SpiderLabs Blog

Retaliation by the Pro-Russian Group KillNet

Written by SpiderLabs Researcher | Sep 14, 2022 1:50:00 PM

At the beginning of the Russia-Ukraine conflict, KillNet - a Russian cybergang - began actively collecting open-source intelligence (OSINT), which drew interest from various threat actor groups. Heightened interest in the OSINT data led to additional actors joining KillNet, growing its membership to include not only Russian cyber criminals, but uniting other cyber gangs sympathetic to Russia.

KillNet actively responds to threats against the Russian Federation by launching widespread DDoS attacks against a target’s cyber landscape. One example of KillNet’s retaliation is the DDoS attack that took down the Anonymous website.

After increasing its membership, KillNet significantly expanded its operation. KillNet’s newly incorporated tactic involved an immediate reaction to geopolitical and external events related to the Russian Federation. For example, after Lithuania blocked a cargo ship of goods that was moving through Lithuanian territory en route to Russia’s isolated Kaliningrad region, KillNet immediately began a series of DDoS attacks on Lithuanian companies and government services.

Other geopolitical targets KillNet decided were enemies of Russia were targeted with retaliation. This included government organizations and critical infrastructure in countries like Poland, Estonia, Japan, and individual companies like Lockheed Martin.

Lithuania

June 28, 2022

Figure 1: Blocking authorization to the central data center system for "BALT NET" clients

Translation of Figure 1

BALTIC PETROLEUM is a modern filling station network operating throughout Lithuania.

❌BLOCKED:

- Authorization

- Internet services

- Application 

June 28, 2022

Figure 2: Ongoing attack on Lithuania’s governmental network

Translation of Figure 2

WE ARE KILLNET

🤫Night insider from Lithuania:

"Lithuania's paralyzed secure state network has not yet been restored. A bunch of useless Baltic specialists promised their Curator from the Cyber Security Agency that they would restore everything by morning."

🙄Tell them that we will meet again in the morning...

June 28, 2022

Figure 3: A report regarding ongoing attacks on Lithuania’s network

Translation of Figure 3

“In 39 hours, we achieved the isolation of 70% of the entire Lithuanian network infrastructure.”

☝️I will explain on the fingers:

- Web integration of Lithuanian websites and electronic systems is in the "Blockade", that is, "Geo block", web traffic and other means of communication are available only within the republic. Thus, we disrupt Lithuania's network interaction with the rest of the world. At the moment, Lithuania is in sadder conditions than Kaliningrad. And we keep our promise! 😉

The attack received coverage in world news, mentioning the DDoS attacks, as well as the onslaught of fake bomb threats.

June 28, 2022

Figure 3-1: The New York Times mentions a flood of fake bomb threats in Lithuania.

June 27, 2022

Figure 3-2: The Lithuanian National Cyber Security Center confirmed DDoS attacks on government and public services

June 28, 2022

Figure 3-3: Reuters highlighted continued KillNet attacks

July 7, 2022

Figure 4: Data from hack of casb.edu.co all emails, certificates, keys, SQL, htaccess, SSL.db, wp_admins_list.

Attacks on Poland

July 14, 2022

Figure 5: KillNet initializes attacks on Polish police departments all over the country

July 15, 2022

Figure 5.1: The attack on the Polish police department was confirmed by local authorities.

Figure 5-2: Continuation of Polish news shared comments from local officials regarding the latest DDoS attacks.

KillMilk leaves KillNet

KillMilk, the leader of KillNet, left the group to “develop his skills,” giving the position to the new head of KillNet – an individual going by the name BlackSide.

July 28, 2022     

  

Figure 6: The Leader of KillNet, KillMilk transfers power to the new Leader, BlackSide.

Translation of Figure 6

☠WE ARE KILLNET 🔥KillMilk blesses the hacker "BlackSide" and gives him the title of Killnet control!

🔹Information: 🇬🇧BlackSide hacker "The Black Side" Specification: Ransomware, "USA/EC" crypto phishing, Brilliant robber of European crypto exchanges, DarkNet forum hack owner in "onion" zone - forum information is hidden.

😈Welcome "BlackSide" and wish you success!

Lockheed Martin Corporation

July 21, 2022

Figure 7: Marking the next target – Lockheed Martin

As has been widely reported, KillNet also targeted Lockheed Martin, a global defense and aerospace company that develops, among other weapons, the Multiple Launch Rocket System (MLRS) High Mobility Artillery Rocket System (HIMARS), which has been supplied to Ukraine by the U.S. government. The MLRS HIMARS was deployed in Ukraine as a next-generation weapon that has dramatically impacted the conflict in Ukraine’s favor.

KillNet labeled Lockheed Martin Corporation a terrorist organization due to casualties caused by the MLRS HIMARS and on August 1, 2022, KillNet identified Lockheed Martin as a major target, asking other cyber gangs to join KillNet’s crusade.

However, Killnet has neither proven nor provided substantial evidence of the Lockheed Martin breach. Even the gang’s colleagues on the Darkweb doubt the veracity of KillNet’s self-proclaimed attribution. As with other cybercriminal gangs, we have seen claims of successful attacks with no proof of the attack provided. For instance, we wrote about the Stormous group this past April.

Closer to August 10, KillNet said it significantly expanded its actions against Lockheed Martin, including DDoS attacks.

August 10, 2022

Figure 8: DDoS attack results against Lockheed Martin’s website.

Translation of Figure 8

            WE ARE KILLNET

The world's best has fallen off Lockheed Martin. Perhaps they realized that it is not necessary to help the terrorists!

