Intelligence Report

lightbulb_outline Actor Profile: "Killnet"

October 18, 2022

October 18, 2022, Updates:

• Executive Overview (updated)
• Killnet and Killmilk (updated)
• Cyber Spetsnaz/Cyber Intelligence (updated)
• Killnet Structure (updated)
• TTPs (added)
• IP Addresses (added)
• Finances (updated)
• Cyber Spetsnaz/Cyber Intelligence Structure and Operation (updated)
• October Attacks on US Websites (added)

EXECUTIVE OVERVIEW
[Contents]
“Killnet” is a likely Russia-based financially and ideologically motivated threat group. The group
emerged in October 2021 and offered for-hire distributed denial-of-service (DDoS) attacks.
Following Russia’s February 2022 invasion of Ukraine, however, the collective started
conducting, threatening, and taking responsibility for attacks on networks in Ukraine and in
countries seen as supporting Ukraine. The group openly pledged allegiance to Russia,
particularly in the context of the war, and stated its disdain toward NATO and Western
weapons shipments to Ukraine. [1]
Killnet labels itself a decentralized, uncontrolled “army of cyber partisans” spread around the
world. It is unclear how many individuals operate the group’s main Telegram channel, but one,
“Killmilk,” appears to be the group’s founder. [2]
Since February 2022 Killnet has targeted both state-owned and private websites and
networks in countries that provide assistance to Ukraine or have supported sanctions against
Russia, often following such a decision. The group has also perpetrated hack-and-leak attacks
against Ukrainian systems.
10/18/22: In October 2022 Killnet conducted DDoS attacks on US targets, including
government and airport websites.

Background
• Killnet and Killmilk (updated 10/18/22)
• Goals and Targets (added 7/18/22)
• Cyber Spetsnaz/Cyber Intelligence (updated 10/18/22)
Methods of Operation
• Killnet Structure (updated 10/18/22)
• TTPs (added 10/18/22)
•Finances (updated
IP Addresses (added 10/18/22)
• Cyber Spetsnaz/Cyber 10/18/22)
• Operation (updated 10/18/22)Intelligence Structure and

•Communication (updated
Zarya Subgroup and H45H13 (added 6/28/22)
• 6/28/22)
• Image
Notable Attacks
• KillnetOctober
Attacks
• Attacks onAttacks on US Websites (added 10/18/22)
• Earlier Attacks (updated
Lithuania and the US (added 7/18/22)
•Cyber Spetsnaz Attacks (added 7/18/22)
• Expanding Operations 6/28/22)
 •
Assessment
Key Indicators
Citations
Change Log

BACKGROUND
KILLNET AND KILLMILK (updated 10/18/22)
[Contents]
The founder and chief of “Killnet,” “Killmilk,” has been active on the forum RuTor since October
2021. The user claims to have run various schemes since they were fourteen years old and
extorted money out of “pedophiles” online (although in context, the word can also refer to
closeted gay men). They claim to have started attacking foreign websites in 2019, but quickly
lost their earnings on cryptocurrencies. In November 2021 Killmilk offered “brotherly” DDoS
services with an intensity of 200 GB per second, suggesting that at that point they already had
access to a botnet.
Killmilk refers to themselves as an “ordinary person from Russia” whose grandfather died in
Ukraine while fighting the “Banderovtsi” (Banderites), the followers of Ukrainian nationalist
leader Stepan Bandera.  
Flashpoint analysts observed the first ads posted by the group “Killnet” about the group’s for-
hire distributed denial-of-service (DDoS) service in January 2022 on various Russian-language
illicit forums. Following Russia’s February 2022 invasion of Ukraine, however, the collective
started conducting, threatening, and taking responsibility for attacks on networks in Ukraine
and in countries seen as supporting Ukraine.
As regards to financing, Killnet denies being connected to or financed by state-backed entities
and claims to be financed by “enthusiasts and patriots.” [3] It maintains relations with the pro-
Russian threat group “Legion.” Information on additional groups Killnet has influenced can be
found in the report “Small Pro-Kremlin Hacktivist Groups Active in the War against Ukraine.”
10/18/22: Killnet actively seeks additional support for its activities. For example, on
September 15, 2022, a representative from the group posted in the Telegram supergroup
“KILLNET ЧАТ 💎” (Killnet Chat) to recruit new members. The group was apparently scouting
members with various skill sets, including coders, network engineers, penetration testers,
system administrators, and social engineers. They also provided the Telegram handles
“@fadeone,” “@ahrenitivs,” and “@svenuh” as methods of contact.

