Killnet explained in 10 questions

Ferhat Dikbiyik
9 min read · Mar 12, 2023


This article was originally prepared for an interview with a reporter that was later canceled. I have kept the self-interview format to preserve the flow and have updated the answers. The intention of the article is to provide information about the cybercriminal group called KillNet; it is never a glorification of any cybercrime group. The article also covers recommendations for defending against the group’s attacks. The best defense starts with knowing the enemy.

Updated on April 11, 2023, with the group’s ongoing campaign toward NATO. Question number 10 is altered to provide this update.

1. Who is KillNet? Why have they become more widely known?

Killnet was originally the name of a DDoS kit, a cyber weapon used or rented by subscribing cybercriminals. During the Russian invasion of Ukraine, it was presented as a so-called “hacktivist” group by a cybercriminal nicknamed KillMilk.

They started organized DDoS attacks on Ukraine and countries supporting Ukraine. Other subgroups and affiliates, such as Legion, Russia Anonymous, and others, joined their operations. Killnet is now like an umbrella organization that has grown significantly since mid-2022.

CyberKnow created an excellent diagram explaining the history and organizational/affiliation structure of KillNet.

Image source: CyberKnow

2. Can you explain in further detail what DDoS attacks are?

In a DDoS attack, attackers send large numbers of small, legitimate-looking but bogus requests, such as tiny data packets, from thousands if not millions of sources, usually botnets, to a single endpoint on the target system in order to interrupt its services.

Image source: PCMag

Imagine that you order lunch at your home, and some pranksters order hundreds of peanut snacks you are allergic to at the same time from multiple grocery stores in the neighborhood. Peanut deliveries will block your door, and you will not be able to receive the lunch you need. Ultimately, you will have too many peanuts that you cannot consume and no lunch.

For some businesses, DDoS attacks are less harmful than other kinds of attacks, but for industries like healthcare, the interruption of services may cause serious problems. For instance, in the Killnet hitlist, I see the prescription services API endpoint as a target. It means that physicians may be unable to use the prescription system during the attack.

3. What is a botnet?

A botnet is a network of zombie endpoints consisting of millions of computers, laptops, mobile devices, etc. Threat actors trick people into downloading malware that stays idle. During DDoS attacks, this malware sends tiny data packets that the end users cannot feel and do not see as an anomaly, because each one is a legitimate-looking but bogus request to a legitimate endpoint. Botnet operators rent out a portion of their botnets for DDoS attacks.

4. Why has Killnet become infamous for carrying DDoS attacks? What other methods of attack do they conduct?

KillNet, as a pro-Russian state-sponsored threat group, has become well known for its influence on other groups in organizing DDoS attacks. They organize in KillNet’s Telegram channel, which serves not only for cyberattack coordination but also as a propaganda machine. As of March 12, 2023, the Telegram channel called We Are KillNet has more than 90K followers. It seems that they only conduct DDoS attacks, at least under the name of KillNet.

Sometimes they claim to possess sensitive data, but we know that they can exaggerate for the sake of propaganda, and no solid evidence has been provided for the stolen data.

Some side groups, such as Killnet_Spike, also claim data breaches in the name of KillNet. Recently Killnet_Spike announced an alleged breach of a German military contractor providing resources to Ukraine. However, concrete evidence has yet to be provided.

Source: Killnet_Spike Telegram Channel

In the first half of 2022, other criminal groups joined forces with KillNet. They orchestrated attacks on public institutions in Western countries, airports such as Bradley Airport in March, the Eurovision contest, defense contractors, and many others.

They announced they would target the healthcare industry in Western countries, including the US, and published a hit list. The initial list of US targets, published on January 31, 2023, contained 50 organizations in 50 states. They updated the list on February 2 by adding more organizations. There are hospitals right here in Boston on the target list.

Source: KillNet Telegram Channel

Airports are another hot target for KillNet, since DDoS attacks on airports can create delays, ticketing issues, and so on. Eventually, millions of dollars can be lost. On February 16, they claimed responsibility for business interruptions at some German airports and airlines.

Source: KillNet Telegram Channel

KillNet and its DDoS attacks have become more popular because DDoS has become a more accessible tool than other forms of attack. Ransomware groups are another type of state-sponsored cybercrime group. However, moving ransom money around and investing in infrastructure in Western countries became more difficult after the sanctions and law enforcement’s joint operations against ransomware groups such as REvil and Hive. All these things made groups like KillNet more popular.

In fact, there are even scammers who impersonate KillNet, and the group warns its subscribers of such “scams.”

Source: KillNet Telegram Channel

5. What are the widespread implications of a data breach on US healthcare organizations? What types of damages can organizations expect to incur due to these attacks?

When I look at the hitlist of KillNet, I see that the targets are endpoints for specific services. For instance, at the top of the list is a Boston-based hospital, targeted because KillNet thinks that it is, in their words, “the largest military hospital.” The endpoints for this hospital are listed, such as the API endpoint to a third-party diagnostics vendor, or the Identity and Access Management endpoint used by hospital employees to access the systems. So, when attacks are executed on these endpoints, it is possible that doctors cannot get results from the diagnostics vendor or order tests, or they may not even be able to log in to the hospital’s system for a while.

Even the most persistent DDoS attacks last for only an hour or so. That may not seem long, but the impact of the tasks that accumulate during the attack may last much longer.

6. Can you name a few examples of healthcare organizations affected in the last year? What were the damages resulting from these DDoS attacks? How did these organizations recover?

Usually, the damages of DDoS attacks are only visible if customers complain about them. We are aware of the airport attacks because ticketing was impossible and there were too many complaints. Consider the FAA outage in January: even though it was not due to an attack, everybody knew about the situation.

For healthcare, it could be more evident, because healthcare providers may go manual for a while to keep the records and later enter them into the system. But we know that HHS and CISA warn healthcare providers about DDoS attacks and provide advisories.

Usually, DDoS attacks do not result in data breaches, and healthcare providers are not obligated to report them. Sometimes, they do not even know they were attacked; it looks like just another system error. However, we know DDoS attacks can also create a smokescreen to cover other harmful operations behind the scenes. So far, we don’t have any evidence that KillNet runs such covert operations under the cover of its DDoS attacks.

Recovery happens in time, but prevention and preparedness are essential.

7. As the Head of Black Kite Research, is there any activity you are seeing now that might suggest specific organizations may be impacted next? If not, is anything else worth noting about today’s threat landscape?

Killnet may go after public institutions and critical infrastructure, considering their motivations. But I think they will keep targeting healthcare providers for a while, and not just providers but third-party vendors as well. In our Third-Party Data Breach report, where we cover data breaches caused by vendors, we see that the healthcare industry was the most common victim of third-party breaches, accounting for 34% of incidents in 2022, an increase from 2021, followed by finance (14%) and government (14%).

We see that, especially after Covid, the digitalization of healthcare providers has increased rapidly. With every new vendor added to the digital vendor ecosystem, threat actors find new avenues to reach sensitive patient data and interrupt critical services.

Based on Black Kite data, we did DDoS-resiliency research on 1,300 federal and state agencies. In general, resiliency is good. For instance, only 11.5% lack redundancy for DNS servers and 6% for email servers. Only 4% have publicly available BGP ports that can be used for severe DDoS attacks. However, we also see that 67% of agencies run DNS servers that allow amplification, a misconfiguration abused by DDoS attackers like KillNet.

8. What steps can healthcare organizations take to protect themselves from ransomware attacks? What is the single most critical preventative measure, in your opinion?

We have to admit that it is not a fair game. State-sponsored threat actors have automated tools, collaboration within the cybercrime business ecosystem, and money to invest in resources such as staff. Conversely, healthcare organizations have limited cybersecurity budgets and are short of staff. Thus, they need to invest in automated monitoring systems, not just for themselves but also for their vendors, and receive shared information and alerts in collaboration with HHS and CISA.

What can organizations do to prevent or detect a DDoS attack?

  • Get DDoS mitigation services from an Internet Service Provider (ISP), Content Delivery Network (CDN), or Web Application Firewall (WAF) provider.
  • Add known Killnet-related IP addresses to the blocklist to block any traffic originating from these addresses.
  • Place internet-facing entities in a DMZ (Demilitarized Zone).
  • Employ DDoS protection via web bot detection techniques.
  • Monitor your DDoS resiliency and check whether you have any configuration that attackers can use (open DNS resolvers, for example).
  • Configure web servers and APIs with security modules to maintain performance during a web traffic spike.
  • Perform stress tests on all critical services to verify their ability to handle resource exhaustion attacks.
  • Have secondary systems in a different subnet.
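The DDoS pattern described in question 2 (many tiny, well-formed requests from many sources converging on one endpoint) is also what distinguishes it from a single noisy client that ordinary rate limiting handles. The following added example, which is not part of the original article or of any Black Kite tool, buckets constructed access-log lines per endpoint and time window and flags only the windows that are both high-volume and spread across many distinct sources; the log format, thresholds and sample IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (ip, epoch_seconds, path), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["path"]

def detect_distributed_bursts(lines, window=10, min_requests=50, min_sources=20):
    """Bucket requests per (path, window) and flag buckets that are both
    high-volume AND spread over many distinct sources. A single chatty client
    never reaches the source threshold and is left to per-IP rate limiting."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip unparseable lines, do not crash
        ip, epoch, path = parsed
        key = (path, epoch - epoch % window)
        buckets[key][0] += 1
        buckets[key][1].add(ip)
    alerts = []
    for (path, start), (count, sources) in sorted(buckets.items()):
        if count >= min_requests and len(sources) >= min_sources:
            alerts.append({"path": path, "window_start": start,
                           "requests": count, "sources": len(sources)})
    return alerts

def constructed_sample():
    """Constructed log lines (not real traffic): one normal page view, one noisy
    client hammering /login, and a distributed burst on a prescriptions API."""
    ts = "12/Mar/2023:10:00:%02d +0000"
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size}'
    lines = [fmt.format(ip="10.0.0.5", ts=ts % 1, path="/index.html", size=5120)]
    lines += [fmt.format(ip="10.0.0.9", ts=ts % (i % 10), path="/login", size=312)
              for i in range(80)]                      # one source, 80 requests
    lines += [fmt.format(ip=f"198.51.100.{i}", ts=ts % (20 + i % 10),
                         path="/api/prescriptions", size=64)
              for i in range(1, 61)]                   # 60 sources, one endpoint
    return lines

if __name__ == "__main__":
    for alert in detect_distributed_bursts(constructed_sample()):
        print(alert)
```

Only the prescriptions endpoint is reported; the single client making 80 requests to /login is deliberately not, because it is a rate-limiting problem rather than a distributed one.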

9. You mentioned your team’s 2023 Third-Party Breach report. Based on cybercriminal activity from groups like Killnet, were you surprised to discover that healthcare was the most impacted industry?

Honestly, no. Besides the political motivations, threat actors such as KillNet target healthcare providers and their vendors because of the industry’s limited cybersecurity budgets, the personal data and services shared remotely between patients and hospital systems, and outdated software and servers.

10. Can you provide an overview of how Killnet’s attacks on NATO began and share any updates on the current status of these attacks?

Killnet’s attacks on NATO began when the group announced its intentions via its Telegram channel on April 8, 2023. They conducted a poll asking their followers whether they should target NATO and received over 178,000 “Yes” votes. Subsequently, they posted a series of messages indicating their plans to launch a high-impact DDoS attack campaign on NATO targets.

Killnet’s message that initiated the campaign

As for the current status of the attacks, here’s what we know:

  1. Killnet claimed to have paralyzed 40% of NATO’s electronic infrastructure, and some NATO websites were confirmed to be down on April 10, 2023.
  2. The group created a new private Telegram channel to post target lists and organize its DDoS attack campaign, initially focusing on the nato[.]int domain.
  3. The campaign is showing signs of escalation, with a new list of targets posted on April 11, 2023, all located in Belgium, indicating a potential expansion to NATO member countries.

Teri Robinson from Security Boulevard has recently published an article covering the ongoing Killnet DDoS campaign toward NATO. The situation is still developing, and we advise organizations, especially those within critical sectors and NATO member countries, to remain vigilant and ensure their cybersecurity measures are in place.

Thanks for reading. If you enjoyed this article, feel free to hit that clap button 👏 (more than once if you like) to help others find it.