            WE ARE KILLNET

Lockheed Martin’s system administrators are sweating hard to stop billions of requests to their servers. As for the identification systems in NASA - the admin stopped responding with the blocking "possibly hanged himself"

August 11, 2022

Figure 9: Screenshot from an animated presentation of the obtained Lockheed employee information

A brief search across a small sample of these email addresses did not show them to be part of known data dumps or compromises. Additionally, the ninth column in the spreadsheet in Figure 9 suggests exactly that, potentially showing previous compromises that were mined for Lockheed Martin email addresses. If KillNet used data from previous email dumps, this would disprove their claim of having breached Lockheed Martin’s servers.   

Many journalists and infosec professionals asked KillNet for more significant proof of a breach of the Lockheed Martin servers or any data leak.

Attacks on Estonia

Around mid-August, KillNet stopped posting about Lockheed Martin. Instead, it announced a DDoS attack targeting RuTor, an underground forum and marketplace specialized for Russian-speaking regions. The gang believes the Security Service of Ukraine still controls this marketplace and that law enforcement monitors all operations. Later, Estonian financial and governmental sectors were marked as new targets.

Beginning on or around August 17, KillNet began DDoSing Estonian governmental networks and other services:

August 17, 2022

Figure 10: ESTO AS | Innovative payment provider

The main authorization of the payment aggregator throughout the Republic of Estonia is blocked

August 17, 2022

Figure 11: KillNet mocking Estonia for their payment system going down

Translation of Figure 11

AT THE MOMENT IN ESTONIA THERE ARE BIG PROBLEMS WITH ONLINE PAYMENT🙄

But, they are blunt and do not understand why🐌😂😂😂

Oh what happened

 August 17, 2022

Figure 12: Examples of broken service

August 17, 2022

Figure 13: Partial list of targets in Estonia

August 17, 2022

Figure 14: More mocking of Estonia

Translation of Figure 14

Estonia, How are you there?

As previously mentioned, KillNet immediately reacts to any political issues affecting the Russian Federation. In this case, the gang reacted to the Estonian decision to remove a Soviet Union era World War 2 monument – a T34 tank – from public display.

August 16, 2022

Figure 14-1: World War 2 Soviet monument 

August 22, 2022

Figure 14-2: Bloomberg adds more context to ongoing DDoS attacks.

(src: https://www.bnnbloomberg.ca/estonia-repels-cyber-attacks-as-pro-kremlin-group-takes-credit-1.1807236)

Attacks on Japan

On September 6, it appears that KillNet continued its malicious activities by launching DDoS attacks against Japan.

September 6, 2022

Figure 15: KillNet claims attacks against Japanese government sites

Translation of Figure 15

There is good news guys... Killmilk is❤️

Electronic Government of Japan (Public Services)

(links redacted)

Electronic application of the e-government of Japan.

(links redacted)

Japan's main tax portal (desktop)

(links redacted)

The main electronic system of the tax authority of Japan.

(links redacted)

September 6, 2022

Figure 16: KillNet’s message regarding JCB

Translation of Figure 16

Striking it to the samurai 👊

The JCB payment system is one of the leading international payment systems founded in Japan in 1961. Since 2015, JCB cards have been issued in Russia as well. The JCB card allows travelers privileges and discounts in restaurants, hotels, shops, and when visiting attractions around the world.

September 6, 2022

Figure 17: Attack on Japan’s tax office

September 6, 2022

Figure 18: Internal Server Error Message

Translation of figure 18

KillNet hackers are on the warpath against Japanese militarism. They disabled the country's second most popular social network, Mixi.

In terms of the number of users, it is second only to Facebook (banned in Russia), several tens of millions of people are registered there. They keep their own diaries, where they write about their love for tentacles and yaoi and comment on the diaries of others. Well, they no longer comment - they organized a digital wakizashi. All for the support of Ukraine and encroachment on the Kuriles.

Before that, KillNet talked about the decommissioning of Japan's e-government, their main tax portal and the national payment system JCB.

September 6, 2022

Figure 19: 504 Gateway Time-out Message

Translation of figure 19

We have prepared a nice exclusive for the telegrams of the MASH channel about how the samurai killmilk demolishes the social network MIXI (Jap. ミクシィ, mikushi:) is the largest social network in Japan after Facebook, the number of users in which, as of September 2012, exceeds 26 million people [2][3]. Participants of this project get the opportunity to keep their own diary (blog) and read the diaries of other people, publish photos and videos, participate in numerous communities, exchange messages and leave feedback on media products.[4]. Mixi services are free, but you can upgrade to a paid account (315 yen per month)

13:35

WE ARE KILLNET

Smoke break 10 minutes👌

September 6, 2022

Figure 20: A comment from KillNet illustrating the latest news.

Translation of figure 20

The Japanese government has sent a "strong protest" to Russia over Moscow's decision to terminate the agreement on facilitated visits to the Kurile Islands, said Hirokazu Matsuno, Secretary General of the Japanese Cabinet.

In turn, Japanese Foreign Minister Yoshimasa Hayashi called Moscow's decision "absolutely unfounded and unacceptable."

Earlier, Russia terminated the agreement with Japan on facilitated visits to the Kurile Islands by Japanese citizens.

Japanese Prime Minister Fumio Kishida is the same as Zelensky, only not a drug addict but an ordinary pawn for the United States.

Summary section

Unlike our previous blog post covering the Cyber Weapons used in the Russia/Ukraine War that shows cybergangs with direct ties to a Russian APT, we can see from this post that cyber gangs with indirect ties to Russia are still throwing their hat into the ring to support Russia in its invasion of Ukraine.

Additionally, we can see that Killnet casts its net very widely and purportedly is willing to act against organizations and nations willing to support Ukraine. This evidence reinforces the idea that the fallout from cyberwarfare being conducted against a specific entity can often hit targets far and wide.

This means that while organizations and nations should always have cybersecurity measures in place, those supporting an entity that is being singled out for cyberattacks should be on a higher level of alert.