GOALS AND TARGETS (added 7/18/22)

[Contents]
Killnet’s attack coordination takes place in real time on the group’s main Telegram channel,
previously “WE ARE KILLNET ✪” and currently “WE ARE KILLNET.” It has also been echoed in
Killnet’s wider community, such as in the supergroup “KILLNET ЧАТ 💎.” It appears that Killnet
often reacts to the news cycle and targets countries that the pro-Kremlin Russian media
designates as unfriendly or enemy. This and the fact that Killnet actively seeks media
exposure through interviews in the pro-Kremlin media and its house-produced propaganda
material suggests that one of the group’s main goals is to influence the domestic perception of
Russia’s position in the cyber realm of the war.
While no operational connection between Killnet and Russian state structures has been
proven, the group’s goals certainly align with the Russian government’s. On June 29, 2022, it
was reported that Mandiant found possible links between the Kremlin and Russian cyber
threat groups targeting Ukraine. [4]

CYBER SPETSNAZ/CYBER INTELLIGENCE (updated 10/18/22)

[Contents]
“Cyber Spetsnaz” is a threat group that appeared in April 2022 and styled itself as an elite
cyber offensive group targeting NATO members and their allies, including NATO
infrastructure. “Spetsnaz” is a term used to describe elite commando units in the Russian
military, primarily units of the GRU, Russia’s military intelligence.
Cyber Spetsnaz is associated with and shares goals with Killnet. It sometimes appears to be a
separate group—for example, Killnet associates have discussed Cyber Spetsnaz activity as
that of a separate threat actor on the Telegram channel “Killnet Rezerv.” However, Cyber
Spetsnaz often identifies itself as a part of Killnet.
Cyber Spetsnaz started recruiting in pro-Russia Telegram channels and groups in late April
2022. It identified itself as “a volunteer movement of cyber talent specializing in DDoS” and “a
Killnet project.” It also offers DDoS training for its affiliates.
10/18/22: In August 2022 Killnet renamed “Cyber Spetsnaz” as “Cyber Intelligence.” This likely
signaled a new place for the group in Killnet’s operational structure: investigating potential
targets and preparing attacks.

METHODS OF OPERATION
KILLNET STRUCTURE (updated 10/18/22)
[Contents]
In an interview with the Russian news site Lenta, Killmilk claimed that the collective consists of
“roughly 4,500” people, organized into several subgroups, which are usually self-managing but
occasionally coordinate their activities. [5] Separately, Killnet claimed to have 280 members in
the US, saying their US “colleagues” were responsible for an attack on Boeing.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), Killnet may be
associated with another Russian-language cyber group supporting Russia, the “XakNet Team,”
which leaked a Ukrainian government official’s emails in March 2022. [6] Killnet claimed that it
cooperates with XakNet Team, which operates a Telegram channel with the handle
“@xaknet_team.”  
10/18/22: Killnet’s attack coordination takes place in real time on the group’s
Telegram channel. The group is divided into several “legions,” which are often created on a
weekly basis. These legions have included “Jacky,” “Mirai,” “Impulse,” “DDOSGUNG,”
“Sakurajima,” “Kratos,” “Rayd,” “Zarya,” “Vera,” and “Phoenix.” Analysts have observed that the
legions conduct DDoS attacks in waves, focusing on the target announced on Killnet’s main
Telegram channel. Some legions may also be assigned countries, such as Germany or Poland,
as opposed to direct targets. [7]

TTPS (added 10/18/22)
[Contents]
Killmilk has claimed that the group is capable of conducting 2.4 Tbps DDoS attacks with a
botnet, or botnets, that overwhelmingly consists of foreign devices—the proportion of Russian
devices is no more than 6 percent. [8] In May 2022 Killnet named some of the botnets
operated by its subgroups: “JACKY,” “SAKURAJIMA,” and “MIRAI.” The legions were named after
the botnets they claimed to use.
While the group’s main profile is DDoS attacks, it also claims to have been responsible for data
exfiltration from attacked networks, including the email inboxes of “high-ranking officials” and
bank data. [9]
Killnet has been found to leverage “CC-Attack,” a publicly available attack script with
deployment instructions posted in its Telegram channel. This script, likely authored by an
unaffiliated student in 2020, automates the use of open proxy servers and leverages
randomization to avoid any signature-based solution. The CC-Attack toolkit requires very little
expertise to successfully employ, and can create three different layer 7 attack types—GET
flood, HEAD flood, and POST flood. It specifically randomizes multiple entities within the HTTP
requests, such as user-agent, accept header, and POST data. [10]
The Italian Computer Security Incident Response Team (CSIRT) released a report on Killnet’s
observed attack against Italian entities on May 30, 2022. [11] The attack lasted for more than
ten hours, peaking at 40 Gbps, and comprised three phases. The initial phase was
characterized by high frequency of packets in TCP-SYN, UDP, and TCP SYN/ACK amplification
attacks along with DNS amplification and IP fragmentation attacks. A second phase with
similar intensity to the first involved IP fragmentation attacks followed by previous attack types,
though without DNS amplification. The last phase lasted the longest, though it contained a
lower frequency, and was characterized by alternations of volumetric attacks and state
exhaustions.
The specific techniques used by Killnet and identified by CSIRT included:
• ICMP flood
• IP fragmentation
• TCP SYN flood
• TCP RST flood
• TCP SYN/ACK
• NTP flood
 •• DNS amplification
LDAP connectionless (CLAP)
In mid-May, CSIRT also noted that Killnet has made use of slow POST DDoS attacks against
Italian government sites. These attacks use a slow but steady stream of incomplete HTTP
requests, which forces the server to allocate resources waiting for the request to complete.
[12]
After successfully conducting an attack, Killnet frequently uses check-host[.]net to confirm the
operation on its official Telegram channel (example 1, example 2).
Researchers at Forescout used honeypot servers and a list of IP addresses associated with
Killnet to confirm the group’s preference for brute-forcing credentials on TCP ports 21 (FTP),
80 (HTTP), 443 (HTTPS), and 22 (SSH), as well as its use of SSH tunneling. [13] The researchers
managing the honeypot observed 381 attacks from 58 IP addresses. Fifty-six of these
monitored attacks were dictionary attacks, a common automated method threat actors use to
compromise accounts, utilizing common default credentials. These attacks stemmed from ten
observed IP addresses. The brute-force attempts were exclusively against port 22, suggesting
the threat actors may have been attempting credential harvesting. The most common
usernames attempted were “root,” “postgres,” ‘“mcserver,” and “ts3.” The passwords in the
dictionary attack evidently did not contain a clear pattern other than being weak.
According to Forescout, the IP addresses that did not attempt dictionary attacks sustained
their attacks over a maximum of three days. The IP addresses that did conduct dictionary
attacks did not repeat the attack, suggesting varied goals of attack scripts linked with each IP
address. When the attackers were tricked into an SSH session, they tried to create a proxy
toward google[.]com by attempting to create SSH tunnels. The targeted attacks on FTP ports
suggested reconnaissance, as the threat actors repeatedly used the SYST command, which
returns the system type.

