Killnet Tries Building Russian Hacktivist Clout With Media Stunts

Killnet has been more effective at generating headlines than in executing attacks or wreaking any real damage, experts say.

Concept art with Russian flag to represent cybercrime in Russia
Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Killnet and its leader Killmilk have been making moves to consolidate ragtag Russian hacktivist groups under its leadership over the past several months. Despite Killnet's best efforts to brand itself as a mighty arm of the Russian government, and even a potential mercenary cyber army, its efforts have largely been a bust. Neither of those claims are accurate, according to experts, but when it comes to Killnet, not living up to its own hype isn't anything new.

The problem for Killnet and other cybercriminals working in Russia under relative protection from Western law enforcement is a common capitalist one — the cyberattack threat group market in the country has become saturated and consolidation is imminent. Now the fight for Russian hacktivist supremacy is on, and Killnet has decided to duke it out in the media.

Killnet-Kremlin Love Affair May Not Be Mutual

Killnet's actual connection to the Russian government is foggy, according to security vendor Mandiant. But based on the activities of known Kremlin-controlled hacking operations, which are largely kept quiet and focus on disinformation, Killnet doesn't seem to fit with the military program. The goal for Killnet operations, according to Mandiant, appears to be generating headlines.

"For some groups, such as the Killnet collective, we lack the visibility to determine its affiliation with the Russian government," the company tells Dark Reading. "Mandiant has identified other groups like XakNet and Cyber Army of Russia_Reborn (CARR) that almost certainly are fronts for Russian military cyber operations, promoting leaked or doctored documents. While the effects of claimed attacks and data leaks vary on an individual basis, the primary impact of these groups is the promotion of pro-Russia messaging through the attention their attacks garner."

Since the group emerged following the Russian invasion of Ukraine, Killnet's messaging has been very pro-Kremlin, likely in an effort to court Kremlin support, according to Mike Parkin with Vulcan Cyber.

If they aren't already, it's a safe bet that one of Killnet's goals is to work for the Russian government, Parkin says. "Russia, along with a few other countries, are already pretty lax when it comes to cybercriminal groups. Even if [Killent is] not getting paid, the ability to operate without threat from the state law enforcement agencies is a bonus."

Without direct support from Russia and facing a competitive cybercriminal sector, Killnet has decided to go all-in on building a big brand and corresponding media profile to convince fellow hackers to come work for them.

So far, Killnet hasn't done much damage on the cyber threat front.

For instance, Killnet has claimed to target healthcare centers in the US, including Stanford Health, Michigan Medicine, Duke Health, and Cedars-Sinai, but none of the cyberattacks were successful in causing major network disruptions.

There have been other claims of DDoS attacks, Killnet's primary tactic against infrastructure in the US and beyond, including airports, defense contractors, and even the White House. But again, there wasn't much impact beyond temporary disruptions.

Killnet Builds the Brand

In March Killnet debuted Black Skills, a cyber-army-for-hire modeled after the Wagner Group, a mercenary army in service of Russia in its invasion of Ukraine until a June revolt among the soldiers and its Kremlin-tied leader Yevgeny Prigozhin.

Although Killnet claims it was not involved in the Wagner Group revolt in June, the group was careful to praise Prigozhin while simultaneously denouncing the uprising itself.

Experts tell Dark Reading there is no evidence Killnet has the infrastructure to be able to get a private military company (PMC) off the ground.

"Killnet frequently announces changes to its structure and future operations, including that it planned to form into a private military hacker company," Mandiant added. "In that case and others, we have not observed a shift in operations that would suggest real change, and such calls may be in part intended to gain attention. Given the collective's seeming inability to properly organize to support its grand claims, we do not believe Killnet in its current form possesses the capacity to organize into a fully functional PMC."

There's also been plenty of petty drama. In April, Killnet's Killmilk outed the leader of rival hacktivist threat group Anonymous Russia, calling him a "CIA rat" and appointing a new leader, a threat actor named Radis. That move doesn't seem to have upped Killnet's control among Russian hacktivists either.

The group has also been making noise about working with ransomware group REvilL and Anonymous Sudan to launch cyberattacks against the Western SWIFT banking system, which hasn't yet materialized.

But the Killnet brand is strong. In Russia, Killnet has become the stuff of legend, with rap songs dedicated to their antics, and jewelry bearing their moniker springing into Moscow street fashion.

Recently, Killnet released a promotional video, teasing a promised upcoming short film on the group. In the video, according to reports, complete with smashing sledge hammers and tough talk.

Killnet may well be making inroads in convincing other groups to join them, according to Parkin, but he doesn't expect the threat group to emerge as a singular Russian cybercrime power player. "While they may gain some success in consolidating other groups under their banner, it seems unlikely they will ever get even a majority."

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights