DDoS Attack by Russian Hackers Disrupts Turkey-Syria Earthquake Relief, Other NATO Operations

The Russia-based Killnet hacking collective, which has pledged to involve itself in the Ukraine invasion on the side of the Putin government and has threatened Western targets, has claimed responsibility for recent DDoS attacks against NATO that disrupted a number of its operations. Among these was an earthquake relief program assisting those impacted by the Turkish-Syrian earthquake. The Russian hackers targeted the communications of search and rescue teams among other incursions into a classified NATO network.

Killnet used its Telegram channel to advertise the fact that it is attacking NATO. The group has primarily been known for DDoS attacks thus far, and while prolific these attacks have generally not had much meaningful impact prior to disrupting the earthquake relief efforts.

Russian hackers wield DDoS attacks in volunteer war effort

The Russian hackers threw in their lot with their home country very early in the invasion of Ukraine, and have persistently lobbed DDoS attacks at targets around the world since. The “hacktivist” collective is roughly comparable to Anonymous, but more single-minded in its purpose of supporting the Russian government’s war effort. It has attacked a variety of targets in the US including government agencies, hospitals, banks and airports, but has not amounted to much more than a nuisance to date.

The attack on NATO earthquake relief is probably its most impactful to date in terms of real world damage. The NATO-affiliated Strategic Airlift Capability, which has previously been used to deliver equipment to Ukraine and is currently performing search and rescue in the earthquake’s damage zone, suffered some unspecified damage from the Russian hackers that is thought to have at least slowed the relief efforts. It also disrupted a secured restricted network used by NATO for transmitting classified data.

The DDoS attacks also reportedly took down the NATO Special Operations Headquarters website for about two hours, something more in line with the typical damage the Russian hackers have done in the past. The group has temporarily disabled the public-facing websites of both airlines and hospitals in the US in the past year, but generally does not penetrate farther into networks than that and also generally provides only a short-term outage.

The earthquake relief efforts have been struggling to keep up with a wave of magnitude 4 aftershocks that continued to knock over previously damaged buildings. In total at least 35,000 people have died due to the quakes, and rescuers continue working to find both survivors and remains nearly two weeks after the initial damage from the 7.8 magnitude quake occurred.

Targeting of earthquake relief, hospitals demonstrates willingness to involve civilians

The Russian hackers do not have a direct established connection to the country’s government, and seem to be happy to take advantage of their disaffiliated position to target civilians in ally countries in a way that could spark a much bigger military conflict if tied to an official government action. The group is fresh off a round of DDoS attacks aimed at hospitals in the US and Europe, which the Cybersecurity and Infrastructure Security Agency (CISA) has been providing prevention and recovery aid for. CISA says that only about half of the group’s DDoS attacks are actually managing to knock websites offline for any amount of time, but that these attacks can result in appointment delays or patient records being unavailable for some amount of time.

Similar to Anonymous, Killnet remains tough to pin down as it operates in a decentralized way that allows just about anyone to temporarily participate. The group’s Telegram channel invites anyone aligned with the Russian government to join in with DDoS attacks. A May 2022 arrest of one of its operatives by UK police resulted in calls to shut down ventilator systems in British hospitals until the prisoner was released.

NATO secretary general Jens Stoltenberg has said that the organization has deployed additional cyber defense measures in response to the earthquake relief disruptions. Though this attack was successful enough to make news, it did not ultimately do much to disrupt operations and security analysts widely believe that the group does not have much more capability than was displayed here.

As expected, the Russian government has no official response to the incident, but it is not unreasonable to speculate that the freelancing Russian hackers may be going too far in targeting NATO in this way. Though Russia and Turkey have had recent regional clashes, they also maintain a major trade relationship in spite of Turkey’s NATO membership. Turkey is considered to have good and stable political relations with both Russia and Ukraine, and has played host to numerous negotiations between the two sides.

Any disruption to earthquake relief efforts might lead to Turkish demands for action by the Russian government to rein in these rogue elements. As Avishai Avivi, CISO at SafeBreach, observes: “In this case, the relatively primitive distributed denial of service (DDoS) of NATO disrupted their ability to provide aid missions. This is an upsetting example of how a cyberattack can impact real life. While there was no breach of NATO systems, the fact that their services were disrupted most likely resulted in lost lives in Turkey. We know that Russia opposes NATO and its support of Ukraine, and this can be seen as a retaliatory attack by the Russia-affiliated Killnet. Considering that Turkey is one of the only NATO members still somewhat in support of Russia, this wasn’t the smartest move.”