IP ADDRESSES (added 10/18/22)

[Contents]
In May 2022, following a DDoS attack by Killnet on several Romanian websites, the ​Romanian
National Cyber-Security Directorate (DNSC) published a list of 266 IP addresses. [14] The list
later grew to roughly 11,000 IP addresses associated with Killnet.
An analysis of the IP addresses found that the majority of them belong to the company
ColoCrossing. [15] A significant section of the IP addresses belong to the autonomous system
AS36352. This group, managed by ColoCrossing, contains 815,974 IP addresses and is known
to conduct malicious activity. [16]
Forescout has also provided a list of IP addresses attacking its honeypot servers and believed
to be associated with Killnet. [17] Forescout noted that the attackers’ IP addresses consisted
mainly of Tor exit nodes and known malicious clearnet or proxied addresses.

FINANCES (updated 10/18/22)

[Contents]
6/28/22: In March 2022 unknown users posted information about the cryptocurrency wallets
associated with Killnet on the site Doxbin. The list contained Bitcoin, Ethereum, and Tether
addresses. Only two of these addresses received substantial amounts of money (over
US$1,000).

• The Bitcoin address bc1qx9nu6lvlq5squ7afm6swzcc2ryng8dp9c6d92z

received 0.86964900 BTC (US$18,300 as of June 2022) in thirty-eight
transactions.
• The Tether address TXofMf9ELVxvPg24xoF34zM97PhBPte2qQ received
US$10,317 worth of stablecoin.

7/18/22: On July 2, Killnet posted further cryptocurrency (Bitcoin, Ethereum, Tether) addresses

as well as a Tinkoff Bank account number, requesting donations from its followers. Flashpoint
mapped the transactions made to Bitcoin addresses linked to Killnet since September 2021.

Image 1: Bitcoin transfers received by Killnet-linked BTC wallets.

The relatively low transaction volumes suggest that Killnet and the organizations in its umbrella
still operate mostly on a voluntary basis. Flashpoint analysts are aware of smaller money
transfers to subgroups for “technical support”—for example, 50,000 rubles (US$850) to the
Mirai division on May 2.
However, Killnet may have other financial support channels, and some transactions—such as
transfers to the Tinkoff account—cannot be openly accessed.
10/18/22: The groups also asked for donations on September 13, claiming to have no financial
support from the Russian government.
10/18/22: In October 2022 Killnet started advertising “Netto Exchange,” a cryptocurrency
exchange that, according to the group, is run by “Killnet’s partners.” The Telegram-based
exchange ostensibly maintains offices in “all bigger Russian cities” and takes all
cryptocurrencies offered on the Binance and Huobi exchanges.
CYBER SPETSNAZ/CYBER INTELLIGENCE STRUCTURE AND OPERATION
(updated 10/18/22)
[Contents]
10/18/22: The group “Legion–Cyber Intelligence” (earlier known as “Legion–Cyber Spetsnaz”)
historically played a role of operative control over Killnet’s  subgroups, namely:

• Mirai (commander: @ddos_bot1)

