Security Scorecard

Zhadnost and Killnet : Distant cousins or aligned strangers?

Ryan Slaney, Staff Threat Researcher, Stephen Mondigiung, Senior Staff Threat Researcher, Doina Cosovan, Senior Staff Threat Researcher, Alexander Heid, Chief Research Officer, SecurityScorecard Threat Research & Intelligence
Posted on May 11th, 2022

This blog is the latest in a series dedicated to Zhadnost, a Russia-aligned botnet first discovered by SecurityScorecard in March. Previous Zhadnost-related blog posts can be found here.

Executive Summary

  • SecurityScorecard (SSC) has identified and compiled a master list of thousands of open proxy IPs used by the Russia-aligned cyber group KillNet. Blocking these IPs would mitigate the risk of DDoS attacks from KillNet and similar malicious cyber groups.

  • SSC assesses with moderate confidence that Killnet and Zhadnost are controlled by separate actors based on differences in their TTPs and timing of their attacks.

  • SSC assesses with moderate confidence that the Zhadnost botnet is controlled by the Russian Main Intelligence Directorate (GRU).

  • SSC assesses with medium confidence that KillNet is operating out of Russia, and with low confidence that KillNet is supported, and possibly directly tasked by, the Russian Federal Security Service (FSB).

Outlook

SSC continues to assess with moderate confidence that Zhadnost and KillNet are aware of the limited and temporary impact of their DDoS attacks, yet they will continue to conduct them to harass victims and serve as a reminder and warning that further, more destructive attacks could be next.

Recommendations from SecurityScorecard’s Threat Intelligence team:

  • Block the IPs contained in SSC’s KillNet Bot Blocklist, available by request to [email protected]

  • It is critical to put DDoS mitigations in place via a service like Cloudflare, Akamai, or AWS CloudFront. Having only a firewall will not stop the volume of traffic we have observed during a Zhadnost or KillNet DDoS attack.

  • Furthermore, blocking Russian IPs will not stop DDoS attacks. The attacks are coming from open proxies and DNS resolvers located all over the world.

  • It’s important that DNS resolvers and proxy servers are configured to only accept requests from internal IP addresses and authorized users, unless there is a practical reason not to do so. Zhadnost and KillNet rely on open proxies and DNS resolvers for their bot infrastructure. If all of these services were properly configured, it would be a crippling blow to botnet operators.
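As an added example (not part of the original post or any SecurityScorecard tooling), the following self-check lets a defender confirm from an outside vantage point that their own resolver refuses recursion for unauthorized clients, which is the misconfiguration the recommendation above targets. The resolver address is a placeholder you supply; the query name example.com is only used as a name the resolver is not authoritative for.

```python
import secrets
import socket
import struct

# Hypothetical placeholder: replace with the PUBLIC address of a resolver you operate,
# and run this from outside the network that is allowed to use it.
RESOLVER_UNDER_TEST = "192.0.2.53"


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int) -> str:
    """'open' if the server performed recursion for us, 'closed' if it refused or
    does not offer recursion, 'unknown' for anything else (short/mismatched reply)."""
    if len(resp) < 12:
        return "unknown"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "unknown"
    ra = bool(flags & 0x0080)       # RA: recursion available to this client
    rcode = flags & 0x000F
    if rcode == 5 or not ra:         # REFUSED, or recursion not offered: properly closed
        return "closed"
    if (rcode == 0 and ancount > 0) or rcode == 3:   # resolved (or NXDOMAIN) on our behalf
        return "open"
    return "unknown"


def check_resolver(host: str = RESOLVER_UNDER_TEST, port: int = 53, timeout: float = 3.0) -> str:
    """Send one recursive query over UDP and classify the reply; 'unknown' on timeout."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("example.com", txid), (host, port))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "unknown"
    return classify_response(resp, txid)


if __name__ == "__main__":
    print(f"{RESOLVER_UNDER_TEST}: recursion for outside clients is {check_resolver()}")
```

A result of "open" means the resolver can be abused for the DNS amplification traffic described in this post and its recursion ACL should be restricted to internal ranges.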

Background

Since the beginning of the Russian invasion of Ukraine, SecurityScorecard’s Threat Intelligence and Research team has been tracking a botnet we named ‘Zhadnost,’ which is Russian for ‘Greed’. SSC has released a series of blog posts dedicated to the havoc Zhadnost has wreaked in Ukraine, Finland and elsewhere.

KillNet is now on the scene, but who are they?

As part of our research into Zhadnost, we came across another Russia-aligned cyber group named KillNet. KillNet’s first claim to fame was that it had hacked the website of Anonymous in early March, in response to Anonymous’ DDoS attacks on Russian Government websites, state banks, defense companies, and the social media accounts of Russian politicians. Since then, KillNet has gone on to claim hundreds of attacks against entities in any country it perceives as supporting Ukraine, with the most frequent targets being Romanian, Polish, Czech, and NATO websites.

Image 1: List of Romanian websites targeted by KillNet DDoS attack. (Source: Telegram)

Unlike Zhadnost, KillNet doesn’t make it too difficult to discover its origins. Its first Telegram channel, “WE ARE KILLNET,” was created on January 23. The first several posts contain advertisements and videos for what KillNet describes as a “secure botnet service”. On February 2, KillNet posted it had tested its botnet against the website carding.pro with a cheeky comment “I wonder how soon Pavlovich will turn to GROUP IB.”

Sergey Pavlovich is the owner of the carding.pro website and a self-described former cyber criminal turned author and businessman. Group-IB is a Russian cyber security company which has been licensed by the Russian Federal Security Service (FSB) to process state-secret data since 2013. Group-IB is partly owned by Kirill Androsov, the former deputy chief of staff for Vladimir Putin. In September 2021, Group-IB’s then-CEO, Ilya Sachkov, was arrested by the FSB and charged with treason. He has been in prison ever since.

KillNet’s reference to Pavlovich turning to Group-IB suggests KillNet is aware he has a relationship with Group-IB, and possibly by extension, the FSB, which has a history of providing law enforcement information to help hackers avoid detection by international law enforcement. Given that KillNet chose Pavlovich’s website as its first target, and referenced a possible tie to an FSB-affiliated company, it’s likely that at least one KillNet member has a prior “beef” with Pavlovich. Furthermore, it’s likely that members of KillNet are familiar with the Russian hacking underground, and are likely members themselves.

Image 2: Former Group-IB CEO Ilya Sachkov (left) with Vladimir Putin. (Source: Forbes.com)

Since then, KillNet has moved away from advertising the sale of its botnet service and instead used its Telegram channels to claim credit for dozens of DDoS attacks on U.S., European, and NATO websites. On April 20, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed KillNet as one of several Russia-aligned cybercrime groups which pose a threat to critical infrastructure organizations. KillNet has recently expanded, crediting specific KillNet “Squads” for certain attacks and hacks. It has also openly trolled YouTubers and cybersecurity researchers for publishing videos and articles that KillNet deemed not accurate.

KillNet has called on its squads and followers to conduct DDoS attacks of their own, even providing easy-to-follow instructions. KillNet then specifies the target and port, and instructs its followers and squads to commence the attack. The scripts that KillNet is enticing its followers to run are known DDoS and network stress tools that can be found on GitHub.

The coordination of KillNet attack participants and attack methodologies is similar to how the Anonymous hacking collective organized DDoS attacks during 2010, specifically Operation Payback. At the time, Anonymous-affiliated hackers would communicate via Internet Relay Chat (IRC) and make use of publicly available attack scripts in order to take targets offline. KillNet participants appear to be making use of more modern communication technologies (Telegram instead of IRC), and are using more modern attack scripts, while still harnessing the effective firepower of crowdsourced hacktivism fueled by publicly available attack tools.

Image 3. KillNet Telegram post providing DDoS instructions (Source: Telegram)

SSC analyzed the various scripts advertised by KillNet and discovered that they were all designed to conduct simple DDoS attacks via open proxies. For the DDoS attack to work, the script must first compile a list of open proxy IPs from various URLs. Once the list is complete, the DDoS attack can be launched on any target via the open proxies in the list.

SSC compiled its own list of URLs contained in the various scripts and downloaded all of the IPs that were contained within them. What SSC’s Threat Intelligence and Research team now has is a master list of IPs running open proxies that are likely to be used in KillNet DDoS attacks. Our list will be updated daily and can be obtained upon request from [email protected]. (The direct publishing of the master list could result in KillNet changing their TTPs, thus availability by request makes this less likely.)
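Because the KillNet scripts route their HTTP floods through open proxies, a blocklist like the one described above is most useful when it is actually matched against traffic. The following is an added example (not SecurityScorecard’s code, and the blocklist entries and log lines are constructed samples, not real indicators) that matches web server access-log lines against a blocklist of IPs and CIDRs and flags blocklisted sources exceeding a request threshold.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample blocklist: one IP or CIDR per line, '#' starts a comment.
# A real list (such as the one offered by request above) would replace this text.
BLOCKLIST_TEXT = """\
# open-proxy blocklist (constructed sample)
203.0.113.0/24
198.51.100.7
2001:db8::/32
"""

# Apache/nginx "combined" log format: client IP first, then timestamp and request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def load_blocklist(text: str):
    """Parse blocklist text into ip_network objects (IPv4 and IPv6, host or CIDR)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blocked(ip: str, nets) -> bool:
    """True if `ip` falls inside any blocklist entry; malformed addresses never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def flag_proxy_flood(log_lines, nets, threshold: int) -> dict:
    """Count requests per blocklisted source IP and return {ip: count} for those at/above threshold."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_blocked(m.group("ip"), nets):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [11/May/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/May/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/May/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/May/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.44 - - [11/May/2022:10:00:03 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(flag_proxy_flood(SAMPLE_LOG, load_blocklist(BLOCKLIST_TEXT), threshold=3))
```

In production the counts should be bucketed per time window (for example per minute) rather than over the whole file, so that a slow trickle from a proxy is not confused with a flood.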

Zhadnost vs. KillNet

SSC has discovered some similarities between Zhadnost and KillNet. They both use HTTP flooding and tend to attack websites belonging to entities that are Ukrainian, or openly supportive of Ukraine. Some of the KillNet bots used were also used by Zhadnost; however, that is not meaningful because they are open proxies and can be used by anyone with very little technical skill.

That, though, is where the similarities end.

Zhadnost is known to use DNS amplification in addition to HTTP flooding but SSC has not observed KillNet employing this method. Where no actor has come forward to claim credit for the Zhadnost attacks, KillNet eagerly takes credit for its attacks via its Telegram channel. Zhadnost does not appear to have any social media presence, whereas KillNet has multiple Telegram channels and social media accounts.

Attribution - KillNet

SSC explored the possibility that Zhadnost and KillNet are one and the same. However, our research team came to the conclusion, with moderate confidence, that they are separate groups given the aforementioned differences between their TTPs and the fact that KillNet did not take credit for the specific DDoS attacks SSC attributed to Zhadnost.

For a group that takes credit for every attack, no matter how small the impact, SSC assesses that KillNet would have claimed credit for the Zhadnost attacks if it was indeed responsible for them. SSC assesses with moderate confidence that KillNet has ties to the Russian hacking underground, given its reference to Sergey Pavlovich and Group-IB. It would be odd for a group outside of this community to make this reference. Also, we know the FSB has a history of recruiting from Russia’s underground hacking community. One such case is that of Dmitry Dokuchaev, a prominent Russian hacker who was arrested by the FSB in 2011. In lieu of jail time, Dokuchaev was given a job and the military rank of Major. Now working for the FSB, Dokuchaev acted as a liaison between his new employer and criminal hackers contracted by the FSB. Dokuchaev was indicted by the FBI in 2017 for his role in directing the hackers responsible for the 2014 Yahoo breach. Although safe from US authorities in Russia, Dokuchaev was later arrested by his employer, the FSB, and charged with treason, then sentenced to six years in prison, a fate similar to that of Group-IB CEO Ilya Sachkov. Given these factors, SSC assesses with medium confidence that KillNet is operating primarily out of Russia, and with low confidence that KillNet has support, or direct tasking, from the FSB.

Image 4. FBI “wanted” poster for Dmitry Dokuchaev. (Source: US DoJ)

Attribution - Zhadnost

SSC has cross-referenced the timeline of Zhadnost attacks with various reports released by cyber security companies and government agencies. Our researchers discovered that both the U.S. Government and the UK’s National Cyber Security Agency (NCSA) attributed DDoS attacks on Ukraine’s financial sector on February 15 and 16 to Russia’s Main Intelligence Directorate, or GRU, also known as APT 28, Fancy Bear, and Sofacy. Both agencies cited non-published “technical information” that revealed known GRU infrastructure was seen transmitting a high volume of communications to Ukrainian IP addresses and domains. SSC observed a Zhadnost DDoS attack on the websites of Ukrainian banks Privatbank and Oschadbank on February 15.

It is likely that the NCSA, US Government, and SSC are all referring to the same DDoS attack; therefore SSC assesses with moderate confidence that the Zhadnost botnet is controlled by the GRU. Since the U.S. Government and NCSA did not publish any IoCs associated with their attribution, and the bots we identified are open proxies, SSC cannot determine with 100 percent certainty that Zhadnost and the GRU-attributed attacks are the same. These limitations factored into our confidence rating.

Indicators of Compromise

Please contact [email protected] for IoCs associated with the Zhadnost and KillNet botnets, or with any questions or comments.

SecurityScorecard’s threat intelligence could be the competitive advantage your company needs to stay ahead of today’s fast-moving threat actors. If your company would like to access the expertise of SecurityScorecard’s Threat Research and Intelligence team, please contact [email protected].
