In a recent development, Russian hackers have declared their intention to launch cyberattacks on the European financial system within the next 48 hours. The announcement was made late on Wednesday, June 14 and came through a video threat posted on the Mash Telegram channel, a very popular channel for Russian news. This operation appears to be a collaborative effort between the hacking groups KillNet, REvil, and Anonymous Sudan. The post was subsequently reposted on the official Telegram channels of Anonymous Sudan and KillNet groups.
The hackers say they will target the financial system, following the formula of "no money - no weapons - no Kyiv regime." Additional information provided in the Telegram post indicates potential targets such as US banks and the US Federal Reserve System.
Figure 1. Threat video reposted on Telegram channels of Anonymous Sudan and KillNet.
The video from Mash was uploaded to YouTube: https://www.youtube.com/watch?v=uIY_iUsXg9Y.
Here is a screenshot from its opening:
Figure 2. Video posted on Mash.
As SpiderLabs has previously reported, there is a strong possibility Anonymous Sudan is in fact a KillNet subgroup and SpiderLabs cannot confirm that the group is based in Sudan, nor if any of its members are from that nation, but based on the evidence available, it seems quite likely that Anonymous Sudan is a KillNet project, possibly including some Eastern European members.
KillNet has been on SpiderLabs radar since late last year when they claimed responsibility for the DDoS attack targeting Starlink. In a November 2022 report, SpiderLabs noted that despite its efforts, interest, collaboration, and major bragging, the group does not seem to have advanced any skills beyond very targeted and limited DDoS attacks.
In that report SpiderLab’s research anticipated KillNet would continue to conduct low-skill attacks from KillNet targeting an ever-growing list of targets that it considers to be in opposition to Russian interests. However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time.
Figure 3. Anonymous Sudan Claiming Responsibility for DDoS Attacks on FAB, Chase, and Deutsche Bank Website.
KillNet and Anonymous Sudan groups focus on Distributed Denial of Service (DDoS). The groups are known for orchestrating large-scale DDoS attacks on various entities including airports, banks, energy providers, and government agencies.
A report by Forescout provided insights into other tactics employed by the KillNet group. Using a network of honeypots, the study uncovered credential brute-force attacks on common TCP ports, including 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH). The attacks relied primarily on dictionary-based techniques, targeting widely used and default credentials. The two most frequently targeted usernames were 'root' and 'postgres'. The analysis of the attackers' IP addresses revealed their reliance on TOR nodes and the utilization of proxies.
REvil is widely known for their ransomware attacks, affecting some large organizations around the world. You might recognize them as the ransomware group that leveraged a zero-day vulnerability in Kaseya IT Management Software in 2021. Back in January 2022, Russia made a lot of noise about “taking down” the REvil group. Back then, SpiderLabs wrote up an analysis where we stated that “The long-term impact of the REvil arrests remains to be seen.” It seems obvious now that that “takedown” did very little. REvil is known to leverage phishing attacks and exploits to gain initial access.
KillNet and Anonymous Sudan are known for DDoS attacks which typically last only a short while; long enough for a screenshot to post on Telegram. REvil, however, has a history of more damaging attacks. While this may not result in any actual attacks, the inclusion of REvil to the KillNet/AnonSudan collective should raise some eyebrows. Regardless of the coming days, this is probably a good time to revisit your threat posture and public facing services. Trustwave is actively monitoring the situation and will provide updates here as we have them.