• Sakurajima (commander: @rodr1se)
• Jacky (commander: @AuraNetz)
• FasoninnGung (commander: @Leoselers)
• Zarya (commander: @H45H13)
• Impulse (commander: @MMntHX)
• Kajluk
• Sparta
• Vera
• Rayd
Not all of these divisions may still be operational.
The group sometimes directed these groups to target specific countries. On May 11, for
example, the administrators of the Cyber Spetsnaz Telegram channel directed the Mirai
group to focus on Italy and Spain, and the Sakurajima and Jacky groups to focus on Poland and
Germany.
On June 9 Cyber Spetsnaz announced that it would undertake a “reorganization” of its groups
and asked its commanders to report about the “readiness” of the members in their
departments. The purpose was to weed out inactive members and imposters. Several days
earlier, the group also tightened its recruitment practices, insisting that new members should
be recommended by at least one existing “curator,” and introduced an internal bonus system
to improve compliance with internal rules.
 Image 2: Cyber Spetsnaz awards for subgroups.

Apart from its proprietary tools, Cyber Spetsnaz has used several known DDoS scripts such as
“Aura-DDoS,” “Blood,” “DDoS Ripper,” “Golden Eye,” “Hasoki,” and “MHDDoS.” [18]

ZARYA SUBGROUP AND H45H13 (added 6/28/22)

[Contents]
Cyber Spetsnaz maintains a press officer, ”@H45H13” (pronounced “hashie”), who is also the
coordinator of the first Cyber Spetsnaz subgroup, “Zarya” (“Dawn”). The subgroup admits only
experienced hackers and open source intelligence specialists, although it also provides
training in DDoS tools.
H45H13 has also been associated with the cyber threat group “XakNet,” which was accused of
attacks on Ukrainian government networks. In April they were identified as the head of the “hit
group” of the Killnet affiliate “Russian Cyber Army” and its de facto second-in-command after
the group’s “general,” user “@Barsuk_zv.” The user was named as a participant in several
attacks on Ukrainian networks, including an attack on the Ukrainian Cyber Police.
Apart from Killnet and XakNet-associated groups, this user has also been active in a Telegram
group dedicated to the threat group “LAPSUS$” since at least March 2022; in the fraud group
“Procoder - Good bases” between November 2021 and January 2022; and the Telegram
group of Lolzteam, a popular Russian-language cyber forum.
This user was also a member of the now-defunct Raid Forums, based on their activity in the
forum’s Telegram group.
Flashpoint has records of a user named H45H13 from the Russian-language Telegram group
“Rad Spar” in February 2021. H45H13 first warned that they were about to share potentially
forbidden wares (as they related to Russian state institutions), and then claimed that they had
for sale a “huge database” that included data exfiltrated from the servers of the
administrations of four Russian regions and various other institutions—such as the Ulyanovsk
region police and the Central Hospital in the city of Belgorod—as well as kompromat about
Ukrainian officials.
While there is no direct evidence linking the above H45H13 to the Killnet member other than
the shared public usernames (the Telegram user IDs are different), there is circumstantial
evidence. H45H13, the Killnet member, suggested in a message on March 12, 2022, that they
had successfully breached the mail server of the Khmelnitsky local authority in Ukraine and
leaked “all correspondence.” This could correspond to the other user’s previously claimed
“kompromat on Ukrainian officials.”

COMMUNICATION (updated 6/28/22)

[Contents]
Killnet maintains a presence on various social media platforms. Its main method of
communication is through the official Killnet Telegram channel, which the group has
maintained since at least January 23, 2022. Killnet also runs a support account with the handle
“@killnet_support,” a “reserve” account with the handle “@killnet_hacking,” and a channel with
the handle “@cyberwar_world.”
The group has used videos on major international video-sharing sites and apps for publicity
purposes. [19] Both its communication strategy and its videos seem to be strongly influenced
by the hacktivist collective “Anonymous.” Killmilk themselves claimed to have been motivated
by Anonymous’s attacks on the Russian state-owned media network RT, and the group
attacked Anonymous in response. [20] Killnet also maintains a presence on the Russian social
media platform VK.
6/28/22: Cyber Spetsnaz shares information with followers via its Telegram channel “Legion -
Cyber Spetsnaz RF.” The channel started on April 28, 2022. The Cyber Spetsnaz subgroup
Zarya has its own Telegram channel, “Информ Zаря” (Inform Zarya).

IMAGE
[Contents]
Based on the posts of threat actors who publicly stated their opinion in the illicit communities
in Flashpoint datasets, Killnet has a mostly, but not fully, negative image. The RuTor user “DHL”
accused Killnet of “corruption” in March, due to reports that the group’s cryptocurrency
wallets had received steady transfers following the start of the February invasion. A user of the
top-tier forum XSS, “pycckoe777,” called Killnet “a group of 10th-grade schoolkids.” “Gentle,” a
member of Breach Forums, called Killnet “a script kiddie Russian group.” On March 27,
“0x00000f4,” a member of the top-tier forum Exploit, shared a database allegedly containing
documents related to the group, adding that they intended this to be “a lesson.”

