Killnet

Also known as: Anonymous Russia · Killnet Collective · KillMilk

hacktivist
Nation: 🇷🇺 Russia
Active Since: 2022
Targets: NATO Members, Ukraine Supporters, US Government, EU Government, Healthcare, Financial
Known Tools: Custom DDoS Tools, Botnet Infrastructure, Telegram Coordination, HTTP Flooder, LOIC
MITRE ATT&CK: T1498, T1499, T1491.002, T1590, T1589
References: CISA Killnet Advisory, Mandiant Killnet Analysis, FBI/CISA Healthcare Alert, Reuters Killnet Coverage

Background

Killnet is a pro-Russian hacktivist collective that emerged in early 2022 following Russia's invasion of Ukraine and became one of the most high-profile hacktivist operations of the conflict. The group primarily conducts DDoS attacks against governments, organizations, and infrastructure in countries that support Ukraine or impose sanctions on Russia.

Unlike genuinely independent hacktivist groups, Killnet is widely assessed by Western intelligence agencies and cybersecurity researchers to operate with at least tacit support from the Russian state. The group's target selection closely aligns with Russian government interests, operations are coordinated through Telegram channels with hundreds of thousands of followers, and the group's rhetoric consistently advances Kremlin narratives. The group's founder, known online as "KillMilk," has given media interviews and openly discussed the group's pro-Russian ideology.

Killnet's operations are primarily disruptive rather than destructive — the group conducts DDoS attacks that cause temporary website outages and service degradation but rarely achieve persistent access or significant data theft. The group's symbolic value to Russian information operations often exceeds its actual technical impact: Killnet attacks receive wide media coverage, amplifying the perception of Russian offensive cyber capability during the conflict.

Notable Campaigns

Baltic State Government Attacks (2022): Following Lithuania's blockade of Russian goods transit to Kaliningrad, Killnet launched a series of DDoS attacks against Lithuanian government websites, financial institutions, and critical infrastructure portals, causing temporary outages across dozens of government services.

NATO Website Attacks (October 2022): Killnet claimed DDoS attacks against multiple NATO websites following statements by the NATO Secretary-General on support for Ukraine. While actual impact was limited, the attacks received significant media coverage and were amplified by Russian state media as evidence of pro-Russia hacker capabilities.

U.S. Airport Websites (October 2022): Killnet conducted a coordinated campaign against the websites of major U.S. airports, including Hartsfield-Jackson Atlanta International, O'Hare International, and Los Angeles International. While flight operations were not affected, public-facing websites experienced temporary outages.

Healthcare Sector Campaign (2023): Killnet, in coordination with affiliated groups Anonymous Sudan and REvil, targeted healthcare organizations in the United States and Europe. The campaign claimed attacks against multiple hospital systems and was the subject of a specific HHS alert warning the healthcare sector.

European Parliament Attack (November 2022): Following the European Parliament's vote declaring Russia a state sponsor of terrorism, Killnet conducted DDoS attacks against the European Parliament website, briefly taking it offline.

Tactics, Techniques & Procedures

Killnet's primary technique is volumetric DDoS attacks (T1498, T1499) targeting public-facing websites and web services. Operations are coordinated through a Telegram channel that announces targets, provides attack instructions, and claims credit for successful disruptions. The group uses both volunteer attack tools and a dedicated botnet for higher-volume attacks.

Unlike sophisticated state-sponsored groups, Killnet rarely conducts network intrusions, data theft, or persistent access operations. The collective focuses on sustained DDoS pressure against symbolic targets to generate media coverage and demonstrate Russian cyber activism during the conflict. Attack timing is typically coordinated with geopolitical events, such as NATO meetings, Ukrainian government announcements, or Western sanctions decisions.

The group collaborates with other pro-Russian hacktivist groups, including Anonymous Sudan, XakNet, and NoName057(16), creating a broader ecosystem of pro-Russian hacktivism that presents the appearance of widespread support for Russian positions.

Tools & Malware

  • Custom DDoS Tools: Killnet has developed and distributed proprietary DDoS tools through Telegram, including HTTP flood tools capable of layer 7 attacks against web applications.
  • Botnet Infrastructure: Unlike pure volunteer operations, Killnet maintains a botnet of compromised devices to amplify attack traffic volume beyond volunteer contributions.
  • Telegram Coordination: Killnet's primary operational platform, with channels in both Russian and English for target announcement, coordination, and claim dissemination.
  • LOIC/HOIC Variants: Standard hacktivist DDoS tools distributed to volunteer participants.

Indicators & Detection

Killnet's target selection is largely predictable based on geopolitical context. Organizations in NATO member states, particularly government agencies, healthcare systems, financial institutions, and media outlets, face elevated risk during periods of heightened Russia-Ukraine tensions or Western policy decisions affecting Russia.

DDoS mitigation infrastructure is the primary defense. Killnet's attacks typically generate multi-Gbps volumetric floods targeting web properties, with some layer 7 HTTP flood activity against application endpoints. Deploy CDN-based DDoS protection with sufficient scrubbing capacity. Implement rate limiting, geographic traffic blocking during active attacks, and CAPTCHA challenges on high-value web endpoints.
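
The rate-limiting guidance above, as an added example (not from the original page): a sliding-window detector over web access logs that flags both a single noisy source and a distributed flood in which each botnet member stays under the per-source limit. The function names, thresholds, Combined Log Format input and the constructed sample traffic (documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed input: Combined Log Format, ip - - [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect_floods(lines, window_s=10, per_ip_limit=20, per_path_limit=50, min_sources=10):
    """Return (noisy_ips, flooded_paths) seen in time-ordered access log lines."""
    window = timedelta(seconds=window_s)
    by_ip, by_path = defaultdict(deque), defaultdict(deque)
    noisy_ips, flooded_paths = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ip, path = m.group(1), m.group(3).split("?")[0]
        ts = datetime.strptime(m.group(2), TS_FMT)
        # Per-source sliding window: catches a single high-rate client.
        q = by_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > per_ip_limit:
            noisy_ips.add(ip)
        # Per-endpoint window: many sources, each under the per-source limit, on one URL.
        p = by_path[path]
        p.append((ts, ip))
        while ts - p[0][0] > window:
            p.popleft()
        if len(p) > per_path_limit and len({src for _, src in p}) >= min_sources:
            flooded_paths.add(path)
    return noisy_ips, flooded_paths

def sample_log():
    """Constructed sample traffic using documentation-range addresses."""
    t0 = datetime(2023, 1, 30, 12, 0, 0, tzinfo=timezone.utc)
    events = [(t0 + timedelta(seconds=10 * i), "192.0.2.10", "/") for i in range(5)]
    events += [(t0 + timedelta(seconds=i // 10), "203.0.113.7", "/login?u=%d" % i)
               for i in range(30)]
    events += [(t0 + timedelta(seconds=20 + i % 5), "198.51.100.%d" % (i % 40 + 1), "/search")
               for i in range(80)]
    events.sort(key=lambda e: e[0])
    return ['%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, ts.strftime(TS_FMT), path)
            for ts, ip, path in events]

if __name__ == "__main__":
    print(detect_floods(sample_log()))
```

In the sample, the 40 sources hitting /search send only two requests each, so a per-source limit alone would not flag them; the per-endpoint window does.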

Monitor Killnet's Telegram channels (publicly accessible) for target announcements. Killnet typically announces targets hours to days in advance, giving defenders time to strengthen their mitigation posture. Given the group's primarily symbolic impact, prioritize ensuring DDoS protection is in place over more complex threat hunting activities.
