Threat Analysis: Killnet
Who Is Killnet?
Killnet is a hack-for-hire group with strong but indirect ties to Russian government strategic goals, primarily utilizing Distributed Denial of Service (DDoS) as its preferred attack vector. While the group's impact has been limited to date, there are strong indicators that Killnet will continue to develop and escalate its attacks by networking with other malicious actors.
Killnet Activity Background
Several sources state that Killnet has claimed responsibility for data breaches ranging from a “Government Healthcare Source” to Lockheed Martin. This is NOT an expected outcome of a Denial of Service attack by itself. At the time of writing, there is no direct evidence that indicates how Killnet was able to obtain this information, though one source states that brute-force dictionary attacks against public-facing services were observed. This source, however, did not provide a reference.
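The brute-force dictionary attacks mentioned above are the one initial-access technique the reporting attributes to Killnet, and they are also the easiest to spot in authentication logs. The following is an added detection example written for this page, not code from the original report or from any source it cites; it runs over a handful of constructed OpenSSH auth.log-style lines (the host names, IP addresses and user names are invented, and the log year is assumed to be 2023 because syslog timestamps omit it) and flags a source IP that accumulates a threshold of failed logins inside a sliding time window, distinguishing many-usernames spraying from repeated guessing against one account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH auth.log style (illustrative only,
# not taken from the report or from any real incident).
SAMPLE_LOG = """\
Jan 12 03:14:01 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 12 03:14:02 web01 sshd[2210]: Failed password for invalid user root from 198.51.100.23 port 51023 ssh2
Jan 12 03:14:02 web01 sshd[2210]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2
Jan 12 03:14:03 web01 sshd[2210]: Failed password for invalid user test from 198.51.100.23 port 51025 ssh2
Jan 12 03:14:03 web01 sshd[2210]: Failed password for invalid user guest from 198.51.100.23 port 51026 ssh2
Jan 12 03:14:04 web01 sshd[2210]: Failed password for invalid user postgres from 198.51.100.23 port 51027 ssh2
Jan 12 03:20:10 web01 sshd[2290]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Jan 12 03:20:20 web01 sshd[2290]: Accepted password for alice from 203.0.113.7 port 40002 ssh2
Jan 12 04:00:00 web01 sshd[2300]: Failed password for bob from 192.0.2.9 port 40010 ssh2
Jan 12 04:30:00 web01 sshd[2300]: Failed password for bob from 192.0.2.9 port 40011 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Failed/Accepted password for X from IP" forms emitted by sshd.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_auth_lines(text, year=2023):
    """Return (timestamp, result, user, source_ip) tuples for every sshd
    password-auth line; the year is an assumption because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Raise one alert per source IP whose failed logins reach `threshold`
    inside any `window`-long sliding interval. The distinct-user count tells
    a username spray (dictionary of accounts) apart from password guessing
    against a single account."""
    failures_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures_by_ip[ip].append((ts, user))

    alerts = []
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0  # left edge of the sliding window
        for i, (ts, _user) in enumerate(fails):
            while ts - fails[start][0] > window:
                start += 1
            count = i - start + 1
            if count >= threshold:
                users = {u for _, u in fails[start:i + 1]}
                alerts.append({
                    "ip": ip,
                    "first_seen": fails[start][0],
                    "last_seen": ts,
                    "failures": count,
                    "distinct_users": len(users),
                    "pattern": "username spraying" if len(users) > 1 else "password guessing",
                })
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_lines(SAMPLE_LOG)):
        print(alert)
```

The slow attempts from 192.0.2.9 (two failures thirty minutes apart) stay below the window threshold, which is the expected blind spot of a fixed-window rule; lowering the threshold or widening the window trades that miss against noise from ordinary typos, so the two parameters are the knobs a SOC tunes per service.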
Other analysts suggest that the continued use of DDoS may be to distract and misdirect defensive measures and teams to allow for more detrimental attacks to occur such as Ransomware / Wiper Malware infections.
Because of their strong pro-Russian stance, some believe that other pro-Russian groups may come to their aid by targeting, or assisting Killnet in attacking, Killnet's chosen targets. One specific group listed is the Conti ransomware group. Both Killnet and Conti have announced support for Russia following the invasion of Ukraine. Further, Killnet has publicly stated a desire to unite forces and bring other pro-Russian hacking groups together. Although they maintain several Telegram channels, Killnet has also established a forum of their own for bringing together threat actors.
Diving Into Infinity Forum
A closer look into the forum shows multiple sections ranging from fundraising for Killnet / Infinity Forum to a functioning store which offers various nefarious activities, including phishing campaigns, stolen credit card information, how to use the stolen data, and much more.
Another alarming part of the forum acts as a “wanted” section. One observed post was soliciting a wiper malware developer, stating that the poster had already compromised a hospital and escalated privileges. Although the name of the hospital was not disclosed, screenshots indicate the compromised target is Ukrainian. Other comments on similar threads indicate a compromise of an English-speaking hospital, stating that VNC was leveraged to view and edit MRI scans.
News sections of this forum are filled with pro-Russian propaganda regarding the “SVO” (Spetsialnaya Voennaya Operatsiya, the Russian term for the “Special Military Operation”, or SMO) in Ukraine. Forums such as this would be expected to be found on TOR and not on the “open” internet. Some threads on the forum indicate that a shift to TOR may be expected at the end of the month.
Research in Summary
Although the threat of DDoS is of some concern, the potential of Killnet’s criminal partnerships to “share targets” is much more alarming. This is compounded by the active threads on the Infinity Forum which indicate recent active breaches. There are strong indicators that Killnet will continue to develop and escalate their attacks through this malicious networking.
It is our determination that the largest concern regarding the Killnet APT group is the implied evolution of its TTPs toward encryption-based malware (ransomware/wiper malware) and the potential for extortion / double-extortion attacks, or a target's complete loss of data, as an end goal.