Monitoring deep, dark and surface web to detect exposure of your sensitive data, secret projects and initiatives, privileged users, critical systems, IT infrastructure, and more.
Monitoring and alerting of third party data breaches impacting your employees’ emails, usernames, and personally identifiable information.
Assess the risk footprint and security posture of key business relationships to get a handle on external risk introduced through your extended attack surface.

Sign Up for Updates

Digital risk monitoring of key personnel with telemetry and risk metrics. VIPRecon provides broad coverage of social media, deep and dark web, as well as physical threat assessments.
Our Ransomware Response Readiness Assessment, Playbook and Table Top Exercise gives your organization the best chance to survive and recover.
Gain visibility of your digital footprint by reaching into the most active areas of the cyber underground.
Fully managed and tailored Threat Intelligence services that becomes an extension of your current security processes and provides real-time visibility on new threats.
Providing research and investigations into known threats, to save security teams time and stress during a cyber emergency.

Sign Up for Updates

GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks, including negotiations with threat actors.
Actively researching and monitoring threats from vendors or third-party companies that can affect organizational security.
Monitoring for threats to elections, VIPs, and more on social media to proactively prevent or mitigate digital risk.
Focusing on the threats and risks that matter to your security processes and providing intelligence and insights to prevent or mitigate digital risk.
Taking the next step in security services, by proactively taking down phishing sites or anonymously interacting with threat actors to provide better intelligence.
Active monitoring of your brand's digital assets to protect its reputation and stop further brand abuse from targeting unsuspecting victims.

Sign Up for Updates

Combining your cyber and fraud programs to effectively fight threat actors continually scamming or threatening assets within an organization.
Executives are prime targets for fraudulent activities, but with a proactive approach, any attacks or threats can be neutralized before causing any damage.
Governments, political parties and candidates must all act now to activate cyber threat intelligence services to harden their information security and get ahead of inevitable cyber threats to the election process.
4 min read

Killnet Increases Attacks on US Organizations

Dec 20, 2022 9:34:13 AM

Throughout the Russian invasion of Ukraine, the pro-Russian hacktivist group Killnet has captured the attention of cybersecurity experts. Killnet originally began as a DDoS botnet service. In January 2022, a threat actor posted an advertisement for the Killnet botnet in Duplikat, a dark web forum for carding, botnets, and other illegal activities. According to the ad, the botnet allowed users to direct traffic without the target’s knowledge. It also claimed that the botnet uses the latest WEB3 technology and that the data is stored throughout the Blockchain. Since January, the nationalist group has targeted pro-Ukrainian countries and organizations in a slew of attacks and experienced organizational shake-up after their leader left

End-of-Year Activity

Killnet isn’t slowing down over the holidays. In late November, GroupSense analysts found a new Telegram channel named Killnet Collective created by the hacktivist group. According to the description, this channel will primarily be used for defacements, email dumps of European organizations, DDoS attacks, tutorials of SQL injections, and general cyber intelligence. The channel also provided instructions for all actors willing to carry out DDoS attacks. Their first target was the Latvian Ministry of Foreign Affairs website. Though the new channel offers different attacks than Killnet previously perpetrated, the new attacks are not very sophisticated.

Telgram channel screen shot 1
Figure 1: instructions posted to the Killnet Collective channel

Translation: Everybody hit L7/4 on the targets in this LIST (https://t.me/killnet_collective/8). Use 443/80/53 PORT if you are working on level four.

Attacks on Ukrainian Forces

In a showcase of their newer attack styles, Killnet accessed a database containing almost 1 gigabyte of information with photos of the 92nd Army Brigade of the Armed Forces of Ukraine and shared it to the original Killnet channel We Are Killnet. They claimed to take the data from Brigade Commander Fedosenko’s email account. It seemed that, because this was posted before Killnet Collective was created, Killnet was practicing their new TTPs and showing their members what was possible.

Telegram screen shot 2
Figure 2: Images of the leak on the Killnet channel.
Translation: Almost 1 gigabyte of data with photos of all the personnel of the 92nd Army Brigade of the AFU. 

➡️ Data taken from the email of Brigade Commander Fedosenko of the 92nd Army Brigade of the AFU(Аrmed forces of Ukraine) 

Notable Killnet Collective Attacks

Over the last few months, GroupSense analysts have noted a higher volume of Killnet attacks on US entities, some of which belonged to the US government and major media outlets. The targets included whitehouse.gov, bbc.com, cnn.com, washingtonpost.com, and usa.gov. GroupSense analysts note that these sites were used as a training ground for the new Killnet Collective channel, allowing members to get up to speed on new attack techniques.

Telegram screen shot US organizations
Figure 3: Screenshot from Killnet Collective with US targets.

Another US victim of Killnet is JOOJ technologies, an American software company. On November 28, the company’s website was defaced by Killnet, and displayed a photo of a child killed in Donbas, Ukraine, with the following message, “Hello friend! This child named Vlad Shikhov, he is killed by the Kyiv regime like thousands of other children of Donbas. You are sending money not to help Ukraine, you have been deceived. Your money go to the business of the Kyiv officials. Stop the war - stop your power, go to the street and burn beat the police. Take power into your hands! I am waiting for you my friend!” The next post in the channel included a leak of email correspondence from the company. While the message posted to the defaced site might be linked to alleged donations to the Ukrainian cause, it could be a general message sent to the American people about supporting Ukraine. GroupSense can’t confirm either theory at this time.

Telegram screenshot 4
Figure 4: A screenshot of the defaced websites of the American software developer 
Translation: American company, software developers🤗

On November 30, Killnet claimed that they gained access to a senior customer support expert at the state labor inspectorate of Latvia named Aija Berkold. In their new attack style, they claimed to gain access through an email address and then got into the governmental system, ultimately gaining VPN access, where they were allegedly able to get gigabytes of documents. They are now ransoming that data, requesting 10 bitcoin from the Latvian government.

Telegram screen shot 5

Figure 5: Posts in the Telegram channel claiming the Latvian attack. 

The Future of Killnet

On November 28, Killnet conducted an attack in collaboration with Deanon Club against Black Sprut, a deep web marketplace used for drug trading. GroupSense believes this attack to be significant because it shows a successful collaboration that is more effective than either group can be on its own. Together, they were able to DDoS the form and steal a database containing username data, histories, logging, and communication. This attack shows the broadened horizons of Killnet’s hacktivism, and GroupSense analysts expect more sophisticated attacks like this in the future.

As Killnet continues to evolve, GroupSense analysts are interested to see if attacks continue to be collaborative, and as the war in Ukraine trudges on, we know attacks won’t be slowing down. If you’re interested in receiving cyber intelligence like this, learn more about our Digital Risk Protection Services offering today.

Topics: Blog

Written by Editorial Team

Featured