
Anonymous Sudan DDoS strikes dominate attacks by KillNet collective


Self-proclaimed hacktivist collective KillNet’s capabilities have grown significantly in the past six months as its largest affiliate, Anonymous Sudan, claimed credit for a wave of distributed denial of service (DDoS) attacks.

KillNet’s affiliates claim their attacks are ideologically motivated, but the collective is widely believed to be aligned with the Russian government and its attacks — including against U.S., Ukrainian and NATO targets — consistently align with Russia’s interests.

In a research report published Thursday by Mandiant, the Google-owned threat intelligence firm identified over 500 distinct victims the KillNet collective has allegedly targeted with DDoS attacks between Jan. 1 and June 20.

During that time, Anonymous Sudan has “become the collective’s most prolific affiliate … conducting 63% of [all KillNet’s] claimed DDoS attacks.” While many DDoS campaigns result in only temporary — often hours-long — disruptions to public-facing websites, the latest round of attacks carried out by Anonymous Sudan has had effects “at a level not observed by KillNet affiliates previously,” the Mandiant researchers said.

It is common for Russian government-linked actors to use “false activist facades” when targeting Western countries and KillNet is likely to continue its DDoS and hack-and-leak operations against states supporting Ukraine, the report said.

“Pro-Russian hacktivists are really attempting to hack our attention by hitting flashy targets and taking on a number of identities,” said John Hultquist, chief analyst, Mandiant Intelligence, Google Cloud.

“They may succeed in carrying out a serious incident but we have to remember that immediate effects aren't nearly as important to them as undermining our sense of security.”

CyberCX expressed similar sentiments last month when it said Anonymous Sudan was set up to create “a smokescreen for Russian interests” by spreading propaganda and disinformation, and tying up Western cyber defense resources.

The significance of an attack on Microsoft

According to Mandiant’s report, recent attacks against Microsoft are a likely indicator of how KillNet and Anonymous Sudan’s capabilities are growing, in part due to what the company suspects is increased support from the Russian government.

Last month, a range of Microsoft services and portals were disrupted, with the company initially denying Anonymous Sudan’s claims that it was responsible. However, it later conceded the outages were the result of DDoS attacks by the threat actor.

“The collective’s apparent significant growth in capabilities, demonstrated by Microsoft’s confirmation…potentially indicates a significant increase in outside investment in the collective, further suggesting a potential tie to the Russian state,” Mandiant said in its report.

“We anticipate that KillNet and its affiliates will continue DDoS attacks and become more brazen in their targeting of organizations.”

Who else is part of KillNet?

Mandiant said KillNet appeared to start in January 2022, the month before Russia’s invasion of Ukraine. The collective currently has at least nine affiliate threat actors in its fold.

KillNet’s structure, leadership and capabilities have changed over the past 18 months as it gained “higher profile affiliate groups intended to garner attention for their individual brands in addition to the broader KillNet brand.”

As well as Anonymous Sudan, current affiliates include Tesla Botnet, KillNet LATAM, Titan Stealer, Anonymous Russia and KillMilk, an actor Mandiant said continued to be a “central coordinator” for the collective despite claiming last year they were leaving KillNet.

One threat group that has left the collective is Zarya, an actor believed to be responsible for breaching an unnamed Canadian oil pipeline. Mandiant said Zarya was previously the most active member of KillNet. It ended its relationship with the collective in October last year after announcing it was rebranding.

In its report, Mandiant said it was unable to validate Zarya’s claimed hacking capabilities or its reported connections to Russia’s Federal Security Service, the FSB. However, the report noted that things were often not as they appeared in the murky world of geopolitical cybercrime.

“Russia has historically used self-proclaimed hacktivist groups as a means to obfuscate its role in operations against Western nations and it is plausible that Zarya or various pro-Russia hacktivists that have risen to prominence since Russia’s invasion of Ukraine may either be cooperating or coordinating with, or a front for, the Russian security intelligence services.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
