Making Sense of the Killnet, Russia’s Favorite Hacktivists

Killnet makes three announcements

The past month seemed to be a turning point for the pro-Russian hacktivist group “Killnet”—and it was very eager to tell the world about it.

First, on July 27, “Killmilk”—the founder and head of the group, who led its transformation from a DDoS-for-hire outlet into an ambitious hacktivist group aligned with Russia’s war goals—announced his resignation. The new head of the group, “BlackSide,” was introduced as the administrator of a Russian hacker forum (most likely the mid-tier Best Hack Forum) with experience in cryptojacking and ransomware operations—a more illustrious and scarier-sounding resume than Killmilk’s.

Second, in parallel, the group announced that it would mount an attack on Lockheed Martin, the US company manufacturing the HIMARS rocket launchers that seem to be making a crucial difference in Ukraine’s favor in the war. This in itself would not have been news. Killnet had been known to closely follow the news agenda before, usually in a bid to provide a show in cyberspace to domestic audiences—something that the Kremlin-aligned media was all too eager to help the group with.

However, Killnet promised a “different kind” of attack against Lockheed Martin, one that goes beyond DDoS-ing. On August 4, “From Russia With Love,” a Killnet-aligned group, announced a successful breach of Gorilla Circuit, a Lockheed contractor, which allegedly resulted in the exfiltration of 800 GB of files.

On August 10, Killmilk claimed to have successfully attacked Lockheed Martin’s authorization infrastructure and obtained files about “all employees.” This is possible, but Killnet has thus far shown little verifiable evidence of it beyond a video and a spreadsheet allegedly containing employee data, the authenticity of which could not be determined. Meanwhile, the media-savvy group continued to put out messages threatening Lockheed employees. In one message, Killmilk said that he would “share the data with mules in countries where [the employees] live” so his associates would attack them. The collective backed up this message with a series of English-language (and not very good) memes, one of which we've included below.

[Image: one of Killnet’s English-language memes aimed at Lockheed Martin employees]

Third, the group suddenly inserted itself into an ongoing war between darknet markets for the spoils of Hydra Market, a gigantic narcotics and cybercrime tool marketplace, which was taken down by German and US law enforcement in April. Killnet openly sided with WayAWay, a resurrected narco forum likely run by former Hydra administrators, which had been attacking another forum, RuTor, and its associated market, OMGOMG. Killnet claimed that RuTor—whose users had been largely sympathetic to Ukraine following the February invasion—was taken over by the Ukrainian Security Service. On August 15 the collective spearheaded an effort of various pro-Russian hacker groups to conduct DDoS attacks against RuTor’s infrastructure, in return for rewards paid out in cryptocurrency.

So how significant are these developments actually?

FUDging information

As always, it is worth remembering that one of the most important battles of the war in Ukraine takes place in the heads of Western populations, whose support is crucial to maintaining or increasing the level of aid to Ukraine, and in the heads of Russian citizens, whose belief in their country’s eventual victory is crucial to sustaining the war effort amid increasingly severe deprivations. And the media-savvy Killnet has been playing the instrument known as FUD—fear, uncertainty and doubt—very well.

As of August 17, there is no evidence that the group indeed exfiltrated sensitive employee information or technical documentation from Lockheed Martin. The company denied that this happened, and the files that Killnet and its associates have released do not amount to such data.

However, the collective has been very vocal about this attack. The Russian government-controlled RT media outlet posted an interview with a representative of the group who claimed both that the allegedly exfiltrated data would be “sold on the darknet” and that it would be shared with the Russian security services. The group then posted the interview not only on Russian platforms such as VK and RuTube, but also on fringe US platforms known to be used by far-right and conspiracy-theorist users, such as Rumble, Odysee and Gab, apparently targeting Western audiences.

It appears that Killnet, true to the ransomware operator background of its new leader, is using tactics increasingly utilized by ransomware groups over the past years, whereby data exfiltration is followed up by direct pressure on the victim organization’s employees or associates. In this case, the threat of physical attacks or identity theft committed against Lockheed Martin employees is apparently supposed to weaken the company. Killnet members rejoiced over a drop in the company’s share price in early August, even though this was temporary and insignificant—a classic example of Killnet bragging.

Meanwhile, Killnet’s sudden pivot towards the lower circles of the Russian-speaking darknet confused even some of its followers, many of whom had no idea what RuTor was. Some were happy to participate in—or at least cheer on—an attack against a “pro-Ukrainian” forum, while others questioned why they should spend resources on this attack, or even why Killnet wouldn’t hit Russian narco forums instead, given their harmful influence on the Russian population. Despite the attacks, as of August 15, several darknet and clearnet mirrors of RuTor remain up and running.

Be skeptical but be aware

Speaking of mirrors: Does this then mean that Killnet is all smoke and mirrors and not worth the attention of information security officers? Not quite.

Lockheed Martin

First of all, even if the collective has been very keen to magnify the size of its attacks—be it against Lithuanian networks or Lockheed Martin—its communication itself represents a security risk for its targets. Its incitement against Lockheed Martin employees in front of its 86,000 Telegram subscribers and in sympathetic media may very well increase physical security risks for these employees, even if Killnet does not have sensitive data about them.

Aligned with Russia

Second, while Killnet is not the only known Russian hacktivist group, and not even the most established one (that would be Xaknet, a collective with which Killnet claims to have collaborated and which may have direct connections to Russia’s security services), its nifty branding and aggressive recruitment and media strategy appear to have made it a bridge between several groups aligned with the goals of the Russian government in the war, which is itself a risk factor. It is notable that this is the first time Killnet itself has confirmed that it intends to cooperate with the Russian security services.

RaHDIt

Third, apart from ransomware tactics, Killnet also seems to copy the tactics of another pro-Kremlin group, RaHDIt, which one could call fake-and-leak (by analogy with hack-and-leak operations), whereby a group claims to have successfully executed a breach and then shares information of doubtful veracity.

RaHDIt (short for “Russian Angry Hackers Did It”) claimed to have breached Ukraine’s military intelligence agency (GUR) in July, and then went on to make several statements allegedly based on the information exfiltrated from the agency, but without providing evidence. RaHDIt claimed to have found 2,500 Russians who are cooperating with Ukrainian intelligence, and shared the list with the Russian special services. In an interview with the Russian state-owned RIA press agency, a RaHDIt member also said that the documents showed US intelligence has been providing Ukraine with radar data and satellite imagery of territory, including across the Russian border, which is then targeted by Ukrainian strikes, leading to civilian damage and casualties, and that Ukrainian authorities collaborated with criminals and smugglers to sell Western weapons on the black market. All three narratives clearly aimed to intimidate Russian dissidents and undermine support for Ukraine in the West. In a similar vein, Killnet may publish fake information about Lockheed Martin.

Tapping into financial resources

Fourth, Killnet’s sudden interest in the war of darknet markets suggests that the collective is eager to tap into the vast financial resources of this industry. The fact that those DDoS-ing RuTor were promised cryptocurrency payouts suggests that the attacks may have been ordered by someone, most likely the administrators of the rival forum, WayAWay/Kraken. As of August 15 Flashpoint analysts have not seen a significant inflow of funds to any of Killnet’s known wallets, but it is unlikely that the collective—which started out as a DDoS-for-hire group—would let such an opportunity pass.

Some Russian cybercriminal groups have voiced support for Russia in various ways, including its invasion of Ukraine, such as the case with Conti. But this likely and mutually beneficial cooperation between WayAWay—a financially-motivated group—and Killnet—an ideologically motivated group—may be the first of its kind since the invasion began in February, showing us the shape of things to come.
