Although the precise connection between Russian threat group KillNet and the Kremlin remains nebulous, its high-profile, and increasingly effective, cyberattacks continue to align with Russian state interests. And its churning PR campaign is luring fellow cybercriminals, and their skills, into the operation.
A new report out this week from Mandiant finds KillNet’s media branding strategy is working, helping the group to consolidate Russian hacker power under one organization.
As other analysts have noted, beyond mirroring Kremlin interests following the Ukraine invasion, there is little hard evidence of coordination between KillNet and the Russian government. However, in an environment rife with disinformation, facts can be hard to follow, and the Mandiant report comes on the heels of a UK warning about cybercrime mercenaries teaming up with governments to become state proxies.
“North Korea has for some time used cybercrime to steal funds and more recently cryptocurrency,” UK National Crime Agency director Graeme Biggar said in the statement. “The Russian state has long tolerated and occasionally tasked the cybercrime groups on its territory and had links with its oligarchs and their enablers. But over the last year we have begun to see hostile states beginning to use organized crime groups — not always of the same nationality — as proxies. It is a development we and our colleagues in MI5 and CT [counter-terrorism] policing are watching closely.”
KillNet may or may not be part of the phenomenon. “We have not uncovered direct evidence of the [KillNet] collective’s collaboration with, or direction from, the Russian security services, but Russia and many other nations have leveraged proxies in their operations to obfuscate attribution,” Mandiant’s Threat Intelligence Team told Dark Reading in a media statement.
KillNet’s PR Plan to Consolidate Russian Cybercrime
It might be motivated by geopolitical events, but KillNet is a business faced with an increasingly crowded Russian cybercrime sector, so it has a particular focus on differentiating the brand with “legend making” in the press.
In the past, there wasn’t much technological firepower behind KillNet attacks. KillNet’s distributed denial-of-service (DDoS) attacks have been splashy and focused largely on NATO interests in the US and Europe, but did little long-term damage to its targets. That changed in June, when Anonymous Sudan joined the wider KillNet collective for a cyberattack that successfully disrupted Microsoft services. This has allowed the collective to broaden its circle of influence in the cybercrime underground.
“Mandiant assesses with moderate confidence that the collective’s regular creation and absorption of new groups is at least partially an attempt to continue to garner attention from Western media and to enhance the influence component of its operations,” Mandiant said. “Anonymous Sudan’s successful disruption of Microsoft services in June 2023 marked a significant increase in observed capabilities of the KillNet collective, which had previously struggled to impact claimed targets of previous operations.”
Anonymous Sudan emerged in January, and by the following month had joined the KillNet collective, Mandiant’s team tells Dark Reading.
“Even in the short period before this official declaration, Anonymous Sudan displayed overt support for KillNet and its operations,” Mandiant’s statement to Dark Reading explains. “Nearly 50% of Anonymous Sudan’s attacks have been on US, European, and other pro-Ukraine organizations, despite its claimed focus on Sudan’s issues.”
As the KillNet messaging machine churns on, Timothy Morris, chief security advisor at Tanium, tells Dark Reading he expects more Russian hackers will be joining the effort.
“Since KillNet was transformed from a DDoS-as-a-service attack tool to a threat actor group, they have been vocal,” Morris says. “So their PR game is a key component to attempt to instill fear and show their allegiance to Russian objectives. The collective of the affiliates that make up KillNet is also growing. There have been spin-offs, but the support of other DDoS groups, like Anonymous Sudan, has shown that they’ve struck a chord with other groups.”
Can KillNet Back Up the Hype?
Callie Guenther, threat researcher with Critical Start, wonders whether the new boost in KillNet’s capability is, in fact, a sign it’s getting new outside help, such as from the Kremlin. But in any event, she warns that its cybercrime arsenal might soon back up the group’s self-hype.
“It’s clear that KillNet, including its affiliate group Anonymous Sudan, is exhibiting increasingly sophisticated capabilities, suggesting potential backing from more experienced or resourced actors,” Guenther tells Dark Reading in response to the Mandiant report.
“Overall, the developments suggest that KillNet, along with its affiliates, is growing in sophistication and ambition, targeting high-profile organizations like Microsoft and NATO, and consistently aligning with Russia’s geopolitical interests,” Guenther adds. “This points to a more significant threat than a mere PR campaign.”