Research November 7, 2022

KillNet Operations Against U.S. Targets Persist With Attempted Airport Website Attacks

Executive Summary

  • In October, BleepingComputer reported that the websites of several airports were experiencing service disruptions after KillNet announced that it would target airports throughout the U.S.
  • Researchers leveraged NetFlow data to identify traffic that may reflect a DDoS attack by KillNet.
    • By consulting SecurityScorecard’s internal threat intelligence platform, researchers identified IP addresses that communicated with the targeted websites and appear in our KillNet Bot Blocklist, which is available by request. Given that IP addresses previously linked to KillNet communicated with airport assets during the period of the attack, this may support KillNet’s claim of responsibility.
    • Researchers also identified novel IP addresses that had not previously appeared on the Blocklist but may have participated in the attack. Adding these new IP addresses to blocklists may help organizations defend against other KillNet activity going forward.
  • The interruptions do not appear to have had a meaningful impact on travel to and from the affected airports.
  • SecurityScorecard continues to assess with moderate confidence that KillNet is aware of the limited and temporary operational impact of its DDoS attacks but is likely to continue to conduct them due to their possible impact upon public opinion regarding the security of critical infrastructure.

Recommendations from SecurityScorecard’s Threat Intelligence team:

  • Block the IPs in SecurityScorecard’s KillNet Bot Blocklist, available by request.
  • Critically, put DDoS mitigations in place via a service like Cloudflare, Akamai, or AWS CloudFront. Having only a firewall will not stop the volume of traffic we have observed during previous KillNet DDoS attacks.
  • Be aware that blocking Russian IPs will not stop DDoS attacks. The attacks are coming from open proxies and DNS resolvers located all over the world.
  • Configure DNS resolvers and proxy servers to only accept requests from internal IP addresses and authorized users, unless there is a practical reason not to do so. Much of KillNet’s bot infrastructure relies on open proxies. If all of these services were properly configured, it would be a crippling blow to botnet operators.

Background

In October, BleepingComputer reported that the websites of several airports were experiencing service disruptions after the KillNet threat actor group announced that they would target airports throughout the U.S. As discussed in previous SecurityScorecard research, despite their apparent origins in financially-motivated cybercrime, KillNet has operated like a hacktivist collective since Russia’s invasion of Ukraine, conducting a series of relatively low-sophistication distributed denial of service (DDoS) attacks against targets the group deems anti-Russian. The group recently claimed responsibility for DDoS attacks against a group of U.S. state government websites on October 5 and previously attacked a U.S. airport in March.

The initial report suggested that the attack affected Hartsfield-Jackson Atlanta International Airport (ATL), Los Angeles International Airport (LAX), Chicago O’Hare International Airport (ORD), Orlando International Airport (MCO), Denver International Airport (DIA), Phoenix Sky Harbor International Airport (PHX), and unspecified airports in Hawaii, Kentucky, and Mississippi, given that those airports’ sites appeared to be experiencing interruptions to their accessibility.

KillNet has historically used open proxy IP addresses and publicly available scripts in its attacks. The group is also quite focused on publicity:

  • It cultivates a following through a Telegram channel (which it also uses to encourage followers to conduct DDoS attacks of their own)
  • It makes public announcements to claim responsibility for its attacks
  • In some cases, it claims responsibility for attacks that may not have even happened in an apparent effort to damage the reputation of their supposed victims.

Through their previous analysis of KillNet’s attack scripts, SecurityScorecard’s Threat Intelligence and Research team has been able to compile a master list of IP addresses running open proxies that are likely to be used in KillNet DDoS attacks. This list is available upon request. However, in addition to this established list, SecurityScorecard’s analysis of traffic to the IP addresses hosting the affected airports’ websites yielded a list of additional IP addresses that KillNet may have used; these included IP addresses that appear to have been involved in previous KillNet attacks, most prominently, the October 5 attack on state government sites.

Methodology and Findings

Researchers leveraged NetFlow data to identify traffic from IP addresses that may have been involved with the attack. They first consulted the available public reporting to identify the airport domains KillNet likely targeted. SecurityScorecard was able to identify the specific domains targeted by comparing this list to KillNet’s announcement of their attack, which listed possible targets by state.

Image I: KillNet’s message listing possible target domains by state (from BleepingComputer)

Based on BleepingComputer’s list of possibly affected sites and KillNet’s list of possible targets, SecurityScorecard researchers identified the following domains as the basis for their traffic analysis:

  • Atlanta International Airport (ATL)
    • atl[.]com
  • Los Angeles International Airport (LAX)
    • flylax[.]com
  • Chicago O’Hare International Airport (ORD)
    • flychicago[.]com
  • Orlando International Airport (MCO)
    • orlandoairports[.]net
  • Denver International Airport (DIA)
    • flydenver[.]com
  • Phoenix Sky Harbor International Airport (PHX)
    • skyharbor[.]com
  • Hawaii
    • airports.hawaii[.]gov
  • Kentucky
    • flylouisville[.]com
    • cvgairport[.]com
  • Mississippi
    • jmaa[.]com
    • flygpt[.]com
    • meridianairport[.]com

Researchers then consulted the SecurityScorecard platform’s digital footprint data and publicly available WHOIS records to identify the IP addresses to which the above domains likely resolved during the attack and then queried our NetFlow tool to sample flows to and from each state government website’s IP addresses between October 9 and 10 (the period in which the attacks likely occurred). Finally, they compared the IP addresses that communicated with the state government IP addresses to SecurityScorecard’s established KillNet Bot Blocklist and across different state governments’ traffic samples.

By consulting SecurityScorecard’s internal threat intelligence platform, researchers identified IP addresses from its KillNet Bot Blocklist that communicated with the IP addresses hosting the affected state government websites at the time of the attack. Fifty-two IP addresses from SecurityScorecard’s blocklist also appeared in the traffic samples to the IP addresses hosting the affected airport websites on or around the date of the attacks. Eighty-one IP addresses that communicated with the state government websites targeted in the October 5 attack also communicated with the airport websites targeted in this more recent attack, of which twenty-four also appear in SecurityScorecard’s TOR exit node feed (threat actors often route malicious traffic through TOR). Given that IP addresses previously linked to KillNet communicated with airport assets during the attack, this may support KillNet’s claim of responsibility.

Researchers also identified IP addresses that may have participated in the attack but have not previously been linked to KillNet. They may therefore be novel KillNet-linked indicators of compromise (IoCs). Researchers compared the traffic to and from the different airports’ IP addresses during the period in which the attacks likely occurred (October 9-10, 2022). This comparison enabled researchers to identify thirty-eight IP addresses that communicated with multiple different state government websites’ IP addresses within the same timeframe but did not previously appear in our KillNet blocklist. Of these, other vendors have linked nineteen to malicious or suspicious activity and identified thirteen as TOR exit nodes. As with the master blocklist, these new IoCs are available upon request.
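The comparison described in this section can be sketched for a defender's own flow logs as follows. This is an added example, not SecurityScorecard's tooling: the function name, record layout, and all addresses (RFC 5737 documentation ranges) are constructed for illustration, and the blocklist and TOR feed are stand-ins for whatever lists an organization actually holds.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation ranges); not real indicators.
TARGETS = {"198.51.100.10": "site-a", "198.51.100.20": "site-b",
           "198.51.100.30": "site-c"}          # IPs hosting the monitored sites
BLOCKLIST = {"203.0.113.5", "203.0.113.9"}     # stand-in for an existing bot blocklist
TOR_EXITS = {"203.0.113.9", "192.0.2.77"}      # stand-in for a TOR exit node feed
FLOWS = [  # (ISO-8601 timestamp, source IP, destination IP) flow samples
    ("2022-10-09T14:02:11", "203.0.113.5", "198.51.100.10"),
    ("2022-10-09T14:02:15", "203.0.113.9", "198.51.100.20"),
    ("2022-10-09T14:03:40", "192.0.2.77", "198.51.100.10"),
    ("2022-10-09T14:03:52", "192.0.2.77", "198.51.100.30"),
    ("2022-10-10T01:17:03", "192.0.2.44", "198.51.100.20"),
    ("2022-10-10T01:17:09", "192.0.2.44", "198.51.100.30"),
    ("2022-10-10T02:30:00", "192.0.2.200", "198.51.100.10"),  # one target only
    ("2022-10-12T09:00:00", "192.0.2.201", "198.51.100.10"),  # outside the window
    ("2022-10-12T09:00:05", "192.0.2.201", "198.51.100.20"),  # outside the window
    ("2022-10-09T15:00:00", "not-an-ip", "198.51.100.10"),    # malformed record
]

def triage(flows, targets, blocklist, tor_exits, start, end, min_targets=2):
    """Split sources seen in [start, end) into blocklist hits and novel candidates."""
    seen = defaultdict(set)  # source IP -> set of distinct targets it contacted
    for ts, src, dst in flows:
        # Same-format ISO timestamps compare correctly as strings.
        if dst not in targets or not (start <= ts < end):
            continue
        try:
            src = str(ipaddress.ip_address(src))  # normalise, drop malformed rows
        except ValueError:
            continue
        seen[src].add(targets[dst])
    known = sorted(ip for ip in seen if ip in blocklist)
    # Novel candidates: not on the blocklist, but touched several targets in the window.
    novel = sorted(ip for ip, hit in seen.items()
                   if ip not in blocklist and len(hit) >= min_targets)
    return {"known": known, "novel": novel,
            "novel_tor": [ip for ip in novel if ip in tor_exits]}

if __name__ == "__main__":
    print(triage(FLOWS, TARGETS, BLOCKLIST, TOR_EXITS,
                 "2022-10-09T00:00:00", "2022-10-11T00:00:00"))
```

A source that reaches several unrelated targets in the same window is only a candidate indicator; shared CDNs, crawlers, and uptime monitors produce the same pattern and should be excluded before anything is added to a blocklist.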

Conclusion

The interruptions do not appear to have had a meaningful impact on travel involving the affected airports; subsequent reporting has cited airport officials whose comments highlight the minimal effect of the attacks on airports’ operations. However, as with previous attacks, SecurityScorecard continues to assess with moderate confidence that the KillNet group is aware of the limited and temporary operational impact of its DDoS attacks but is likely to continue to conduct them due to their possible impact on public opinion. KillNet’s behavior has been fairly consistent since the start of the war in Ukraine, and KillNet’s recent messaging has declared their intent to persist in targeting U.S. entities, including critical infrastructure, telling whoever “participated in the liquidation of the United States of America,” “Do not stop!!” The use of “liquidation” may, like its unsubstantiated claim of an attack against Lockheed-Martin, reflect the group’s tendency towards exaggeration, likely in an effort to shake public confidence in its targets. Similarly, even if they only threaten airports’ websites rather than more sensitive internal systems, DDoS attacks against airports are likely intended to heighten the public’s concerns over airport security, especially concerns among a non-specialist audience that may be less capable of distinguishing between disruptions to a website’s service and other threats.