NOTABLE ATTACKS
KILLNET ATTACKS
OCTOBER ATTACKS ON US WEBSITES (added 10/18/22)

[Contents]
In early October Killnet claimed a number of attacks against US government websites. On
October 3, Killnet claimed to have attacked the National Geospatial-Intelligence Agency, and
listed the following targeted domains:

• hxxps://intelshare[.]intelink[.]gov
• hxxps://adfs[.]riss[.]net
• hxxps://www[.]cjis[.]gov
Killnet also posted an image appearing to be alleged proof of access to one of the systems.
On October 4, Killnet also threatened unnamed US tax resources.
On October 5, Killnet claimed responsibility for conducting DDoS attacks targeting various
government websites, including those of Alabama, Alaska, Colorado, Connecticut, Delaware,
Florida, Idaho, Indiana, Kansas, Kentucky, and Mississippi, as well as Hawaii’s Tax Department
and the Gov2Go domain. Some of the affected sites, such as those of Kentucky and
Mississippi, were back online within a few hours, while that of Colorado took longer to bring
back up. [21] Additionally, Killnet claimed that an unnamed “provider” in California was
targeted. According to the group, this was the first stage of DDoS attacks it had planned.
On October 10, Killnet claimed to have targeted Chicago’s O’Hare International Airport,
posting alleged proof to have targeted flychicago[.]com, which serves both the Midway Airport
and the O'Hare International Airport in Chicago. The group also wrote that the US’s “civilian
network sector” is not secure. [22]

• Killnet then declared a “new safari” on the US, inviting “all those willing” to
conduct DDoS attacks against the US’s “civilian network infrastructure.” This
would include all airports, maritime terminals and logistics facilities, weather
monitoring centers, the healthcare system, metro systems, and exchanges and
online trading systems.
• Killnet then posted a list of the sites of forty-seven US airports. It was reported
that websites of at least twelve airports were affected by DDoS attacks,
including airports in Atlanta, Los Angeles, and New York. [23, 24]
While the DDoS attacks on the high-visibility airports affected site accessibility for several
hours, they did not result in a significant disruption of operations. [25] This is consistent with
Killnet’s past attacks—while they are often highly visible, their effects have mostly been
negligible. Killnet followed up by once again saying that the security of the US’s “civilian
network infrastructure” is “absolutely zero,” while making a vague threat against unnamed
“congressmen.” The group then called for all hackers participating in the “liquidation” of the
US to continue.
On October 11, Killnet posted a threatening image depicting the US Capitol building on fire.
The group then claimed to have attacked the network infrastructure of a named major US
bank and declared “victory” against “America’s largest bank.”  
On October 12, Killnet appears to have claimed to have “only begun” its attacks against the US.
Similar statements were made by Killnet’s founder, “Killmilk,” in an interview with RT
published on October 9: Killmilk claimed that the US is the “last stronghold” against the
collective, and that this is only the beginning of Killnet's anti-US operations. Killmilk also
reiterated their belief that the security of the US’s civilian network infrastructure is “absolutely
zero.” [26]  

ATTACKS ON LITHUANIA AND THE US (added 7/18/22)

[Contents]
On June 27, 2022, news surfaced that the Lithuanian government and private institutions were
experiencing DDoS attacks. The Lithuanian National Cyber Security Center said in a statement
that it expects “attacks of a similar or greater intensity in the coming days, especially in the
transportation, energy and financial sectors." [27] Killnet took responsibility for the attack,
claiming it would stop it as soon as the Lithuanian government reinstates transit routes
between the Russian exclave region of Kaliningrad and the rest of Russia. [28]

• Lithuania had been blocking the transit of sanctioned goods from the rest of
Russia through its territory to Kaliningrad, which complicated Russian efforts to
supply the exclave with these goods. The Russian government and pro-Kremlin
media called Lithuania’s decision a “blockade.”
• The European Commission issued a guidance on July 13 clarifying that the
transfer of sanctioned goods through Lithuania between two parts of Russia
does not violate EU sanctions on Russia. The Lithuanian government appears to
have accepted this guidance. [29]
• In early July the government had also expanded the list of goods whose transfer
is prohibited, in line with EU sanctions. [30]
The attack did not cause major disruptions in Lithuania’s network infrastructure, but it was
ambitious in scope. The targeting called to mind the 2007 DDoS attacks on computer systems
in Estonia, which were later linked to the Kremlin-controlled youth group “Nashi.” [31]
Killnet continued to attack Lithuania in July, perpetrating an attack on Ignitis, a major Lithuanian
energy company serving 1.7 million customers. [32]
On July 1, days after the initial attacks on Lithuania, Killnet posted a message threatening the
United States, specifically the energy and financial sectors, calling an impending attack
“Lithuania 2.” The collective claimed to be able to conduct attacks similar to the ones in
Lithuania in five US states or five European countries at the same time. At the time of the
announcement, Killnet did actually target US entities. However, these attacks were
significantly less ambitious than the attack on Lithuania. Killnet committed DDoS attacks
against:

