Understanding the Killnet, Russia’s favorite hacktivists


First, on July 27, “Killmilk” — the founder and head of the group, which is pursuing its transformation from a DDoS-for-hire outlet into an ambitious hacktivist group aligned with Russia’s war goals — announced his resignation. The group’s new leader, “BlackSide,” was introduced as an administrator of a Russian hacking forum (most likely the medium-sized Best Hack Forum) with experience in cryptojacking and ransomware operations – an illustrious and creepier-sounding resume than Killmilk’s.

Second, the group announced in parallel that it would launch an attack on Lockheed Martin, the US company that makes the HIMARS rocket launchers, which appear to be making a crucial difference to Ukraine in the war. That alone would not have been news. Killnet has previously been known for closely following the news agenda, usually in an effort to give home audiences a show in cyberspace — something the group’s Kremlin-affiliated media were only too happy to help with.

However, Killnet promised a “different kind” of attacks against Lockheed Martin, one that goes beyond DDoS-ing. On August 4, a Killnet-affiliated group, From Russia With Love, reported a successful attack on Gorilla Circuit, a Lockheed contractor, that allegedly resulted in the exfiltration of 800GB of files.

On August 10, Killmilk claimed to have successfully attacked Lockheed Martin’s authorization infrastructure and obtained files on “all employees” that could not be authenticated. Meanwhile, the media-savvy group continued to spread messages threatening Lockheed employees. In a message, Killmilk said he would “share the data with mules in countries where [the employees] live” so that his associates would attack them. The collective backed up this message with a bunch of English-language (and not very good) memes, one of which we’ve included below.

Third, the group suddenly got involved in an ongoing war between darknet markets over the loot of Hydra Market, a massive drug and cybercrime marketplace that was shut down by German and US law enforcement agencies in April. Killnet openly sided with WayAWay, a resurrected narco forum likely run by former Hydra admins that had attacked another forum, RuTor, and its related market, OMGOMG. Killnet claimed that RuTor — whose users were largely sympathetic to Ukraine after February’s invasion — was taken over by the Ukrainian security service. On August 15, the collective led an effort by various pro-Russian hacker groups to conduct DDoS attacks against RuTor’s infrastructure in exchange for rewards paid out in cryptocurrency.

So how significant are these developments really?

FUDging information
As always, it should be remembered that one of the most important battles of the war in Ukraine is taking place in the minds of the western population, whose support is crucial to maintaining or increasing the level of aid to Ukraine, and in the minds of Russian citizens, Their belief in their country’s eventual victory is crucial to sustaining the war effort amid increasingly severe hardship. And the media-savvy Killnet has played the tool known as FUD — fear, uncertainty, and doubt — very well.

As of August 17, there is no evidence that the group actually filtered out confidential Lockheed Martin employee information or technical documentation. The company denied this happened, and the files released by Killnet and its associates contain no such data.

However, the collective has been very vocal about this attack. The Russian government-controlled media outlet RT published an interview with the group’s representative, who claimed that the allegedly exfiltrated data was “sold on the dark web” and shared with Russian security services. The group then published the interview not only on Russian platforms like VK and RuTube, but also on US fringe platforms known to be used by far-right and conspiracy theorist users, like Rumble, Odyssey and Gab, which appear to cater to Western ones target audiences.

It appears that, true to its new leader’s ransomware-operating background, Killnet is employing tactics increasingly employed by ransomware groups in recent years, with data exfiltration followed by direct pressure on the victim organization’s employees or partners. In this case, threats of physical attack or identity theft against Lockheed Martin employees appear to weaken the company. Killnet members reveled in a drop in the company’s stock price in early August, though it was temporary and insignificant — a classic example of Killnet bragging rights.

Meanwhile, Killnet’s sudden pivot to the lower circles of the Russian-speaking dark web confused even some of his followers, many of whom had no idea what RuTor was. Some happily participated in – or at least cheered for – an attack on a “pro-Ukrainian” forum, while others wondered why they should be spending resources on this attack, or why Killnet wouldn’t hit Russian narco forums instead, given the harmful influence on the Russian population. Despite the attacks, several RuTor darknet and clearnet mirrors remain operational as of August 15.

Be skeptical but be aware
Speaking of mirrors, does that mean Killnet is all smoke and mirrors and not worth the attention of information security officers? Not quite.

Lockheed Martin
First of all, although the collective was keen to increase the scale of its attacks – be it against Lithuanian networks or Lockheed Martin – its communications itself pose a security risk to its targets. His baiting of Lockheed Martin employees in front of its 86,000 Telegram -Subscribers and in likable media may very well increase physical security risks for these employees, even if Killnet has no sensitive data about them.

Tailored to Russia
Second, while Killnet isn’t the only well-known Russian hacktivist group, and not even the most established – Xaknet, a collective Killnet allegedly worked with and may have direct ties to Russia’s security services – its slick branding and aggressive recruitment and media strategy shines through having made it a bridge between multiple groups aligned with the Russian government’s wartime goals, which is itself a risk factor. It is noteworthy that this is the first time that Killnet itself has confirmed that it intends to cooperate with the Russian security services.

Third, in addition to ransomware tactics, Killnet also appears to be copying the tactics of another pro-Kremlin group, RaHDIt, which could be described as fake-and-leak (due to its similarity to hack-and-leak operations), with one group claiming a breach to have carried out successfully and then passes on information of dubious truthfulness.

RaHDIt (short for “Russian Angry Hackers Did It”) claimed to have violated the Ukrainian Military Intelligence Service (GUR) in July, and then made several statements allegedly based on the information exfiltrated from the intelligence service, but without providing any evidence. RaHDIt claimed to have found 2,500 Russians working with Ukraine’s intelligence agency and shared the list with Russia’s special services. In an interview with Russia’s state-run press agency RIA, a RaHDIt member also said the documents showed that US intelligence provided Ukraine with radar data and satellite imagery of areas, including beyond the Russian border, which were then targeted by Ukrainian attacks , resulting in civilian damage and casualties, and that Ukrainian authorities colluded with criminals and smugglers to sell Western weapons on the black market. All three narratives were clearly aimed at intimidating Russian dissidents and undermining Western support for Ukraine. Similarly, Killnet may publish fake information about Lockheed Martin.

development of financial resources
Fourth, Killnet’s sudden interest in the darknet markets war suggests that the collective is looking to tap into the industry’s vast financial resources. The fact that these DDoS-ing RuTor were promised cryptocurrency payouts suggests that the attacks may have been ordered by someone, most likely the administrators of rival forum WayAWay/Kraken. As of August 15, analysts at Flashpoint haven’t seen any significant inflow of funds into any of Killnet’s well-known wallets, but it’s unlikely that the collective – which began as a DDoS-for-hire group – would let such an opportunity pass.

Some Russian cybercriminal groups have expressed their support for Russia in various ways, including its invasion of Ukraine, as in the case of Conti. But this likely and mutually beneficial collaboration between WayAWay – a financially motivated group – and Killnet – an ideologically motivated group – could be the first of its kind since the invasion began in February, and show us the shape of things to come.


About Author

Comments are closed.