KillNet

Threat Actor updated 13 days ago (2024-11-08T12:40:39.887Z)
Killnet is a threat actor or group with potential ties to the Russian government, known for its disruptive cyber-attacks. This group has been linked to several politically motivated attacks, including a significant assault on the Israeli government's website leading to its paralysis. Killnet has also targeted NATO websites and has launched multiple DDoS attacks against governments that expressed support for Ukraine, such as Moldova, Italy, Romania, the Czech Republic, Lithuania, Norway, and Latvia. The use of stresser services, popular in the current threat landscape, is a common tactic employed by this group.

This threat actor gained notoriety following Russia's ban from participating in the 2022 FIFA World Cup due to its war against Ukraine and strained relations with Qatar. It was hypothesized that the Russian government might encourage or tacitly approve disruptive attacks conducted by nationalistic Russian "hacktivist" groups like Killnet. Such groups can further the Russian government’s strategic objectives and provide plausible deniability. Killnet has also been associated with other hacktivist groups like XakNet and ransomware operators, serving as proxy forces for larger entities.

There is speculation about affiliations and rebranding within the hacktivist community involving Killnet. Some researchers suggest that Anonymous Sudan, another threat group, may be a front for Killnet or a subgroup within it. Similarly, BlackMeta, a group that previously attacked targets alongside Killnet, is believed to be a rebrand of Anonymous Sudan. It remains unclear whether these changes represent a complete overhaul of Killnet’s de facto umbrella organization for pro-Kremlin hacktivist groups or an attempt to capitalize on their gains by becoming a more efficient organization.
Description last updated: 2024-11-04T11:01:56.384Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias | Description | Votes |
|---|---|---|
| Killmilk | Killmilk is a possible alias for KillNet. KillMilk, a threat actor and leader of the hacking group Killnet, has been identified as Nikolai Serafimov, a 30-year-old Russian citizen. KillMilk has been instrumental in consolidating Russian hacktivist groups under Killnet's leadership, amassing a following of 8,000 members on his personal Teleg | 6 |
| Black Listing | Black Listing is a possible alias for KillNet. Black Listing, a threat actor group also known as Killnet, emerged in the cybersecurity landscape with malicious intent. This group has been particularly active since late 2022 and early 2023, when they partnered with Deanon Club to conduct Distributed Denial of Service (DDoS) attacks against severa | 4 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ddos
Telegram
Russia
Denial of Se...
Ransomware
denial-of-se...
Ukraine
Sudan
Hacktivist
russian
Botnet
Proxy
Cybercrime
Healthcare
Azure
Nato
Israel
Mandiant
Germany
State Sponso...
Malware
Exploit
Health
Extortion
European
Associated Malware
| Alias | Description | Association Type | Votes |
|---|---|---|---|
| Conti | The Conti Malware is associated with KillNet. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra | Unspecified | 3 |
| REvil | The REvil Malware is associated with KillNet. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th | Unspecified | 3 |
Associated Threat Actors
| Alias | Description | Association Type | Votes |
|---|---|---|---|
| Anonymous Sudan | The Anonymous Sudan Threat Actor is associated with KillNet. Anonymous Sudan, a threat actor group known for its large-scale distributed denial-of-service (DDoS) attacks, emerged in January 2023. Between January 2023 and March 2024, the group conducted numerous DDoS attacks against various entities worldwide. Notably, they targeted Telegram, a popular social | is related to | 6 |
| Black Skills | The Black Skills Threat Actor is associated with KillNet. Black Skills is a newly established Private Military Hacking Company (PMHC), announced by Killmilk, the leader of the Russian hacktivist collective Killnet, on March 13, 2023. The initiative, launched via Telegram, appears to be an effort by Killnet to establish itself as a corporate entity and furt | is related to | 4 |
| Cyber Army of Russia | The Cyber Army of Russia Threat Actor is associated with KillNet. The Cyber Army of Russia, a threat actor believed to be linked to the notorious Sandworm group, has been active in carrying out malicious cyber activities since 2022. The group, also known as the Cyber Army of Russia Reborn (CARR), has been particularly involved in a series of low-impact distributed | is related to | 3 |
| XakNet | The XakNet Threat Actor is associated with KillNet. XakNet is a notable threat actor, potentially aligned with Russian interests, that has been implicated in various cyber attacks. This group emerged prominently during Russia's conflict with Ukraine and the subsequent ban on Russia from the 2022 FIFA World Cup. The Russian government was suspected of | is related to | 3 |
| Anonymous Russia | The Anonymous Russia Threat Actor is associated with KillNet. Anonymous Russia, a malicious software (malware), has been associated with significant cyber-attacks, accounting for more than 30% of such incidents. This malware is affiliated with other hacktivist groups including Killnet, MIRAI, Venom, and has been involved in promoting Passion. Anonymous Russia, | Unspecified | 3 |
| Infinity Forum | The Infinity Forum Threat Actor is associated with KillNet. Infinity Forum is a threat actor group associated with Killnet and its allies. Established as a project to raise funds for these groups, it serves a dual purpose: expanding their capabilities and numbers while also facilitating the interaction between novice hacktivists and financially driven cyberc | is related to | 2 |
| NoName057 | The NoName057 Threat Actor is associated with KillNet. NoName057 is a pro-Russian threat actor or hacking group that has been implicated in several major cyber attacks, particularly distributed denial of service (DDoS) attacks. In August 2023, NoName057 launched significant DDoS attacks against Czech banks and the Czech stock exchange. The hackers deman | Unspecified | 2 |
| Deanon Club | The Deanon Club Threat Actor is associated with KillNet. Deanon Club, a threat actor group, emerged as a significant entity in the cybersecurity landscape through its collaborations with Killnet, another threat actor group. The two groups have been involved in multiple malicious activities, including distributed denial-of-service (DDoS) attacks on several | Unspecified | 2 |
| Siegedsec | The Siegedsec Threat Actor is associated with KillNet. SiegedSec, a threat actor group with both hacktivist and crimeware tendencies, has been involved in several significant cyberattacks. As part of an alliance known as The Five Families, which includes another prominent hacktivist group, GhostSec, SiegedSec has targeted various entities around the glo | Unspecified | 2 |
Source Document References
Information about the KillNet Threat Actor was read from the documents corpus below. This display is limited to 20 results.
| Source | Created At |
|---|---|
| InfoSecurity-magazine | 17 days ago |
| Securityaffairs | 17 days ago |
| DARKReading | a month ago |
| Securityaffairs | a month ago |
| Securityaffairs | 2 months ago |
| DARKReading | 4 months ago |
| ESET | 5 months ago |
| RIA - Information System Authority | 6 months ago |
| Securityaffairs | 6 months ago |
| DARKReading | 6 months ago |
| InfoSecurity-magazine | 6 months ago |
| InfoSecurity-magazine | 7 months ago |
| DARKReading | 7 months ago |
| InfoSecurity-magazine | 8 months ago |
| CERT-EU | 8 months ago |
| CERT-EU | 8 months ago |
| CERT-EU | 8 months ago |
| Securityaffairs | 8 months ago |
| CERT-EU | 9 months ago |
| BankInfoSecurity | 9 months ago |