The founder and leader of the crowdsourced pro-Russian hacktivists Killnet announced his plans to leave the group after an upcoming hack and leak operation against Lockheed Martin.
Killnet is part of a new breed of cyberwarfare that emerged during Russia's invasion of Ukraine. While less surgical and less successful than their opposition equivalent, the I.T. Army of Ukraine, both are civilian groups disrupting non-combat organizations to pressure adversarial nations. Killnet is best known for DDoS attacks against a Connecticut airport, institutions in Lithuania and Norway and the official website of the U.S. Congress, which it took down for around two hours.
"Killnet has said in their statements on their Telegram channel and side channels the founder, KillMilk is moving on to protect the group, which I read as protecting them from law enforcement protection," said Bryce Webster-Jacobsen, director of intelligence operations at threat intel firm Groupsense. "I don't buy that explanation."
The posts point Killnet members to new KillMilk channels where KillMilk claims to be starting a new group, so it does not appear that KillMilk is outright retiring. "Most likely," said Webster-Jacobsen, "This is an attempt to distance himself from international attention being paid to the group after the Lockheed operation — an attempt to distance themselves from the activity and C.Y.A., look out for yourself."
While Killnet is mostly known for DDoS attacks, the Lockheed Martin operation will, the group publically said, be a hack and leak operation. Webster-Jacobsen has not been able to assess that the group has its initial access, but he notes that Killnet leadership are not typically as confident as they seem to be about their potential success without genuine belief they can back it up.
Killnet has announced its new leader will be "BlackSide."
"According to Killnet's official points of contact, BlackSide is the administrator of an unnamed cybercriminal special-access forum, which is allegedly hosted on the Tor network," said a private-sector analyst via email who asked to be kept anonymous to protect sourcing. "They have announced that BlackSide is skilled in ransomware, phishing, and theft from European cryptocurrency exchanges."
"'BlackSide'," that analyst said, "in the context of ransomware, is likely a tongue-in-cheek reference and portmanteau of the 'BlackMatter' and 'DarkSide' ransomware groups."
Because Killnet is crowdsourced from users of varying skill, experts believe there is a strong likelihood that the central strategy of DDoSes against perceived corporate and political infrastructure in nations aiding Ukraine. Killnet, said the analyst who asked to remain anonymous, very often claims responsibility for other groups attacks to create its own mythology. But, that analyst said, the expansive skillset Killnet claims BlackSide has could potentially mean new tactics for the group.
"We could see the integration of network intrusion, database exfiltration, and ransomware deployment tactics, techniques, and procedures into their operations. This is not out of the realm of possibility, as hacktivist and cybercriminal groups such as Network Battalion 65, Anonymous, XakNet, and others have been observed conducting similar activities," that analyst said.
"It is important to note that ransomware deployment is a complicated, multi-step, and time-consuming process. Due to Killnet's affinity for quick wins, it is unlikely that potential ransomware operations will be publicly discussed."
KillMilk is actively recruiting for his new venture.