports, including 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH). The attacks relied primarily on dictionary-based techniques, targeting widely used and default credentials. The two most frequently targeted usernames were 'root' and 'postgres'. The analysis of the attackers' IP addresses revealed their reliance on TOR nodes and the utilization of proxies.
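The brute-force behaviour described in the Forescout findings above (many failed logins from one source, concentrated on a handful of usernames such as 'root' and 'postgres', frequently arriving via TOR exit nodes or proxies) is easy to surface from ordinary SSH authentication logs. The following detector is an added example written for this post, not code from Trustwave, Forescout or either group's tooling. The log lines are constructed in the style of a Linux `auth.log`, the threshold of five failures is an assumption, and the `tor_exits` set stands in for a real exit-node list that you would load from your own threat-intelligence feed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample sshd log lines (not real traffic), in the style of /var/log/auth.log.
# 198.51.100.7 hammers root/postgres/admin; 203.0.113.9 is a legitimate user with one typo.
SAMPLE_LOG = """\
Jun 15 01:02:11 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jun 15 01:02:12 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 51123 ssh2
Jun 15 01:02:13 bastion sshd[2203]: Failed password for invalid user postgres from 198.51.100.7 port 51124 ssh2
Jun 15 01:02:14 bastion sshd[2205]: Failed password for invalid user postgres from 198.51.100.7 port 51125 ssh2
Jun 15 01:02:15 bastion sshd[2207]: Failed password for invalid user admin from 198.51.100.7 port 51126 ssh2
Jun 15 01:02:16 bastion sshd[2209]: Failed password for root from 198.51.100.7 port 51127 ssh2
Jun 15 01:05:40 bastion sshd[2301]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Jun 15 01:05:49 bastion sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user postgres ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# The two usernames the Forescout honeypot data saw targeted most often.
WATCHED_USERS = frozenset({"root", "postgres"})


@dataclass
class Finding:
    ip: str            # offending source address
    failures: int      # total failed password attempts from that address
    users: tuple       # distinct usernames tried, sorted
    watched_hits: int  # how many attempts were against root/postgres
    via_tor: bool      # True if the address is in the supplied exit-node list


def parse_failures(log_text):
    """Return (ip, user) pairs for every failed password attempt in the log."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("user")))
    return pairs


def detect_bruteforce(log_text, threshold=5, tor_exits=frozenset()):
    """Flag source IPs with at least `threshold` failed logins.

    `threshold` is an assumed tuning value; `tor_exits` is whatever exit-node
    list you maintain (an empty set disables the TOR flag).
    """
    per_ip = defaultdict(Counter)
    for ip, user in parse_failures(log_text):
        per_ip[ip][user] += 1

    findings = []
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total < threshold:
            continue  # below the noise floor: a mistyped password, not a dictionary attack
        watched = sum(n for u, n in users.items() if u in WATCHED_USERS)
        findings.append(Finding(ip=ip, failures=total, users=tuple(sorted(users)),
                                watched_hits=watched, via_tor=ip in tor_exits))
    return sorted(findings, key=lambda f: -f.failures)


if __name__ == "__main__":
    # Placeholder exit-node list, constructed for the demo; load a real feed in practice.
    demo_tor_exits = {"198.51.100.7"}
    for f in detect_bruteforce(SAMPLE_LOG, tor_exits=demo_tor_exits):
        print(f"{f.ip}: {f.failures} failures, users={f.users}, "
              f"root/postgres hits={f.watched_hits}, tor={f.via_tor}")
```

The per-IP aggregation is what separates this traffic from an ordinary user who mistypes a password once: one source cycling through several accounts in seconds, with most attempts against `root` and `postgres`, is the dictionary pattern the report describes, and the TOR flag is the cue to block at the edge rather than wait for a lockout.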

REvil is widely known for its ransomware attacks, which have affected some large organizations around the world. You might recognize it as the ransomware group that leveraged a zero-day vulnerability in Kaseya IT management software in 2021. Back in January 2022, Russia made a lot of noise about "taking down" the REvil group. At the time, SpiderLabs wrote up an analysis in which we stated that "The long-term impact of the REvil arrests remains to be seen." It seems obvious now that the "takedown" did very little. REvil is known to leverage phishing attacks and exploits to gain initial access.

Conclusion

KillNet and Anonymous Sudan are known for DDoS attacks that typically last only a short while, just long enough for a screenshot to post on Telegram. REvil, however, has a history of more damaging attacks. While this may not result in any actual attacks, the inclusion of REvil in the KillNet/AnonSudan collective should raise some eyebrows. Regardless of what the coming days bring, this is probably a good time to revisit your threat posture and public-facing services. Trustwave is actively monitoring the situation and will provide updates here as we have them.
