A wave of distributed denial of service (DDoS) cyber attacks that has hit Lithuania in the past week has been claimed by a non-government group of Russian hackers, who say the digital bombardment is in response to a blockade of train routes that serve Kaliningrad with freight.
The Russian hackers call themselves “Killnet” and first made the news in April with declarations of support for Russia’s war efforts and intent to attack critical infrastructure in other countries. The group has been linked to a prior DDoS campaign that attempted to shut down the Eurovision Song Contest website in May, as well as attacks on the government websites of assorted other countries.
Russian hackers go on DDoS spree in Lithuania, hint at partnership with Conti ransomware gang
The shutdown of Lithuanian rail deliveries to Kaliningrad, an isolated province of Russia that sits between Poland and Lithuania on the Baltic Coast, is a result of EU sanctions on the sale of coal and metals to Russia. These items make up 50% of the imports to the province.
The Lithuanian government confirmed cyber attacks on a variety of its websites, and said the country’s tax authority had to temporarily shut down its servers due to DDoS attacks. State and transport institutions and media websites were apparently the prime targets, with some private businesses caught up in the campaign.
For its part, a spokesperson for the Russian hackers said the group plans to continue the cyber attacks until the blockade is lifted and claimed that it had hit 1,652 “web resources” in the country thus far. The DDoS attacks reportedly began on June 21. The biggest wave of cyber attacks came on June 27, with Killnet referring to it as “judgment day.”
The Russian Security Council has yet to take any direct action in response, but issued a statement saying that the blockade would have a “serious negative impact” on Lithuania. Lithuania’s National Cyber Security Centre has warned the country’s population that cyber attacks were likely to continue with a specific focus on the transportation, energy and financial sectors.
The Russian hackers do not have any known connection to the country’s government as of yet; the group styles itself as a “hacktivist” collective acting out of patriotism. The Five Eyes intelligence agencies put the group on the radar in April when they issued a warning about various hacking groups in Russia declaring their intent to digitally volunteer for the war effort by hitting critical infrastructure in Ukraine and the nations providing it with material support. The group was then linked to DDoS attacks on various government websites in Italy, Romania, Moldova and the Czech Republic from late April into May. It also attempted to take down the Eurovision website while the Ukrainian team was performing, but Italian police say that they were able to block the attack.
There is a likely connection to the criminal underground, however, with the Russian hackers posting a June 26 message declaring intent to work with their “friends” from the Conti ransomware gang. Conti is one of the world’s leading “ransomware as a service” groups, in business since 2019 and responsible for a number of major attacks. A leak of internal documents from Conti in February revealed that key members of the group felt a patriotic duty to support the Russian government by conducting independent cyber attacks, something that caused dissension in its ranks. Other ransomware gangs that have openly declared support for Russia have found themselves sanctioned by Western countries, which greatly increases hesitancy to pay among their ransomware victims (who could be fined as much as or more than the ransom payment amount).
Of course, there is also the possibility that Russia is using Killnet as a proxy to deny responsibility and keep from sparking a war with NATO members with its DDoS attacks on governments, as Chris Clymer (Director & CISO at Inversion6) observes: “Russia has a collection of theoretically autonomous groups like Killnet which give it the ability to strike at its enemies while still denying responsibility – not a new tactic. This year alone, Killnet has reportedly targeted Romania, Moldova, Czech Republic, and Italy with Lithuania now added to the list. This harassment will continue, and what’s more interesting is that it doesn’t seem to have targeted the US and major European powers as strongly as first expected. With what we know of internet infrastructure, it’s hard to believe this is because those targets are stronger. Perhaps the Russians are trying to stay focused on targets it feels it can afford to antagonize.”
Cyber attacks by Russian hackers expected to continue as international tension increases
Lithuanian officials say that they have been able to restore services within a short amount of time after the DDoS attacks, with none yet having a major impact. Cyber attacks are expected to continue, however, as long as Lithuania continues to honor its obligations as an EU and NATO member and comply with sanctions. Lithuania says that it has response teams working in shifts 24 hours a day to ensure that the Russian hackers continue to only cause a minimal amount of disruption.
The European Union has stepped in to attempt to calm the emerging crisis, but is struggling to have an impact as Russia and the involved Baltic states continue to squabble over the issue. The European Commission was supposed to issue new guidelines about what cargo and quantities could be delivered to Kaliningrad on June 27, but was forced to delay the decision as NATO members argued about exactly how far the restrictions should go.