In recent years, Russian threat group KillNet has been making headlines for its high-profile cyberattacks that align with Russian state interests. While the exact connection between KillNet and the Kremlin remains murky, a new report from Mandiant suggests that KillNet’s media branding strategy is successfully consolidating Russian hacker power under one organization.
It is important to note that while there is evidence of KillNet mirroring Kremlin interests, there is little concrete proof of direct collaboration between the group and the Russian government. This ambiguity is characteristic of an environment rife with disinformation, making it difficult to establish clear connections. Interestingly, the release of the Mandiant report closely follows a warning from the UK about cybercrime mercenaries partnering with governments to serve as state proxies.
Graeme Biggar, director of the UK National Crime Agency, acknowledged that both North Korea and Russia have leveraged cybercrime groups and proxies to achieve their objectives. Although there is no direct evidence implicating KillNet as part of this phenomenon, Mandiant’s Threat Intelligence Team acknowledges that Russia and other nations often use proxies to obfuscate attribution.
KillNet, faced with an increasingly crowded Russian cybercrime sector, has implemented a media branding strategy to set itself apart from the competition. Previously, its distributed denial-of-service (DDoS) attacks had little long-term impact on their targets. However, KillNet’s reputation took a significant turn in June when Anonymous Sudan, a group that had recently joined the KillNet collective, successfully disrupted Microsoft services. This marked a substantial increase in the observed capabilities of the KillNet collective.
Mandiant suggests that KillNet’s creation and absorption of new groups are partially intended to garner attention from Western media and enhance the influence aspect of their operations. Anonymous Sudan, in particular, has displayed overt support for KillNet and its operations, with nearly 50% of their attacks targeting US, European, and other pro-Ukraine organizations. As the KillNet messaging machine continues to churn out propaganda, experts predict that more Russian hackers will be enticed to join the effort.
Timothy Morris, chief security advisor at Tanium, notes that since KillNet transformed into a threat actor group, they have been vocal and have made their intentions clear. Their PR campaign serves to instill fear and demonstrate their allegiance to Russian objectives. The collective of affiliates that make up KillNet is also growing, with groups like Anonymous Sudan showing support and aligning with KillNet’s goals.
However, experts like Callie Guenther, a threat researcher with Critical Start, raise concerns about whether KillNet’s recent boost in capability indicates outside assistance, such as support from the Kremlin. Regardless of the source of their newfound capabilities, Guenther warns that KillNet has evolved to pose a significant threat. Their increasing sophistication and ambition in targeting high-profile organizations like Microsoft and NATO, while consistently aligning with Russia’s geopolitical interests, point to a more substantial threat than a mere PR campaign.
In conclusion, while the exact relationship between KillNet and the Russian government remains unclear, KillNet’s media branding strategy is proving successful in consolidating Russian hacker power. Their recent cyberattacks, including the collaboration with Anonymous Sudan, have showcased their growing capabilities and influence within the cybercrime underground. As KillNet continues to attract attention and expand its network, the cybersecurity community remains vigilant in monitoring this evolving threat landscape.

