Russian hacktivist groups are proving to have a significant impact on organizations in Ukraine and NATO countries, despite their sometimes empty PR stunts. These groups, led by KillNet, have been launching attacks against governments and corporations that voice opposition to Putin’s invasion of Ukraine.
While some of these attacks are merely nuisance attacks on public-facing websites, others are targeting critical infrastructure such as hospital systems. Michael McPherson, an FBI veteran and now senior vice president of technical operations at ReliaQuest, explains that targeting hospital systems is much more impactful and harmful than mere website takedowns.
The use of distributed denial-of-service (DDoS) attacks has played a key role in the Russia-Ukraine conflict. These attacks were the first to hit media, government, and financial organizations in Ukraine, signaling the beginning of the war. As the conflict continued, the responsibility for these attacks seemed to shift from state-sponsored groups to hacktivist outfits. However, attributing these attacks to specific groups has become increasingly challenging.
Regardless of their affiliations, these hacktivist groups target any organizations or individuals that speak out against the war. For example, whenever President Biden speaks at international summits, there is a spike in DDoS attacks against the United States government. The evolution of these groups has led to the fragmentation of KillNet into multiple factions with different agendas, supporting different facets of the government.
This fragmentation has contributed to the increasing DDoS activity worldwide. In the first half of 2023 alone, nearly 7.9 million DDoS attacks were recorded, representing a 31% year-over-year growth. Pascal Geenens, director of threat intelligence at Radware, explains that these DDoS-focused groups have become more active and sophisticated over time.
Geenens cites NoName as an example of a matured hacktivist threat. Instead of overwhelming target sites with garbage traffic, NoName now uses tools to analyze web traffic and specifically targets impactful pages such as feedback forms or search boxes. This more directed approach enables them to bring down websites by exploiting vulnerabilities in the backend infrastructure.
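The shift described above, from volumetric floods to requests aimed at backend-heavy pages, changes what defenders should look for in web logs. The following is an added example, not from the original article or from Radware: it flags clients whose traffic is almost entirely search or feedback requests arriving in bursts. The endpoint paths, thresholds, log format (combined access log) and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these are the site's backend-heavy endpoints (search box, feedback form).
EXPENSIVE = ("/search", "/feedback")
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, path without query string) or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, _method, url, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), url.split("?", 1)[0]

def flag_clients(lines, window=timedelta(seconds=10), max_hits=5, min_ratio=0.8):
    """Flag IPs with more than max_hits expensive requests inside any window,
    where at least min_ratio of all their requests hit expensive endpoints."""
    hits, total = defaultdict(list), defaultdict(int)
    for ip, when, path in filter(None, map(parse, lines)):
        total[ip] += 1
        if path.startswith(EXPENSIVE):
            hits[ip].append(when)
    flagged = set()
    for ip, times in hits.items():
        if len(times) / total[ip] < min_ratio:
            continue  # ordinary visitors also fetch pages, CSS and images
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 > max_hits:
                flagged.add(ip)
                break
    return flagged

def sample_log():
    # Constructed sample: one client hammers /search with varying queries,
    # the other browses normally and searches once.
    noisy = [f'203.0.113.7 - - [01/Aug/2023:10:00:{s:02d} +0000] '
             f'"GET /search?q=x{s} HTTP/1.1" 200 512' for s in range(8)]
    pages = ["/", "/style.css", "/search?q=hours", "/contact"]
    normal = [f'198.51.100.4 - - [01/Aug/2023:10:00:{s:02d} +0000] '
              f'"GET {p} HTTP/1.1" 200 1024' for s, p in enumerate(pages)]
    return noisy + normal
```

Per-client counting only catches sources that are individually noisy; in a distributed attack each source may stay under the threshold, so the same window logic should also be applied to the aggregate request rate per expensive endpoint.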
These hacktivist groups are increasingly targeting critical infrastructure and causing real-world impact. They have started targeting ticketing services for public transport, payment applications, and third-party APIs, which can disrupt various applications. For example, a recent NoName attack against Canada’s Border Services Agency caused significant delays at border checkpoints throughout the country.
The ambitions of these hacktivist groups are growing as well. KillNet’s leader, KillMilk, has expressed interest in incorporating wipers into their attacks. They aim to build a paramilitary cyber army that performs destructive cyber attacks for the highest bidder, similar to the physical Wagner Group.
In conclusion, Russian hacktivist groups have proven themselves capable of causing significant harm to organizations in Ukraine and NATO countries. Their evolving tactics, growing sophistication, and ambitions highlight the need for increased cybersecurity measures to defend against these threats.