Private Russian criminal groups that have declared their support for their country’s invasion of Ukraine have previously said that they would strike at the critical infrastructure of NATO members if Russian infrastructure came under attack. Some of these groups appear to be moving on this threat as a wave of DDoS attacks has disrupted the normal function of the websites of numerous US airports.
The campaign of DDoS attacks has been ongoing in Europe for some time, but expanded to include entities in the US in early October. The strikes on US airports appear to be tied to a larger retaliatory campaign in the wake of a truck bombing of a Crimean bridge that Russia has blamed on Ukraine’s special forces.
“Killnet” moves into action against US airports as Ukraine war escalates
A loose confederation of Russian criminal groups and hackers roughly comparable to the “Anonymous” hacktivist organization, Killnet has been active with sporadic DDoS attacks around the world in support of the Ukraine invasion since at least April of this year. The group took credit for the attacks on US airports, publishing a target list on its Telegram channel.
The DDoS attacks do not appear to have impacted any flights, but have made it difficult for travelers to access the websites of US airports as they go offline temporarily or experience bouts of extremely slow connection speeds. The attacks appear to be focusing exclusively on disrupting access to public-facing websites, with no reports yet of internal network breaches at US airports. Impact on ticket purchases and on flights has been minimal, as airline websites have not been targeted as of yet, but travelers may experience issues with booking airport services or checking flight status.
A number of major international airports reported service interruptions from the DDoS attacks including those in New York City, Atlanta, Chicago, Los Angeles, Denver, Orlando, and St. Louis. The Killnet Telegram target list had 49 US airports and aviation sites in total. The majority of the attacks were conducted on Monday October 10, beginning in the early morning hours in the US.
While the DDoS attacks on US airports appear to have been coordinated in response to the Crimea bridge bombing, beginning not long after retaliatory Russian missile strikes hit Kiev, Killnet has been observed taking shots at US websites since as early as October 5. The group recently undertook a smaller attack campaign that focused on the websites of several state governments, knocking the public-facing sites of Colorado and Kentucky offline for a time.
The Transportation Security Administration (TSA) has said that it is working with airports to assist in remediating any attacks and is monitoring the situation. Andrew Hay, COO at LARES Consulting, notes that this is mostly a matter for content delivery networks and cloud service providers to address: “There was no vulnerability exploited. The attackers simply overwhelmed the servers by flooding the sites with garbage requests – exhausting the server’s resources. Many of the targeted organizations are already utilizing anti-DDoS content delivery networks (CDNs) to mitigate attacks of this nature. Unfortunately, the CDN infrastructure couldn’t prevent the flood of requests.”
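The quote above describes the mechanism plainly: no vulnerability, just more requests than the servers can answer. The following is an added example, not code from the article or from any of the organizations it names, showing what such a flood looks like in an ordinary web server access log and how a per-client sliding-window request count separates it from normal browsing. The log lines, client addresses, window length and threshold are all constructed for illustration; a real deployment would apply this kind of counting at the CDN or load balancer rather than after the fact.

```python
"""
Added example (not from the article): per-client request-rate check over
constructed web server access-log lines in Common Log Format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. 203.0.113.7 browses normally; 198.51.100.21 issues
# many cheap requests with varying query strings in a few seconds (varying
# query strings are also why a cache in front of the site may not absorb them).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:06:01:00 +0000] "GET /flights/status HTTP/1.1" 200 5120
198.51.100.21 - - [10/Oct/2022:06:01:00 +0000] "GET /?q=a81f HTTP/1.1" 200 18330
198.51.100.21 - - [10/Oct/2022:06:01:00 +0000] "GET /?q=0c2e HTTP/1.1" 200 18330
198.51.100.21 - - [10/Oct/2022:06:01:01 +0000] "GET /?q=77d1 HTTP/1.1" 200 18330
198.51.100.21 - - [10/Oct/2022:06:01:01 +0000] "GET /?q=b9aa HTTP/1.1" 200 18330
198.51.100.21 - - [10/Oct/2022:06:01:02 +0000] "GET /?q=5e03 HTTP/1.1" 200 18330
198.51.100.21 - - [10/Oct/2022:06:01:02 +0000] "GET /?q=c4f8 HTTP/1.1" 200 18330
203.0.113.7 - - [10/Oct/2022:06:01:20 +0000] "GET /parking HTTP/1.1" 200 7210
198.51.100.21 - - [10/Oct/2022:06:01:03 +0000] "GET /?q=91be HTTP/1.1" 200 18330
198.51.100.21 - - [10/Oct/2022:06:01:03 +0000] "GET /?q=d02c HTTP/1.1" 200 18330
203.0.113.7 - - [10/Oct/2022:06:01:45 +0000] "GET /flights/status HTTP/1.1" 200 5120
"""

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def peak_request_rates(lines, window_seconds=10):
    """For each client IP, the most requests seen in any sliding window of window_seconds."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["time"])  # log lines can land slightly out of order
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for e in events:
        q = recent[e["ip"]]
        q.append(e["time"])
        # drop timestamps that have fallen out of the window ending at this request
        while (e["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return dict(peak)


def flag_floods(lines, window_seconds=10, max_requests=5):
    """Return {ip: peak_count} for clients whose peak rate exceeds the threshold.

    The threshold is illustrative; a real site sets it from its own baseline.
    """
    rates = peak_request_rates(lines, window_seconds)
    return {ip: n for ip, n in rates.items() if n > max_requests}


if __name__ == "__main__":
    for ip, n in flag_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} requests in a 10s window, above threshold")
```

Against the constructed log this flags only 198.51.100.21, which issues eight requests inside a single ten-second window, while the ordinary client never exceeds one. The count is deliberately per source address: a flood spread across many addresses will not trip a per-client threshold, which is why upstream providers combine this with aggregate rate, geographic and protocol-level signals, and why, as the quote notes, the mitigation is mostly in the CDN's and provider's hands.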
KillNet DDoS attacks rampant, but group has struggled to do more than annoy targets
KillNet is thought to have formed shortly after the Ukraine invasion began; the Five Eyes intelligence coalition issued a public warning about the group after it was spotted attacking government websites in the Czech Republic. The group has since launched sporadic DDoS attacks in Italy, Japan, Norway, Lithuania, Moldova, and Latvia. A subgroup that Killnet refers to as “Cyber Special Forces RF” or “Legion” is responsible for some of these attacks.
Though the vast majority of these incidents are fairly basic DDoS attacks, in August KillNet claimed to have stolen employee files from Lockheed Martin in response to the US supplying artillery rocket systems to Ukraine. The group posted what it claims to be personal information of company employees, but it remains unclear whether the information was actually obtained via a data breach, or whether it is authentic at all.
Some security experts feel that KillNet is much more flash than substance, good at grabbing headlines with its antics but ultimately delivering only relatively minor DDoS attacks that prove to be not much more than a temporary nuisance for victims.
The group has no established connection to the Kremlin, and its focus on relatively low-skill DDoS attacks tends to support that it is a loose “hacktivist” collection working independently out of some sort of sense of patriotism. Other, much more skilled ransomware groups have also declared for Russia in the conflict, but Killnet does not have any clear ties to these either. The group’s interest may be more in obtaining a sort of “folk hero” status in Russia rather than actually having a meaningful impact on the invasion, with actions like the attacks on US airports calculated to keep their name in the news with a relatively minimal amount of effort. The group sometimes appears to spend more time on the videos and memes it uses to promote its attacks than on the attacks themselves.
An act of sabotage committed against a German state-owned rail operator remains a mystery, but is not thought to be associated with Killnet, as it is more sophisticated than anything the group has shown itself capable of to date. Craig Burland, CISO for Inversion6, notes that even though the group may not be particularly serious, it does illustrate a need to anticipate frequent low-level attacks in connection with geopolitical events: “This malicious call to action is a great example of why organizations need to be ever-vigilant in their cybersecurity operations. A focus on cybersecurity isn’t only for when the auditor is coming or after a breach. It’s a 24x7x365 responsibility that we must all own and embrace. We don’t take days off from things like workplace safety or legal due diligence. Cybersecurity is no different especially as we collectively face organizations like Killnet.”