Pro-Russian Hacker Group, Killnet, Attacking US Government Sites

PUBLISHED ON October 26, 2022
LAST UPDATED Oct 26, 2022

As the war between Russia and Ukraine rages on, so do the cyberattacks against Ukraine and its NATO allies, including the US. In recent weeks alone, a pro-Russian hacker group has attacked several US government and critical infrastructure entities, including airports.

What We Know 

  • On Wednesday October 5, 2022, the pro-Russian hacker group Killnet claimed responsibility for taking down US state government websites in Colorado, Connecticut, Mississippi, and Kentucky. The sites were temporarily offline because of a DDoS attack.
  • On Monday October 10, 2022, Killnet claimed responsibility for another attack, this time on airports within the US, including Los Angeles International (LAX), Chicago O'Hare, Atlanta, and 13 others. This was also a series of DDoS attacks that temporarily took public-facing websites offline. The attacks did not affect airport operations.
  • On the messaging platform Telegram, Killnet is calling on other hacker groups such as Anonymous Russia and We Are Clowns to attack US critical infrastructure sectors, including logistics facilities, maritime terminals, healthcare, weather services, and subway systems.
  • Killnet has claimed responsibility for attacks on NATO countries including Poland, Italy, Norway and, most recently, Bulgaria. On October 16, 2022, Killnet targeted the websites of Bulgaria's government, including the Presidential Administration, Interior Ministry, Defense Ministry, and others, in retaliation for Bulgaria supplying weapons to Ukraine.

Effect of the Attacks 

While these recent DDoS attacks are disrupting government websites, they are better described as a nuisance than as data breaches or ransomware: a DDoS makes a site unavailable, it does not by itself expose or encrypt data. Even so, all organizations, and critical infrastructure operators in particular, need protections in place and should continuously monitor for signs of attack, including but not limited to bot activity, DDoS traffic, and unusual API traffic patterns.

It's not uncommon for hacking groups to call on others to assist in campaigns against their targets. We see this time and time again, especially with ransomware operators who run Ransomware-as-a-Service (RaaS) programs and recruit affiliates to carry out the intrusions. Whether the motive is financial gain, chaos, or geopolitical cyberwar, attacks are harder to detect and stop when they come from several different actors at once.

The targets Killnet has called for attacks on map to the sectors CISA designates as critical infrastructure. Sustained attacks on those sectors are likely to draw a response from the United States government. We have recently seen prolific ransomware gangs disrupted, their members arrested or indicted, and rewards offered for information leading to the individuals behind the attacks. This bears close watching for further escalation as tensions continue to rise over the war in Ukraine.

Protecting Against Attacks 

Having state-of-the-art DDoS protection is crucial for organizations to identify, defend against, and block attacks. Not every DDoS is volumetric. By abusing flawed business logic or crafting requests that are expensive to serve, such as a wildcard search or a full report export that drives heavy database work, an attacker can exhaust an application with a relatively small volume of normal-looking traffic, which a plain request-rate threshold will not catch. It's important to have a solution that can not only identify suspicious users, but also interact with them, for example by issuing a challenge, to quickly and reliably establish whether they are malicious.
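The paragraph above and the earlier note about monitoring for unusual API traffic both come down to the same point: a low-volume client can still be an attack if each request is expensive. The following is an added example (not ThreatX code, and not drawn from any real incident) that replays a constructed access log, whose format, IP addresses, paths, server timings, and thresholds are all hypothetical, through two sliding-window limiters: one that counts requests, and one that charges each request by the backend time it consumed.

```python
"""
Cost-aware request budgeting for application-layer DoS detection.

Added example, not ThreatX code. The log format, client IPs, paths,
timings and thresholds below are constructed for illustration only.

Each log line: <ts_seconds> <client_ip> <method> <path> <status> <server_ms>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

# Constructed sample traffic (not captured from any real system).
# 198.51.100.5 browses cheap, paginated endpoints.
# 203.0.113.7 sends only four requests, each a wildcard search or a full
# export that costs seconds of database time.
SAMPLE_LOG = """\
0.0   198.51.100.5 GET /api/products?page=1 200 12
3.0   203.0.113.7  GET /api/search?q=%25%25%25&sort=relevance 200 2400
5.0   198.51.100.5 GET /api/products?page=2 200 11
9.5   203.0.113.7  GET /api/search?q=%25a%25&sort=relevance 200 2300
10.0  198.51.100.5 GET /api/products/41 200 9
14.2  203.0.113.7  GET /api/report/export?range=all 200 5100
15.0  198.51.100.5 GET /api/products/42 200 10
20.0  198.51.100.5 GET /api/cart 200 14
21.0  203.0.113.7  GET /api/search?q=%25b%25 200 2250
25.0  198.51.100.5 POST /api/cart 201 31
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<ms>\d+)$"
)


@dataclass(frozen=True)
class Request:
    ts: float        # seconds since the start of the sample
    ip: str
    method: str
    path: str
    status: int
    server_ms: int   # backend time spent serving this request


def parse_log(text: str) -> List[Request]:
    """Parse the constructed log format; reject unknown lines instead of guessing."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        requests.append(Request(float(m["ts"]), m["ip"], m["method"], m["path"],
                                int(m["status"]), int(m["ms"])))
    return requests


class SlidingWindowBudget:
    """Per-client sliding-window budget. `cost` decides what a request is charged:
    a flat 1 gives a request-rate limit, server_ms gives a cost-based limit."""

    def __init__(self, window_s: float, limit: float, cost: Callable[[Request], float]):
        self.window_s = window_s
        self.limit = limit
        self.cost = cost
        self._events: Dict[str, Deque[Tuple[float, float]]] = defaultdict(deque)
        self._spent: Dict[str, float] = defaultdict(float)

    def charge(self, req: Request) -> bool:
        """Charge the request to its client; return True if the client is over budget."""
        q = self._events[req.ip]
        # Forget charges that have aged out of the window (requests arrive time-ordered).
        while q and q[0][0] <= req.ts - self.window_s:
            _, old = q.popleft()
            self._spent[req.ip] -= old
        c = self.cost(req)
        q.append((req.ts, c))
        self._spent[req.ip] += c
        return self._spent[req.ip] > self.limit


def request_rate_limiter() -> SlidingWindowBudget:
    # Hypothetical threshold: more than 30 requests per client per minute.
    return SlidingWindowBudget(window_s=60, limit=30, cost=lambda r: 1)


def server_cost_limiter() -> SlidingWindowBudget:
    # Hypothetical threshold: more than 5 s of backend time per client per minute.
    return SlidingWindowBudget(window_s=60, limit=5000, cost=lambda r: r.server_ms)


def flag_clients(requests: List[Request], limiter: SlidingWindowBudget) -> List[str]:
    """Replay a log through a limiter and return the clients that exceeded it."""
    flagged = set()
    for req in sorted(requests, key=lambda r: r.ts):
        if limiter.charge(req):
            flagged.add(req.ip)
    return sorted(flagged)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("rate-limited:", flag_clients(reqs, request_rate_limiter()))  # []
    print("cost-limited:", flag_clients(reqs, server_cost_limiter()))   # ['203.0.113.7']
```

The request-rate limiter never fires: 203.0.113.7 sends four requests in a minute, well under any sane per-IP threshold. The cost limiter flags it on the third request, when its backend time passes the budget. In practice the cost signal comes from the application's own timing (response latency, query time, or a static per-endpoint weight when timing is not logged), and a flagged client is the right candidate for a challenge rather than an immediate block, since a slow but legitimate user produces the same shape of log.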

In addition, combining DDoS protection with API and application discovery and cataloging (you cannot protect an endpoint you do not know exists), bot mitigation, and real-time attack blocking lets organizations stay ahead of complex and evolving attacks.

For more details on recent DDoS attacks and how to address them, watch the recording of our recent Live Q&A on the subject. 


About the Author

Jeremy Ventura

Jeremy Ventura is a cybersecurity professional who specializes in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security operations center (SOC) operations. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader who can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master's Degree in Cybersecurity and Homeland Security.