Retaliation by the Pro-Russian Group KillNet
At the beginning of the Russia-Ukraine conflict, KillNet, a Russian cybergang, began actively collecting open-source intelligence (OSINT), which drew interest from various threat actor groups. Heightened interest in the OSINT data led additional actors to join KillNet, growing its membership to include not only Russian cybercriminals but also other cyber gangs sympathetic to Russia.
KillNet actively responds to threats against the Russian Federation by launching widespread DDoS attacks against a target’s cyber landscape. One example of KillNet’s retaliation is the DDoS attack that took down the Anonymous website.
After increasing its membership, KillNet significantly expanded its operations. Its newly adopted tactic was to react immediately to geopolitical and external events involving the Russian Federation. For example, after Lithuania blocked a cargo ship of goods that was moving through Lithuanian territory en route to Russia’s isolated Kaliningrad region, KillNet immediately began a series of DDoS attacks on Lithuanian companies and government services.
KillNet also retaliated against other entities it decided were enemies of Russia. These included government organizations and critical infrastructure in countries such as Poland, Estonia, and Japan, and individual companies such as Lockheed Martin.
Lithuania
June 28, 2022
Figure 1: Blocking authorization to the central data center system for "BALT NET" clients
Translation of Figure 1
BALTIC PETROLEUM is a modern filling station network operating throughout Lithuania.
❌BLOCKED:
- Authorization
- Internet services
- Application
June 28, 2022
Figure 2: Ongoing attack on Lithuania’s governmental network
Translation of Figure 2
WE ARE KILLNET
🤫Night insider from Lithuania:
"Lithuania's paralyzed secure state network has not yet been restored. A bunch of useless Baltic specialists promised their Curator from the Cyber Security Agency that they would restore everything by morning."
🙄Tell them that we will meet again in the morning...
June 28, 2022
Figure 3: A report regarding ongoing attacks on Lithuania’s network
Translation of Figure 3
“In 39 hours, we achieved the isolation of 70% of the entire Lithuanian network infrastructure.”
☝️I will explain on the fingers:
- Web integration of Lithuanian websites and electronic systems is in the "Blockade", that is, "Geo block", web traffic and other means of communication are available only within the republic. Thus, we disrupt Lithuania's network interaction with the rest of the world. At the moment, Lithuania is in sadder conditions than Kaliningrad. And we keep our promise! 😉
The attack received coverage in world news, mentioning the DDoS attacks, as well as the onslaught of fake bomb threats.
June 28, 2022
Figure 3-1: The New York Times mentions a flood of fake bomb threats in Lithuania.
June 27, 2022
Figure 3-2: The Lithuanian National Cyber Security Center confirmed DDoS attacks on government and public services
June 28, 2022
Figure 3-3: Reuters highlighted continued KillNet attacks
July 7, 2022
Figure 4: Data from the hack of casb.edu.co: all emails, certificates, keys, SQL, htaccess, SSL.db, wp_admins_list.
Attacks on Poland
July 14, 2022
Figure 5: KillNet initializes attacks on Polish police departments all over the country
July 15, 2022
Figure 5-1: The attack on the Polish police department was confirmed by local authorities.
Figure 5-2: Continuation of Polish news shared comments from local officials regarding the latest DDoS attacks.
KillMilk leaves KillNet
KillMilk, the leader of KillNet, left the group to “develop his skills,” giving the position to the new head of KillNet – an individual going by the name BlackSide.
July 28, 2022
Figure 6: The Leader of KillNet, KillMilk transfers power to the new Leader, BlackSide.
Translation of Figure 6
☠WE ARE KILLNET 🔥KillMilk blesses the hacker "BlackSide" and gives him the title of Killnet control!
🔹Information: 🇬🇧BlackSide hacker "The Black Side" Specification: Ransomware, "USA/EC" crypto phishing, Brilliant robber of European crypto exchanges, DarkNet forum hack owner in "onion" zone - forum information is hidden.
😈Welcome "BlackSide" and wish you success!
Lockheed Martin Corporation
July 21, 2022
Figure 7: Marking the next target – Lockheed Martin
As has been widely reported, KillNet also targeted Lockheed Martin, a global defense and aerospace company that develops, among other weapons, the Multiple Launch Rocket System (MLRS) High Mobility Artillery Rocket System (HIMARS), which has been supplied to Ukraine by the U.S. government. The MLRS HIMARS was deployed in Ukraine as a next-generation weapon that has dramatically impacted the conflict in Ukraine’s favor.
KillNet labeled Lockheed Martin Corporation a terrorist organization due to casualties caused by the MLRS HIMARS and on August 1, 2022, KillNet identified Lockheed Martin as a major target, asking other cyber gangs to join KillNet’s crusade.
However, KillNet has neither proven nor provided substantial evidence of the Lockheed Martin breach. Even the gang’s colleagues on the Darkweb doubt the veracity of KillNet’s self-proclaimed attribution. As with other cybercriminal gangs, we have seen claims of successful attacks with no proof of the attack provided. For instance, we wrote about the Stormous group this past April.
Around August 10, KillNet claimed it had significantly expanded its actions against Lockheed Martin, including DDoS attacks.
August 10, 2022
Figure 8: DDoS attack results against Lockheed Martin’s website.
Translation of Figure 8
WE ARE KILLNET
The world's best has fallen off Lockheed Martin. Perhaps they realized that it is not necessary to help the terrorists!
WE ARE KILLNET
Lockheed Martin’s system administrators are sweating hard to stop billions of requests to their servers. As for the identification systems in NASA - the admin stopped responding with the blocking "possibly hanged himself"
August 11, 2022
Figure 9: Screenshot from an animated presentation of the obtained Lockheed employee information
A brief search across a small sample of these email addresses did not show them to be part of known data dumps or compromises. Additionally, the ninth column in the spreadsheet in Figure 9 suggests exactly that, potentially showing previous compromises that were mined for Lockheed Martin email addresses. If KillNet used data from previous email dumps, this would disprove their claim of having breached Lockheed Martin’s servers.
Many journalists and infosec professionals asked KillNet for more significant proof of a breach of the Lockheed Martin servers or any data leak.
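One way to perform the kind of check described above, as an added example that is not part of the original post: given a purported leak spreadsheet whose ninth column names the source of each record, count how many addresses already appear in earlier published dumps. The spreadsheet rows, the column layout and the index of prior dumps are all constructed for illustration.

```python
"""Triage a claimed breach dump: are the records recycled from older leaks?

Added example, not Trustwave's or KillNet's material. The sheet and the
index of previously published dumps are constructed, not real data.
"""
import csv
import io
from collections import Counter

# Constructed sample of a "leaked employee list"; the 9th column ("source")
# mirrors the column discussed above that hints at where each row came from.
CONSTRUCTED_SHEET = """id,first,last,title,site,phone,dept,badge,source,email
1,Ann,Example,Engineer,HQ,000-0000,R&D,B1,OldForumLeak2019,ann.example@corp.example
2,Bob,Sample,Analyst,HQ,000-0000,IT,B2,MarketingSaaSDump2020,bob.sample@corp.example
3,Cy,Test,Manager,Plant,000-0000,Ops,B3,,cy.test@corp.example
4,Di,Demo,Clerk,HQ,000-0000,HR,B4,OldForumLeak2019,DI.DEMO@corp.example
"""

# Constructed index: name of an earlier dump -> normalised addresses it held.
CONSTRUCTED_KNOWN_DUMPS = {
    "OldForumLeak2019": {"ann.example@corp.example", "di.demo@corp.example"},
    "MarketingSaaSDump2020": {"bob.sample@corp.example"},
}


def normalise(email):
    """Lower-case and trim so that case variants in the sheet still match."""
    return email.strip().lower()


def triage_dump(sheet_text, known_dumps):
    """Return (total_rows, recycled_rows, hits_per_dump, verdict).

    A row is "recycled" when its address is already in an indexed older dump;
    a high recycled ratio undermines a claim of a fresh server breach.
    """
    rows = list(csv.DictReader(io.StringIO(sheet_text)))
    hits_per_dump = Counter()
    recycled = 0
    for row in rows:
        email = normalise(row["email"])
        matches = [name for name, addrs in known_dumps.items() if email in addrs]
        if matches:
            recycled += 1
            hits_per_dump.update(matches)
    total = len(rows)
    ratio = recycled / total if total else 0.0
    # Threshold is an assumed triage heuristic, not a published rule.
    verdict = "likely recycled from prior leaks" if ratio >= 0.5 \
        else "no evidence of recycling; fresh breach not ruled out"
    return total, recycled, hits_per_dump, verdict
```

Rows with no match only show that the indexed dumps did not contain them; they do not by themselves confirm a new breach.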
Attacks on Estonia
Around mid-August, KillNet stopped posting about Lockheed Martin. Instead, it announced a DDoS attack targeting RuTor, an underground forum and marketplace serving Russian-speaking regions. The gang believes the Security Service of Ukraine still controls this marketplace and that law enforcement monitors all operations on it. Later, the Estonian financial and governmental sectors were marked as new targets.
Beginning on or around August 17, KillNet began DDoSing Estonian governmental networks and other services:
August 17, 2022
Figure 10: ESTO AS | Innovative payment provider
The main authorization of the payment aggregator throughout the Republic of Estonia is blocked
August 17, 2022
Figure 11: KillNet mocking Estonia for their payment system going down
Translation of Figure 11
AT THE MOMENT IN ESTONIA THERE ARE BIG PROBLEMS WITH ONLINE PAYMENT🙄
But, they are blunt and do not understand why🐌😂😂😂
Oh what happened
August 17, 2022
Figure 12: Examples of broken service
August 17, 2022
Figure 13: Partial list of targets in Estonia
August 17, 2022
Figure 14: More mocking of Estonia
Translation of Figure 14
Estonia, How are you there?
As previously mentioned, KillNet reacts immediately to any political issue affecting the Russian Federation. In this case, the gang reacted to the Estonian decision to remove a Soviet-era World War 2 monument, a T-34 tank, from public display.
August 16, 2022
Figure 14-1: World War 2 Soviet monument
August 22, 2022
Figure 14-2: Bloomberg adds more context to ongoing DDoS attacks.
(src: https://www.bnnbloomberg.ca/estonia-repels-cyber-attacks-as-pro-kremlin-group-takes-credit-1.1807236)
Attacks on Japan
On September 6, it appears that KillNet continued its malicious activities by launching DDoS attacks against Japan.
September 6, 2022
Figure 15: KillNet claims attacks against Japanese government sites
Translation of Figure 15
There is good news guys... Killmilk is❤️
Electronic Government of Japan (Public Services)
(links redacted)
Electronic application of the e-government of Japan.
(links redacted)
Japan's main tax portal (desktop)
(links redacted)
The main electronic system of the tax authority of Japan.
(links redacted)
September 6, 2022
Figure 16: KillNet’s message regarding JCB
Translation of Figure 16
Striking it to the samurai 👊
The JCB payment system is one of the leading international payment systems founded in Japan in 1961. Since 2015, JCB cards have been issued in Russia as well. The JCB card allows travelers privileges and discounts in restaurants, hotels, shops, and when visiting attractions around the world.
September 6, 2022
Figure 17: Attack on Japan’s tax office
September 6, 2022
Figure 18: Internal Server Error Message
Translation of Figure 18
KillNet hackers are on the warpath against Japanese militarism. They disabled the country's second most popular social network, Mixi.
In terms of the number of users, it is second only to Facebook (banned in Russia), several tens of millions of people are registered there. They keep their own diaries, where they write about their love for tentacles and yaoi and comment on the diaries of others. Well, they no longer comment - they organized a digital wakizashi. All for the support of Ukraine and encroachment on the Kuriles.
Before that, KillNet talked about the decommissioning of Japan's e-government, their main tax portal and the national payment system JCB.
September 6, 2022
Figure 19: 504 Gateway Time-out Message
Translation of Figure 19
We have prepared a nice exclusive for the telegrams of the MASH channel about how the samurai killmilk demolishes the social network MIXI (Jap. ミクシィ, mikushi:) is the largest social network in Japan after Facebook, the number of users in which, as of September 2012, exceeds 26 million people [2][3]. Participants of this project get the opportunity to keep their own diary (blog) and read the diaries of other people, publish photos and videos, participate in numerous communities, exchange messages and leave feedback on media products.[4]. Mixi services are free, but you can upgrade to a paid account (315 yen per month)
13:35
WE ARE KILLNET
Smoke break 10 minutes👌
September 6, 2022
Figure 20: A comment from KillNet illustrating the latest news.
Translation of Figure 20
The Japanese government has sent a "strong protest" to Russia over Moscow's decision to terminate the agreement on facilitated visits to the Kurile Islands, said Hirokazu Matsuno, Secretary General of the Japanese Cabinet.
In turn, Japanese Foreign Minister Yoshimasa Hayashi called Moscow's decision "absolutely unfounded and unacceptable."
Earlier, Russia terminated the agreement with Japan on facilitated visits to the Kurile Islands by Japanese citizens.
Japanese Prime Minister Fumio Kishida is the same as Zelensky, only not a drug addict but an ordinary pawn for the United States.
Summary
Our previous blog post, covering the cyber weapons used in the Russia/Ukraine war, showed cybergangs with direct ties to a Russian APT. This post shows that cyber gangs with only indirect ties to Russia are also throwing their hats into the ring to support Russia in its invasion of Ukraine.
Additionally, KillNet casts its net very widely and is purportedly willing to act against any organization or nation that supports Ukraine. This reinforces the idea that the fallout from cyberwarfare conducted against a specific entity can often hit targets far and wide.
This means that while organizations and nations should always have cybersecurity measures in place, those supporting an entity that is being singled out for cyberattacks should be on a higher level of alert.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.