EARLIER ATTACKS (updated 7/18/22)

[Contents]

• In July Killnet attacked PayUSATax[.]com, a third-party website where US

citizens can pay their taxes. From the group’s messages, it appears that Killnet
thinks this website is associated with the Internal Revenue Service (IRS).
• In July Killnet attacked the website of the US Congress, which was down for a
short time. [33]
• In March 2022 Killnet conducted a DDoS attack on the International Cyber
Police Agency (Cyberpol). [34]
• In March Killnet claimed responsibility for a DDoS attack on the website of
Bradley International Airport in Connecticut, US, and linked the attack to the
US’s military support to Ukraine.
• In April Killnet claimed responsibility for DDoS attacks against targets in the
Czech Republic. The attacks targeted the websites of railroads, airports, and a
public administration portal. No information or private data of citizens appears
to have been leaked. [35]
• In April Killnet claimed responsibility for attacks on Romanian government-
affiliated websites: various government agencies, the Romanian border police,
and the local train transportation system. [36] Killnet claimed that the attacks
were launched due to Romania’s anti-Russia stance, particularly in the context
of the war in Ukraine.
• The attacks came the day after Marcel Ciolacu, the head of Romania’s
governing Social Democratic Party, announced that Romania might
provide military aid to Ukraine. [37]
• Afterward, the group threatened to attack hospital ventilators in the UK if
one of its affiliates who was arrested there was not released.
• In April the collective conducted a DDoS attack against the website of La
Republique en Marche (LREM), French President Emmanuel Macron’s party,
ahead of the French election. The attack was ostensibly in retaliation “for
Stingers,” seemingly suggesting that France delivered Stinger missiles to
Ukraine, which it did not. [38]
• In April Killnet posted on its Telegram channel regarding an attack on
Germany’s Ministry of Defense and two airports, Cologne Bonn Airport and
Hamburg Airport; it later also mentioned Bremen Airport. The posts
mentioning these attacks were also accompanied by messages denouncing
Germany’s aid to Ukraine. Additionally, on April 17 Killnet claimed to have
targeted two banks in Germany, Commerzbank and Kreditanstalt für
Wiederaufbau.
• In May 2022 Germany’s Ministry of Defense, federal parliament (Bundestag), a
number of federal police services, and the website of German Chancellor Olaf
 Scholz were subject to a DDoS attack, which was successfully repelled. [39] The
websites of Germany’s foreign intelligence service (Bundesnachrichtendienst),
Mercedes, and Giropay, a local payment system, also appear to have been
targeted. Killnet took responsibility for the attacks.
• In May, Killnet continued targeting Ukrainian networks. The collective dumped
information from the city administration of Rivne; the state-run database
Derzhzovnishinform, which monitors commodity markets; and Ukraine’s
pension portal, among others.
• In May, DDoS attacks against Italy, which hosted the Eurovision Song Contest on
May 10-14, were attributed to Killnet by local authorities, although the group
has denied that it was responsible. [40]
• Russia had been expelled from the competition due to its aggression
against Ukraine, which ultimately won the contest.
• Following DDoS attacks on Italian government websites, including the
Senate and the National Institute of Health, the voting system of the
contest was reportedly attacked unsuccessfully by Killnet.
• 7/18/22: In July, Killnet’s channel called on affiliates to attack a car repair
business in Moscow, Russia, after the business allegedly refused to serve active
military service members. This was the first known instance of Killnet calling for
a domestic attack.
• 7/18/22: In July, Killnet committed a DDoS attack against the website of the
Polish Tax Service.
• Killnet has also claimed to have conducted attacks on a number of other
countries, such as Estonia, France, Poland, and the United Kingdom. Killnet also
posted a list of twelve countries that it says are vulnerable to DDoS attacks: the
Czech Republic, Estonia, Finland, France, Germany, Latvia, Lithuania, Moldova,
Poland, Romania, Ukraine, and the United Kingdom.  

CYBER SPETSNAZ ATTACKS (added 6/28/22)

[Contents]

• On April 28 the group conducted DDoS attacks on the Polish Railways.

