Killnet Strikes Are Taking Thousands Offline

Albert Howard

Killnet Strikes Are Taking Thousands Offline

Distributed Denial of Service (DDoS) attacks are a growing threat, becoming increasingly weaponized by malicious state actors to bring down critical architecture. Killnet is one such dangerous threat actor, with a proven record of successful hits. What does DDoS mean – and how can you DDoS-proof your own online presence?

What is a DDoS Attack?

To learn how a DDoS attack disrupts the service of entire countries, it’s important to understand the everyday mechanisms that keep a site online. This process is largely dependent upon the website’s hosting server. This server supplies the processing power that, upon a user’s request, delivers the page to your browser. Most companies today do not rely on an in-house server, and instead outsource the physical computing components through a cloud provider.

When one user requests the site, the server’s processor will draw a (relatively tiny) amount of power to deliver it. With a traditional physical server, there is an upper limit to the number of users, before you need to start multiplying server stacks. Scaling this process with a cloud provider is a little simpler, just pay for more processing power. DDoS attacks abuse the scalability of web traffic to massively disrupt, and outright take down their victims’ sites. This is achieved via a botnet, a collection of computers or internet-connected devices that have been infected. Upon the press of a few buttons, a botnet can be aimed at an individual, with each device making multiple requests to the site. User traffic at this scale sees the server being placed under immense amounts of strain – even with scalability measures in place, it’s very common for service to pause entirely.

Note that DDoS attacks don’t even try to breach your security perimeter. Rather, the goal of a DDoS attack is to make your website unavailable to genuine users. 

With how visible DDoS attacks are, they offer highly efficient smokescreens for a wealth of secondary malicious activities, such as breaching your tech stack’s security mechanisms. They also empower malicious organizations to broadcast their message loud and clear. 

DDoS Attacks Have Always Been Political

Dyn is a DNS provider that supplies much of the US. At 11am UTC, on 26th October 2016, the provider was suddenly struck with an attack of unprecedented scale. All of a sudden, sites such as Airbnb, Netflix, PayPal, Visa and Amazon were all struggling to maintain consistent uptime. Throughout the day, surges of fake requests – and subsequent outages – rippled across the continent. The cause was a sudden overload of traffic directed at the DNS provider. Digging deeper, researchers discovered brand-new requests from tens of millions of new IP addresses. 

The mind-boggling scale of this attack was achieved through the Mirai malware. This malicious code seeks out unprotected Internet of Things (IoT) devices – of which there are billions – and compromises them. From there, the infected smart TVs, printers – even baby monitors – are instructed to focus site requests on the attacker’s victim of choice. 

Thanks to the ever-expanding and easy utilization of botnets, DDoS attacks are more powerful than ever. Alongside placing major strain on company websites, political leaders have also learnt the power of crushing vital website utility. 

Killnet: Russian-funded DDoS

Toward the tail-end of February 2022, Russia took its latest step towards a major escalation of the Ukrainian war. As the country launched an attack upon its smaller cousin, the world suddenly became enraptured in the geopolitical fallout. NATO countries took to condemning the attack, bolstering Ukraine’s supplies of weaponry; Russia continued its misinformation campaign of liberating the country from fringe far-right movements. As the war raged and bodies continued to pile up, Lithuania – a close neighbor of Ukraine – partially blocked shipments of products to nearby Kaliningrad, a small Russian city sat between Lithuania and Poland.

On June 25th, researchers observed Telegram chatter surrounding a response by the Russian DDoS group Killnet. The 27th of June was dubbed “judgment day” within the Telegram channel, and – upon the day arriving – Killnet struck. The websites of four Lithuanian airports were crippled, becoming completely unavailable for non-Lithuanian IP addresses. One message stated the group’s absolute dedication to condemning Lithuania’s choice to ban cargo being transported throughout the country, urging the country to withdraw their decision. 

Lithuania promptly ignored the attack, and only a few weeks later, Killnet struck again – this time at the energy supplier Ignitis Group. In what the group claimed was the biggest cyberattack they’d experienced in over a decade, they were stuck with numerous DDoS attacks over two days of chaos. Supply was not interrupted, but Killnet were only getting started. 

Growing Bigger and Bolder

On July 8, the website of the US Congress was briefly brought down. Public access was denied for several hours, and Killnet wasted no time boasting about the attack on Telegram, stating that Congress may have the extra money to bolster Ukraine’s arsenal, “but not enough for its own defenses”. 

Following this high-profile attack, Killnet continued to threaten further attacks on US entities, lavishing particular attention on the country’s energy and financial sectors. They nicknamed the attack “Lithuania 2”, although no such attack has materialized just yet. Other mild attacks include a brief DDoS attack on PayUSATax, which is a third-party provider of tax services for US citizens. 

It’s not just American citizens that have received the sharp end of Killnet’s stick: they’ve recently been taking pot shots at Italian organizations such as Poste Italiane, Italy’s postal service provider, and CSIRT Italy. This sparked pushback from the Italian division of hacker group Anonymous, who publicly released the personal information of some Killnet members.

Protecting Yourself from DDoS Attacks

Thankfully, Killnet’s real-life carnage has been remarkably stunted. This is because of the comprehensive protection from DDoS attacks that is available today. The attacks cannot be stopped, but mitigation processes are vast and varied. 

One highly-applicable form of DDoS protection for sites and servers alike is by a form of network layer mitigation. The key danger of DDoS is in its ability to push your network past its breaking point; to prevent this, once a huge spike of requests is detected, a BGP announcement is made. This re-routes all incoming traffic via a high-traffic scrubbing center. These servers have the capacity to handle gigabytes of traffic, and examine the packets being sent to your site. Only the legitimate traffic is sent onward to your site, allowing for your genuine users to continue uninterrupted.

A high-quality security service provider will guide you through the process of keeping yourself secure, turning Killnet into a mild inconvenience.