Share this article on:
Killnet is just one of a wave of pro-Russian hacktivist groups that have sprung up to support Russia’s illegal war in Ukraine, but it has been one of the busiest.
It’s also been one of the more successful operators, with a recent DDOS attack taking down websites belonging to 14 hospitals in the United States on 30 January. The group is considered enough of a threat to healthcare systems that the Health Sector Cybersecurity Coordination Center in the US is monitoring it specifically to watch out for future attacks and operations.
Killnet is also on the radar of the Five Eyes intelligence-sharing alliance, of which Australia is a member.
The group is also responsible for a range of attacks in Europe, most recently against airports and law enforcement agencies in Germany, in response to that country’s promise to send tanks to Ukraine.
However, it is possible to fight back, to a degree, and security ratings company SecurityScorecard is doing just that, by releasing a list of proxy IPs commonly used in Killnet’s DDOS attacks.
The Killnet block list is hosted on GitHub, has an impressive 17,746 IP addresses listed, and is being regularly updated.
“To help organisations better protect themselves, SecurityScorecard has published a list of proxy IPs to help block the Killnet DDoS bot,” the company said in a recent blog post.
Killnet methodology
Killnet, like many such pro-Russian groups, operates largely on Telegram, where its channel has over 92,000 followers. It’s where it works with affiliates and shares techniques and tactics with fans, training some and even recruiting directly.
Targets are also discussed, and any successes are loudly shared.
“A common strategy employed by both Killnet and the Russia-linked DDoS botnet known as Zhadnost is to exploit the vulnerabilities in devices that run on MikroTik routers,” SecurityScorecard notes.
Killnet is thought to have formed around March 2022, and within a month were responsible for attacks on government websites in Romania, Moldova, and the Czech Republic. In May, the group went after a range of targets in Italy, including more government sites and the voting infrastructure for the Eurovision song contest, which Italy was hosting, though this last was unsuccessful.
Lithuania and Norway became targets in June, again to little effect, and then followed with an operation against Latvia, which was the largest DDOS attack the country had ever seen.
Killnet began targeting US sites in August, particularly Lockheed Martin, makers of the HIMARS missile system that was being provided to Ukraine at that time. In September, Japan became a target, and then Killnet turned back to the US, when it began targeting airports and carriers.
With the first anniversary of the war in Ukraine just weeks away, cyber attacks from groups like Killnet are expected to increase, in Europe and abroad.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.