• On April 28, the group announced that actors belonging to the group would
conduct a DDoS attack on NATO’s website, nato[.]int. The operators formed
three subgroups that would attack different NATO subdomains. The “test drive”
of the attack took place against the website of the Polish Railways.
• In May the group continued committing DDoS attacks on Polish government
institutions, including the Ministry of Foreign Affairs and the police.
• In May the group carried out DDoS attacks against several logistical terminals in
Italy, as well as banks and state institutions in the Baltic countries, Moldova, and
Romania as well as companies in Germany.
• On May 7 Cyber Spetsnaz called on its subdivisions to attack the US defense
contractor Lockheed Martin.
 • On May 9 Killnet and Cyber Spetsnaz targeted Ukrainian internet providers
 and dedicated the attack to Ukraine’s World War II veterans.
• From May 10 to 14 Cyber Spetsnaz subgroups—along with Killnet—
attacked several subdomains belonging to the Eurovision Song Contest, where
Ukraine was a favorite to win. The collective posted detailed instructions about
subdomains, ports, and services to attack.
• On May 16, following Killnet’s “declaration of war” on ten Western governments,
Cyber Spetsnaz joined the declaration.
• On May 25 Cyber Spetsnaz announced that its Zarya division hacked the
website of the Ukrainian Security Service (SBU). This was considered a
symbolic victory.
• On June 3 Cyber Spetsnaz created the “Sparta” division with the aim of
conducting cyberespionage, stealing financial data, and attacking internet
resources in NATO countries.
• On June 13 the group announced attacks against Polish entities to take place
throughout June; the announcement contains a list of subdomains, ports, and
services to be targeted instead of only the primary domain.

EXPANDING OPERATIONS
[Contents]
On May 15, 2022, Killnet “officially declare[d] cyberwar” on the governments of ten countries:
Estonia, Germany, Italy, Latvia, Lithuania, Poland, Romania, Ukraine, the UK, and the US. Killnet
said that while ordinary citizens of those countries face no threat, their governments will be
“liquidated.”
According to Killmilk, the group’s objective is to become the largest global hacktivist group by
2023. [41] Killnet promoted the Telegram channel “@world_hacker_alliance” as part of its
recruitment efforts.  

ASSESSMENT
[Contents]
Killnet remains a threat to institutions located in countries that provide assistance to Ukraine
in the ongoing war with Russia. NATO member countries that actively supply weapons to
Ukraine are considered to be prime targets for cybercriminals who have pledged allegiance
to Russia.
As shown in attacks attributed to Killnet and its claims, financial institutions in these countries,
such as banks, are at risk. For example, Killnet claims to have targeted three banks in Romania,
including OTP Bank; Komerční banka in the Czech Republic; Narodowy Bank Polski in Poland;
ProCreditBank in Moldova; Latvijas Banka in Latvia; and a major US bank.
KEY INDICATORS
[Contents]
Source Reliability:
• A - Reliable
• B - Usually Reliable
• C - Fairly Reliable
• D - Not Usually Reliable
• E - Unreliable
• F - Cannot be Judged
Information Reliability:
• 1 - Confirmed
• 2 - Probably True
• 3 - Possibly True
• 4 - Doubtfully True
• 5 - Improbable
• 6 - Cannot be Judged
Credibility assessment: Moderately credible (medium confidence)
Motivation: Ideological, financial gain, possibly state-sponsored
Aliases: Killnet, Killmilk (likely founder)
Active Online Communities: Telegram, VK, RuTor, Vsemmoney
Date of First Activity: October 29, 2022
Accomplices/Associates:
• @Legion_Russia (Cyber Spetsnaz)
• @xaknet_team (Xaknet)
Capabilities: Maintaining and using botnets in DDoS attacks, data exfiltration
Sources of Income: For-hire DDoS services
Targets: State institutions and private entities in countries supporting Ukraine
Identifiers:
• Telegram:
• @killnet_channel
• @killnet_support
• @killnet_hacking
• Legion - Cyber Spetsnaz RF
• Информ Zаря
Possible Real Name: Unknown
Languages: Russian
IP Addresses: Unknown

