The Russia-aligned KillNet hacktivist group, which has been behind a string of distributed denial of service (DDoS) attacks on Western targets since the outbreak of the Ukraine war, continues to steadily ramp up its capabilities and is likely using newly created or absorbed affiliate groupings to conduct more impactful attacks, but its primary goal likely remains attention-seeking.
This is according to analysis of the group conducted by threat researchers at Google Cloud-backed Mandiant, who said that until recently the KillNet group’s attacks had generated “only shallow impacts lasting short periods of time”.
However, the emergence of new, associated groups – most notably Anonymous Sudan, which is neither anonymous nor Sudanese – is causing more organisations to sit up and take notice, said Mandiant.
“The self-proclaimed hacktivist group Anonymous Sudan appears to have increased KillNet’s capabilities and the group has become the collective’s most prolific affiliate in 2023, conducting a majority of claimed DDoS attacks. Anonymous Sudan has caused significant disruptions at a level not observed by KillNet affiliates previously,” the research team wrote.
By Mandiant’s reckoning, Anonymous Sudan has committed about 63% of the DDoS attacks attributed to the collective this year, followed by UserSec (14%) and KillNet itself (10%).
Most notably, Anonymous Sudan – also tracked as Storm-1359 – was responsible for an extremely successful DDoS attack against Microsoft, which caused service disruptions for users of its Azure, OneDrive and Outlook products at the start of June.
UserSec, meanwhile, was this week held to be behind an incident that saw the websites of Birmingham and London City airports disrupted for a short time.
The KillNet collective has also claimed to have brought on board operatives associated with the REvil ransomware group and posited links with Conti.
Mandiant said the group’s overarching structure, leadership and capabilities were clearly undergoing substantial shifts and seem to be progressing towards a model that includes these newer and higher-profile cyber crime “brands” that act to draw global attention in addition to that drawn by KillNet itself.
According to John Hultquist, chief analyst at Mandiant Intelligence, attention-seeking is, to some extent, the collective’s main goal.
“Pro-Russian hacktivists are really attempting to hack our attention by hitting flashy targets and taking on a number of identities,” Hultquist told Computer Weekly. “They may succeed in carrying out a serious incident, but we have to remember that immediate effects aren’t nearly as important to them as undermining our sense of security.”
Consistent targeting but no proof of Kremlin links
Mandiant said that while KillNet maintained consistent targeting in line with Russian geopolitical objectives, it had not been able to obtain any evidence directly confirming that the group is collaborating with, or being tasked by, the Russian intelligence and security services. However, Anonymous Sudan’s attack on Microsoft may indicate an increase in outside investment, which in turn may suggest firmer ties than previously thought.
“We anticipate that KillNet and its affiliates will continue DDoS attacks and become more brazen in their targeting of organisations,” said the research team.