Executive Summary
On October 5, a cyber incident, for which the Russian-speaking KillNet group claimed responsibility, disrupted the availability of three state government websites.
SecurityScorecard assesses with moderate confidence that the KillNet group is aware of the limited and temporary operational impact of its distributed denial of service (DDoS) attacks, but is likely to continue to conduct them due to their perceived impact on public opinion regarding the security of state governments and critical infrastructure.
- Researchers leveraged SecurityScorecard’s exclusive access to NetFlow data to identify traffic from IP addresses that may have been involved with the attack.
- Pairing this traffic with SecurityScorecard’s internal threat intelligence platform, researchers identified IP addresses contained in our KillNet Bot Blocklist (available by request).
- Researchers also identified novel IP addresses (also available by request) that had not previously appeared on the Blocklist but may have participated in the attack. Adding these new IP addresses to blocklists may help organizations defend against future KillNet activity.
Recommendations from SecurityScorecard’s Threat Intelligence team:
- Block the IPs in SecurityScorecard’s KillNet Bot Blocklist, available by request to our threat intelligence team.
- It is critical to put DDoS mitigations in place via a service like Cloudflare, Akamai, or AWS CloudFront. A firewall alone will not stop the volume of traffic we have observed during previous KillNet DDoS attacks.
- Note that blocking Russian IPs will not stop these DDoS attacks. The traffic comes from open proxies and DNS resolvers located all over the world.
- Configure DNS resolvers and proxy servers to accept requests only from internal IP addresses and authorized users unless there is a practical reason not to do so. Much of KillNet’s bot infrastructure relies on open proxies and DNS resolvers; if all of these services were properly configured, it would be a crippling blow to botnet operators.
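To make the last recommendation concrete, here is an added example (not from the SecurityScorecard post) showing a BIND `named.conf` resolver that answers recursive queries from anyone, beside the corrected form that limits recursion to trusted internal networks. The `10.0.0.0/8` range and the ACL name are placeholders for an organization’s own addressing.

```conf
# Weak configuration: recursion is offered to the whole Internet, so the
# resolver can be enlisted as an open resolver in reflection traffic.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

# Corrected configuration (replace the block above): recursion and cache
# lookups are limited to an ACL of internal networks; all other sources
# receive REFUSED.
acl "trusted" { localhost; localnets; 10.0.0.0/8; };   # placeholder ranges

options {
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};
```

The same principle applies to forward proxies: bind them to internal interfaces, require authentication, and deny by default for any source not in the trusted set. After the change, confirm from an external vantage point that a recursive query for an unrelated domain is refused rather than answered.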
Background
On October 5, a cyber incident disrupted the availability of three state government websites. The Russian-speaking KillNet group claimed responsibility.
As discussed in previous SecurityScorecard research, KillNet began as a financially motivated operation offering a botnet for hire. It has since rebranded as a hacktivist collective, conducting a series of relatively low-sophistication DDoS attacks against targets linked to entities perceived to oppose the Russian invasion of Ukraine. KillNet has historically used open proxy IP addresses and publicly available scripts in its attacks. The group is also quite focused on publicity. It:
- Cultivates a following through a Telegram channel (which it also uses to encourage followers to conduct DDoS attacks of their own)
- Usually makes public announcements to claim responsibility for its attacks
- In some cases, claims responsibility for attacks that may not have even happened, in an apparent effort to damage the reputation of its supposed victims
Through their previous analysis of KillNet’s attack scripts, SecurityScorecard’s Threat Intelligence and Research team has compiled a master list of IP addresses running open proxies that are likely to be used in KillNet DDoS attacks. This list is available upon request. However, in addition to this established list, SecurityScorecard’s investigation into the October 5 attacks against state government websites yielded a list of additional IP addresses that KillNet may have used.
Findings
Researchers leveraged SecurityScorecard’s exclusive access to NetFlow data to identify traffic from IP addresses that may have been involved with the attack. They first consulted the SecurityScorecard platform’s digital footprint data and publicly available WHOIS records to identify the affected state government domains and the IP addresses to which they resolved during the attack. They then queried our NetFlow tool to sample flows to and from each state government website’s IP addresses between October 4 and 5, the period in which the attacks likely occurred. Finally, they compared the IP addresses that communicated with the state government IP addresses against SecurityScorecard’s established KillNet Bot Blocklist and across the different state governments’ traffic samples.
By consulting SecurityScorecard’s internal threat intelligence platform, researchers identified IP addresses from its KillNet Bot Blocklist that communicated with the IP addresses hosting the affected state government websites at the time of the attack. Ninety-four IP addresses on SecurityScorecard’s blocklist also appeared in the samples of traffic to the IP addresses hosting the affected state government websites on or around the date of the attacks. Since IP addresses previously linked to KillNet communicated with state government assets during the attack, this may support KillNet’s claim of responsibility.
Researchers also identified IP addresses that had not previously appeared on the Blocklist but may have participated in the attack and could be novel KillNet-linked indicators of compromise (IoCs). Researchers compared the traffic to and from different state governments’ IP addresses during the period in which the attacks likely occurred (October 4-5). This comparison enabled researchers to identify 114 IP addresses that communicated with multiple different state government websites’ IP addresses within the same timeframe but did not previously appear in our KillNet blocklist. Of these, other vendors have linked a large majority (ninety-eight of 114) to malicious or suspicious activity and identify a smaller majority (seventy-eight) as Tor exit nodes, which threat actors often use to conceal the origins of malicious traffic. As with the master blocklist, these new IoCs are available upon request.
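The two comparisons described in the Findings section (matching sampled flows against the established blocklist, and flagging sources that contacted several states’ hosts in the same window without being on the blocklist) can be reproduced on any NetFlow export. The following is an added example written for this page, not SecurityScorecard’s tooling: the target addresses, blocklist entries, flow records and timestamps are all constructed placeholders (documentation ranges, assumed year), and the real blocklist remains available only by request.

```python
"""Cross-reference sampled NetFlow records with a blocklist and find sources
that hit multiple targets inside the attack window (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed placeholders for the IP addresses hosting each affected site.
TARGETS = {
    "state-a": "203.0.113.10",
    "state-b": "203.0.113.20",
    "state-c": "203.0.113.30",
}

# Constructed stand-in for the KillNet Bot Blocklist (real list: by request).
BLOCKLIST = {"198.51.100.5", "198.51.100.6"}

# Constructed flow sample: (timestamp UTC, src, dst, dst_port). Year assumed.
SAMPLE_FLOWS = [
    ("2022-10-04T23:58:00Z", "198.51.100.5", "203.0.113.10", 443),
    ("2022-10-05T00:01:00Z", "198.51.100.5", "203.0.113.20", 443),
    ("2022-10-05T00:02:00Z", "192.0.2.77",   "203.0.113.10", 443),
    ("2022-10-05T00:02:30Z", "192.0.2.77",   "203.0.113.30", 443),
    ("2022-10-05T00:03:00Z", "192.0.2.88",   "203.0.113.10", 443),  # one target only
    ("2022-10-05T00:04:00Z", "198.51.100.6", "203.0.113.30", 80),
    ("2022-10-03T12:00:00Z", "192.0.2.99",   "203.0.113.10", 443),  # before window
    ("2022-10-03T12:00:00Z", "192.0.2.99",   "203.0.113.20", 443),
]

# Attack window: October 4 through October 5 inclusive (end is exclusive).
WINDOW_START = datetime(2022, 10, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 10, 6, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flows_in_window(flows, start=WINDOW_START, end=WINDOW_END):
    """Keep flows whose destination is a monitored target and whose
    timestamp falls inside [start, end)."""
    targets = set(TARGETS.values())
    kept = []
    for ts, src, dst, port in flows:
        when = parse_ts(ts)
        if dst in targets and start <= when < end:
            kept.append((when, src, dst, port))
    return kept


def sources_by_target(flows):
    """Map each source IP to the set of target labels it contacted."""
    label = {ip: name for name, ip in TARGETS.items()}
    seen = defaultdict(set)
    for _, src, dst, _ in flows:
        seen[src].add(label[dst])
    return seen


def classify(flows, blocklist=BLOCKLIST, min_targets=2):
    """Return (known, novel): sources already on the blocklist, and sources
    not on it that contacted at least `min_targets` distinct targets in the
    window, i.e. candidate new IoCs for analyst review."""
    seen = sources_by_target(flows_in_window(flows))
    known = sorted(src for src in seen if src in blocklist)
    novel = sorted(src for src, hit in seen.items()
                   if src not in blocklist and len(hit) >= min_targets)
    return known, novel


if __name__ == "__main__":
    known, novel = classify(SAMPLE_FLOWS)
    print("on blocklist:", known)      # ['198.51.100.5', '198.51.100.6']
    print("candidate novel IoCs:", novel)  # ['192.0.2.77']
```

The multi-target threshold is what separates a candidate IoC from ordinary background traffic: a single source appearing against one site in a two-day sample proves little, whereas the same source hitting several unrelated state hosts in the same window is the pattern the researchers used. Candidates still warrant enrichment (vendor reputation, Tor exit status) before they are added to a blocklist, as the Findings section describes.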
Note: Direct publication of the master list could prompt KillNet to change its TTPs; making the list available by request makes this less likely.
Don’t hesitate to get in touch with our Threat Intelligence team to learn more about this threat actor or for a copy of the master blocklist and IoCs referenced above.