CITATIONS
[Contents]
[1] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[2] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[3] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[4] hxxps://www[.]bloomberg[.]com/news/articles/2022-06-29/mandiant-finds-possible-link-
between-kremlin-pro-russian-hacktivists#xj4y7vzkg
[5] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[6] hxxps://www[.]cisa[.]gov/uscert/ncas/alerts/aa22-110a
[7] hxxps://www[.]digitalshadows[.]com/blog-and-research/killnet-the-hactivist-group-that-
started-a-global-cyber-war/
[8] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[9] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[10] hxxps://securityscorecard[.]com/blog/killnet-utilizes-cc-attack-a-quick-dirty-ddos-method
[11] hxxps://www[.]csirt[.]gov.it/contenuti/attacco-ddos-ai-danni-del-sito-istituzionale-dello-
csirt-italia-del-30-maggio-2022-analisi-preliminare-bl01-220531-csirt-ita
[12] hxxps://www[.]bleepingcomputer[.]com/news/security/italian-cert-hacktivists-hit-govt-
sites-in-slow-http-ddos-attacks/
[13] hxxps://www[.]forescout[.]com/resources/analysis-of-killnet-report/
[14] hxxps://www[.]nineoclock[.]ro/2022/05/02/dnsc-the-list-of-ip-addresses-used-for-cyber-
attacks-amid-the-ongoing-war-in-ukraine-grows-exponentially/
[15] hxxps://www[.]pwndefend[.]com/2022/05/18/killnet-area-they-really-a-threat/
[16] hxxps://twitter[.]com/bad_packets/status/1527168335904796672
[17] hxxps://www[.]forescout[.]com/resources/analysis-of-killnet-report/
[18] hxxps://securityaffairs[.]co/wordpress/131967/hacking/exclusive-pro-russia-cyber-
spetsnaz-is-attacking-government-agencies[.]html
[19] hxxps://www[.]youtube[.]com/watch?v=qA9jCO4UNXs,
[20] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[21] hxxps://www[.]cnn[.]com/2022/10/05/politics/russian-hackers-state-government-
websites/index[.]html
[22] hxxps://www[.]flychicago[.]com/Pages/default[.]aspx
[23] hxxps://chicago[.]suntimes[.]com/news/2022/10/10/23397497/ohare-midway-airport-
websites-shut-down-cyberattack-russia
[24] hxxps://abcnews[.]go[.]com/Technology/cyberattacks-reported-us-airports/story?
id=91287965
[25] hxxps://www[.]darkreading[.]com/attacks-breaches/us-airports-cyberattack-crosshairs-
pro-russian-group-killnet
[26] hxxps://russian[.]rt[.]com/world/article/1059107-killnet-hakery-ssha-razoblachenie
[27] hxxps://www[.]reuters[.]com/technology/lithuania-hit-by-cyber-attack-government-
agency-2022-06-27/
[28] hxxps://www[.]reuters[.]com/technology/russias-killnet-hacker-group-says-it-attacked-
lithuania-2022-06-27/
[29] hxxps://www[.]reuters[.]com/world/lithuania-will-allow-sanctioned-russian-goods-trade-
kaliningrad-2022-07-13/
[30] hxxps://www[.]reuters[.]com/world/europe/lithuania-expands-restrictions-kaliningrad-
trade-2022-07-11/
[31] hxxps://www[.]wired[.]com/2009/03/pro-kremlin-gro/
[32] hxxps://techmonitor[.]ai/technology/cybersecurity/ignitis-ddos-attack-lithuania-killnet-
russia
[33] hxxps://securityboulevard[.]com/2022/07/killnet-russian-ddos-group-claims-attack-on-us-
congress-website/
[34] hxxps://twitter[.]com/cyberpol/status/1509958891228254208
[35] hxxps://www[.]expats[.]cz/czech-news/article/pro-russian-hackers-target-czech-websites-
in-a-series-of-attacks
[36] hxxps://universul[.]net/pro-russian-group-killnet-claims-responsibility-for-cyber-attacks-
on-romanian-government-websites/
[37] hxxps://www[.]digi24[.]ro/stiri/actualitate/politica/ciolacu-suntem-pregatiti-sa-livram-
armament-ucrainei-e-nevoie-de-un-cadru-legal-si-o-decizie-politica-1920695
[38] ​​hxxps://www[.]20minutes[.]fr/high-tech/3285003-20220506-cyberattaque-site-
emmanuel-macron-pirate-russes-pendant-presidentielle
[39] hxxps://www[.]republicworld[.]com/world-news/russia-ukraine-crisis/russian-hackers-
target-german-govt-websites-in-series-of-cyberattacks-report-articleshow[.]html
[40] hxxps://www[.]reuters[.]com/world/europe/italian-police-prevents-pro-russian-hacker-
attacks-during-eurovision-contest-2022-05-15/
[41] hxxps://lenta[.]ru/articles/2022/04/15/killnet/
[26] hxxps://lenta[.]ru/articles/2022/04/15/killnet/

CHANGE LOG
[Contents]

• 5/20/22: First publication

• 6/28/22:
• Background: Cyber Spetsnaz (added)
• Killnet Structure and Operation (updated)
• Cyber Spetsnaz Structure and Operation (added)
• Zarya Subgroup and H45H13 (added)
• Communication (updated)
• Cyber Spetsnaz Attacks (added)
• 7/18/22:
• Goals and Targets (added)
• Finances (updated)
• Killnet Attacks (updated)
• Attacks on Lithuania and the US (added)
• 10/18/22:
• Executive Overview (updated)
• Killnet and Killmilk (updated)
• Cyber Spetsnaz/Cyber Intelligence (updated)
• Killnet Structure (updated)
TTPs (added)
 •• IP Addresses (added)
Finances (updated)
• Cyber Spetsnaz/Cyber Intelligence Structure and Operation (updated)
• October Attacks on US Websites (added)

=======
All Flashpoint intelligence reports, related data, and content are the property of Flashpoint,
and are protected under all applicable laws. Flashpoint reports and data are intended solely
for the internal use of the individual and organization to which they are addressed, and are
subject to the applicable terms and conditions of your Subscription Agreement with
Flashpoint and/or your NDA, as applicable. Flashpoint reports and data are Flashpoint
Confidential Information, and as such, may not be shared outside of your company or
disclosed publicly for any purposes without Flashpoint’s written consent; provided, however,
that you may share such materials to third parties if legally required, or on a need-to-know
basis, and then only to those parties who are bound by confidentiality obligations no less
protective of Flashpoint than those contained in your Agreement and/or your NDA.
=======