Bonus Read 11/05 - 'Killnet' DDoS affected EuroControl IT systems.

Mid-April saw EuroControl, the organisation tasked with the management of European airspace, come under a sustained distributed denial-of-service (DDoS) attack that Killnet later claimed as their own activity. Killnet, also recently known as ‘Black Skills’, are an independent collective of threat actors sympathetic to, although not officially sponsored by, the Kremlin. They were formed in response to Ukraine’s volunteer cyber-warfare organisation, the ‘IT Army of Ukraine’, at the start of the most recent conflict.


A now-removed statement on EuroControl’s website on 20 April reported:

“Since 19 April, the EUROCONTROL website has been under attack by pro-Russian hackers. The attack is causing interruptions to the website and web availability. There has been no impact on European aviation.”

A spokesperson for the organisation sought to further allay fears with an additional statement confirming that, in line with good cyber security practice, their mission-critical flight systems are separated from operational technologies and the wider Internet, so quite literally air-gapped! While flight systems were unaffected, the attack reportedly prevented over 2,000 employees from accessing internal systems, with a knock-on effect across the business. EuroControl appear to have a strong cyber posture, using Mandiant for their CTI requirements and displaying a high level of awareness and vigilance in their systems and documentation. Only two days before the attack commenced, EuroControl published a guideline document on their website relating to ‘U-Space’ airspace proposals for drone management, an excerpt from which reads:


"The ever-growing risks of cyber-attack are a major factor in this category. U-space is a highly automated and interconnected system, so special care must be taken to reduce its exposure while ensuring its resilience with regard to cyber threats, and so minimise the level of cyber-security risk."

Conversely, a ‘think paper’ also published on their public site back in 2021 raises concerns about the wider industry’s ability to withstand cyber attacks, something that continues to be an issue today.

Killnet’s own Telegram channel later claimed responsibility for the attack, stating “From today, a Eurocontrol marathon is being held, lasting 100 hours”. We know from our own research that the threat group’s modus operandi appears to be destructive and retaliatory attacks against anyone it considers to be an enemy of Russia, specifically those supporting Ukraine at any level. They appear to hold a penchant for the aviation sector, having previously attacked multiple installations across Europe and the USA, notably in October 2022 when they attacked fourteen American airports as well as several state government websites. In August of that year they also struck at Lockheed Martin, apparently in response to the USA’s supply of its HIMARS system to Ukraine. We share the general consensus within the industry that Killnet are a lower-skillset activity group, preferring the low-bar entry method of denial-of-service attacks against their victims and having displayed no evidence of mature TTPs or advanced coding skills. In May 2022 they were themselves victims of a successful attack by the hacking collective ‘Anonymous’, who stated on their official Twitter channel that they had breached Killnet’s internal systems, dumping the user database and later knocking the official website offline.


As with any adversary, that is not to say that they should be underestimated: there is an abundance of evidence of their regular partnerships with more advanced criminal activity groups, as well as their most recent attempt at evolution into ‘Black Skills’, describing the newer entity as a ‘Private Military Hacking Company’, a cyber emulation of the notorious Wagner group. Whether this is a genuine foray into the more lucrative world of cybercrime, or simply political posturing and a desire to gain more acknowledged support from the Russian leadership, remains to be seen.

Due to the brute-force but simply effective nature of a DDoS attack, the options available for mitigation are limited; however, that is not to say there is nothing that can be done. At e2e, we relentlessly collate, curate and disseminate to our partners and customers the best threat intelligence available. This gives us greater visibility of threat actor activity and, crucially, correlations between the data sets that allow us to identify active campaigns and build a holistic intelligence picture, which our teams convert into customer-centric protection layers.


Ensure that you have developed, and regularly war-game, a dynamic Incident Response Plan (IRP) that prepares you for such worst-case scenarios; should one occur, your employees will be well versed in the response actions and therefore less likely to react in panic.

Check the features of your Internet-facing devices: beyond the obvious monitoring capabilities, review their high-availability (HA) and clustering capabilities, and consider implementing load-balanced solutions across multiple, geographically dispersed sites.

Consider CDN and WAF solutions such as Cloudflare, Akamai or Imperva to take the load (and bear the brunt of any attack) while proxying connections back to your networks. These services also provide useful analytics on your web traffic, allowing the cost of the investment to be spread across the business.
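As an added illustration of the monitoring side of the recommendations above (this is example code written for this article, not tooling from e2e, EuroControl or any of the vendors named), the following Python flags minutes of abnormal request volume in web-server access logs and shows why, once traffic is proxied through a CDN, per-source counts must be taken from the forwarded client address rather than the connecting peer. The log lines, baseline and IP addresses are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access-log lines (combined format plus a trailing quoted
# X-Forwarded-For value, as a CDN or reverse proxy adds it). Not real traffic.
QUIET_MINUTE = [
    '203.0.113.10 - - [19/Apr/2023:08:00:01 +0000] "GET / HTTP/1.1" 200 512 "198.51.100.7"',
    '203.0.113.10 - - [19/Apr/2023:08:00:05 +0000] "GET /about HTTP/1.1" 200 900 "198.51.100.8"',
    '203.0.113.10 - - [19/Apr/2023:08:00:09 +0000] "GET / HTTP/1.1" 200 512 "198.51.100.9"',
]
# One minute of flood: every line shows the same proxy address as the peer,
# so only the forwarded client field tells the sources behind it apart.
FLOOD_MINUTE = [
    '203.0.113.11 - - [19/Apr/2023:08:01:%02d +0000] "GET /?r=%d HTTP/1.1" 503 0 "%s"'
    % (i, i, "192.0.2.1" if i < 40 else "192.0.2.2")
    for i in range(60)
]
SAMPLE_LOG = QUIET_MINUTE + FLOOD_MINUTE

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+ "([^"]*)"$')


def parse_line(line):
    """Return (minute, client_ip, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer_ip, ts, status, xff = m.groups()
    minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:%M")
    # Behind a CDN/proxy the first X-Forwarded-For hop is the real client; without it, the peer is all we have.
    client = xff.split(",")[0].strip() if xff not in ("", "-") else peer_ip
    return minute, client, int(status)


def flag_bursts(lines, baseline_rpm, multiplier=5):
    """Return (minute, requests, top_client, top_share, error_ratio) for each minute above baseline_rpm * multiplier."""
    per_min = defaultdict(lambda: {"n": 0, "err": 0, "clients": Counter()})
    for minute, client, status in filter(None, map(parse_line, lines)):
        b = per_min[minute]
        b["n"] += 1
        b["err"] += status >= 500  # 5xx share rises as the origin saturates
        b["clients"][client] += 1
    flagged = []
    for minute in sorted(per_min):
        b = per_min[minute]
        if b["n"] > baseline_rpm * multiplier:
            top, top_n = b["clients"].most_common(1)[0]
            # High top_share: a few sources to rate-limit. Low top_share with high error_ratio: the distributed case a CDN/WAF absorbs.
            flagged.append((minute, b["n"], top, round(top_n / b["n"], 2), round(b["err"] / b["n"], 2)))
    return flagged
```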

We hope you found this article informative. If you have any questions, would like to know more about our services, or have an active situation you require assistance with, please email us – [email protected]


Author: Duncan Wright
