The following is a Threat Analysis, detailing research performed by on the Killnet hack-for-hire group. Quadrant Security Who Is Killnet? Killnet is a hack-for-hire group with strong, but indirect ties to Russian government strategic goals, primarily utilizing Distributed Denial of Service ( ) as a preferred attack vector. While the group has been limited in impact to date, there are strong indicators that Killnet will continue to develop and escalate their attacks through malicious networking. DDoS Killnet Activity Background Several sources state that KillNet has claimed responsibility for data breaches ranging from a “Government Healthcare Source” to Lockheed Martin. This is NOT an expected outcome of a Denial of Service attack by itself. At the time of writing, there is no direct evidence that indicates how Killnet was able to obtain this information, though one source states brute-force dictionary attacks against public-facing services were observed. This source, however, did not provide a reference. Other analysts suggest that the continued use of DDoS may be to distract and misdirect defensive measures and teams to allow for more detrimental attacks to occur such as Ransomware / Wiper Malware infections. Because of their strong pro-Russian stance, some believe that other pro-Russian groups may come to their aid and target / assist with attacking the Killnet targets. One specific group listed is the Conti Ransomware group. Both Killnet and Conti have announced support for Russia following the invasion of Ukraine. Further, Killnet has publicly stated a desire to unite forces and bring other pro-Russian hacking groups together. Although they maintain several Telegram channels, Killnet has also established a forum of their own for bringing together threat actors. Diving Into Infinity Forum A closer look into the forum shows multiple sections ranging from fundraising for Killnet / Infinity Forum to a functioning store which offers various nefarious activities, including phishing campaigns, stolen credit card information, how to use the stolen data, and much more. Another alarming part of the forum acts as a “wanted” section. One observed post was soliciting for a Wiper Malware developer, stating that they have already compromised a hospital and have escalated privileges. Although the name of the hospital was not disclosed, screenshots indicate the compromised target is Ukrainian. Other comments on similar threads indicate a compromise of an English speaking hospital, stating that VNC was leveraged to view and edit MRI scans. News sections of this forum are filled with pro-Russian propaganda regarding the “SVO” (Spetsialnaya Voennaya Operatsiya == SMO (Eng), Special Military Operation) in Ukraine. Forums such as this would be expected to be found on TOR connections and not over the “open” internet. Some of the forums indicate that a shift to may be expected at the end of the month. TOR Research in Summary Although the threat of DDoS is of some concern, the potential of Killnet’s criminal partnerships to “share targets” is much more alarming. This is compounded by the active threads on the Infinity Forum which indicate recent active breaches. There are strong indicators that KillNet will continue to develop and escalate their attacks through this malicious networking. It is our determination that the largest concern of the KillNet ATP group is the implied evolution of TTP’s to encryption-based malware (Ransomware/Wiper Malware) and the potential for extortion / double extortion attacks or a target's complete loss of data as an end goal. To view / download the full threat analysis details, including Analyst Recommendations, visit: https://quadrantsec.com/blog/threat-analysis-killnet

BREAKING New Threat Analysis: Killnet Hack-for-Hire Group

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

108 Stories To Learn About Cybersecurity Tips

10 Cybersecurity Tips Everyone Should Follow

10 Best Practices for Securing Your API

122 Stories To Learn About Cybercrime

3 Cybersecurity Terms Non-Techies Can Use to Impress a Techy Date

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

108 Stories To Learn About Cybersecurity Tips

10 Cybersecurity Tips Everyone Should Follow

10 Best Practices for Securing Your API

122 Stories To Learn About Cybercrime

3 Cybersecurity Terms Non-Techies Can Use to Impress a Techy Date

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps