In our new threat briefing report, Forescout’s Vedere Labs uses a list of IP addresses known to have been used by Killnet hacktivists in past attacks to study the group’s TTPs as they attacked a series of honeypots we control. Our research includes:
- Discovery of their preference for brute forcing credentials on TCP ports 21 (FTP), 80 (HTTP), 443 (HTTPS) and 22 (SSH) and their use of SSH tunneling
- Analysis of the Telegram channels associated with the group to confirm their use of mostly L4/L7 DDoS (SYN flood or resource exhaustion via massive amounts of POST/GET requests) and show their point of view on the attacks they have conducted
- Discussion of the emergence of several copycat groups on Telegram and analysis of an example called “Wawsquad”
- A list of IoCs and mitigation recommendations
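Detection logic for the two behaviours listed above, credential brute forcing on the common service ports and L7 GET/POST floods, written as an added example rather than code from the report. It parses OpenSSH `auth.log` failures and combined-format web access logs, flags source addresses that exceed a rate inside a sliding window, and labels the hits against an IoC set. The IoC addresses, log lines and thresholds are constructed for illustration and are not the report’s IoCs.

```python
"""Detect the two Killnet behaviours described above in host logs:
credential brute forcing (sshd failures here) and L7 GET/POST floods.
Added example, not Vedere Labs' code. The IoC list, log lines and
thresholds below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC set (documentation-range addresses, not the report's list).
KNOWN_BAD_IPS = {"203.0.113.10", "198.51.100.7"}

# OpenSSH failure line as written to auth.log (syslog timestamp, no year).
SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
# Apache/nginx combined access log line; only GET/POST are counted.
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) [^"]*" \d{3}'
)


def _parse_syslog_ts(ts):
    # Year-less syslog stamps parse as 1900; only deltas matter here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def _parse_clf_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def _bursting(timestamps, threshold, window):
    """True if at least `threshold` events fall inside some span of `window`."""
    times = sorted(timestamps)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def _events_per_ip(lines, pattern, parse_ts):
    events = defaultdict(list)
    for line in lines:
        m = pattern.match(line)
        if m:
            events[m.group("ip")].append(parse_ts(m.group("ts")))
    return events


def ssh_bruteforce_sources(auth_lines, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with >= threshold sshd password failures inside one window."""
    events = _events_per_ip(auth_lines, SSH_FAIL_RE, _parse_syslog_ts)
    return sorted(ip for ip, ts in events.items() if _bursting(ts, threshold, window))


def http_flood_sources(access_lines, threshold=50, window=timedelta(seconds=10)):
    """Source IPs with >= threshold GET/POST requests inside one window."""
    events = _events_per_ip(access_lines, HTTP_RE, _parse_clf_ts)
    return sorted(ip for ip, ts in events.items() if _bursting(ts, threshold, window))


def classify(ips, known_bad=KNOWN_BAD_IPS):
    """Label each flagged IP by whether it is on the IoC list."""
    return {ip: ("known hacktivist IoC" if ip in known_bad else "unlisted source")
            for ip in ips}


# Constructed sample logs: 8 failed logins in 7 s from an IoC address, one
# stray failure elsewhere; 60 POSTs in 6 s from a second IoC address.
SAMPLE_AUTH_LOG = [
    f"Nov 14 10:00:{s:02d} honeypot sshd[1234]: Failed password for invalid user "
    f"admin from 203.0.113.10 port 4{s:04d} ssh2" for s in range(8)
] + [
    "Nov 14 10:03:30 honeypot sshd[1240]: Failed password for root from 192.0.2.55 port 50001 ssh2",
    "Nov 14 10:04:00 honeypot sshd[1241]: Accepted password for ops from 192.0.2.55 port 50002 ssh2",
]
SAMPLE_ACCESS_LOG = [
    f'198.51.100.7 - - [14/Nov/2022:10:05:{s:02d} +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.28"'
    for s in range(6) for _ in range(10)
] + [
    f'192.0.2.9 - - [14/Nov/2022:10:05:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
    for s in range(0, 60, 15)
]

if __name__ == "__main__":
    flagged = ssh_bruteforce_sources(SAMPLE_AUTH_LOG) + http_flood_sources(SAMPLE_ACCESS_LOG)
    for ip, label in classify(flagged).items():
        print(f"{ip}: {label}")
```

The thresholds are the tunable part: a SYN flood never reaches the web server’s access log, so this only covers the L7 side of the DDoS behaviour, and the FTP and HTTPS brute-force attempts from the report would need the corresponding service logs fed through the same windowing helper.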
What we know about Killnet
Killnet is one of many hacktivist groups that has taken a side in the ongoing Russian invasion of Ukraine. More than 100 groups have conducted cyberattacks since we published our initial analysis at the beginning of the war. Most of the attacks from these groups are distributed denial-of-service (DDoS) attacks, but they also include data breaches, data wipers and psychological operations such as distributing propaganda.
These groups include hacktivists such as Killnet, state-sponsored entities such as Sandworm and ransomware gangs such as Conti. There are currently more than 70 active groups, located mainly in Russia or Ukraine but also in Belarus (Belarusian Cyber Partisans), Turkey (Monarch Turkish Hacktivists), Romania (Anonymous Romania), Poland (Squad303), Portugal (Anon666) and Italy (Anonymous Italia). Their coordination and the communication of their actions usually happens via either Twitter or Telegram.
Killnet stands out as one of the most active groups in this conflict, having declared war on Anonymous, a collective supporting Ukraine, on February 25, 2022. Based in Russia, Killnet supports its country in the war alongside other groups such as Xaknet and, often in joint operations, Legion. Killnet has gained notoriety for DDoSing the websites of western critical infrastructure operators such as airports, banks, energy providers and government agencies. It also spreads propaganda to more than 70,000 members of its Telegram channel. Based on this high level of activity, the group was included in a recent CISA alert and in other reports shared by CERTs and ISACs.
Killnet appears to be a semi-structured organization with effective internal communication. Although the group has had some success in its campaigns, there is no evidence that it develops custom tools or even that it reuses particularly sophisticated tools in its attacks.
How to mitigate hacktivist risks
Forescout recommends that organizations take the following steps to mitigate risks:
- Follow the NCSC-UK’s guide on Denial of Service attacks, which includes understanding weak points in your service, ensuring that service providers can handle resource exhaustion, scaling the service to handle concurrent sessions, preparing a response plan and stress testing systems regularly.
- Monitor the activity of hacktivist groups on Telegram, Twitter and other sources where attacks are planned and coordinated.
- Identify and patch vulnerable IoT devices to prevent them from being used as SSH tunnel endpoints or as part of DDoS botnets.
- Change default or easily guessable passwords on IoT devices.
- Monitor the traffic of IoT devices to identify those being used as part of distributed attacks.
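Keeping an IoT host from serving as an SSH tunnel or brute-force target comes down to a handful of sshd_config directives. The script below is an added example, not Forescout tooling: it audits a config for those directives, with a constructed weak config beside a hardened one. It relies on OpenSSH’s documented rule that for each keyword the first obtained value wins, so a hardening line appended below an earlier permissive one changes nothing, and it only evaluates the global section before any `Match` block. The defaults table follows sshd_config(5).

```python
"""Audit an sshd_config for the settings that let a compromised IoT host act
as an SSH tunnel or be password brute-forced. Added example, not Forescout's.
sshd uses the FIRST occurrence of each keyword, so ordering matters."""
import re

# Directive -> (hardened value, why it matters). Keywords are case-insensitive.
WANTED = {
    "allowtcpforwarding": ("no", "port forwarding turns the device into a tunnel/pivot"),
    "gatewayports": ("no", "remote forwards bound to all interfaces expose the tunnel"),
    "permittunnel": ("no", "tun(4) tunnels give layer-3 access through the device"),
    "passwordauthentication": ("no", "password auth is what the observed brute forcing hits"),
    "permitrootlogin": ("no", "root is the first account in every brute-force list"),
}
# Values sshd assumes when a directive is absent (sshd_config(5) defaults).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def effective_settings(config_text):
    """Global-section keywords with the value sshd would actually use.

    First occurrence wins; parsing stops at the first Match block, whose
    directives are conditional and outside this audit's scope."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return seen


def audit(config_text):
    """Return (directive, effective value, hardened value, reason) for each gap."""
    settings = effective_settings(config_text)
    findings = []
    for key, (wanted, reason) in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append((key, actual, wanted, reason))
    return findings


# Constructed sample: a vendor default with "hardening" appended by a script.
# The appended lines are ignored because the earlier permissive ones win.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
# appended later, has no effect:
PermitRootLogin no
AllowTcpForwarding no
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for key, actual, wanted, reason in audit(cfg):
            print(f"  {key}={actual} (want {wanted}): {reason}")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check after editing; this script exists to explain why an appended fix can fail that check. Devices whose firmware ships Dropbear rather than OpenSSH need the equivalent options on its command line instead.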
For more information and technical analysis, read the full report.