[Update: January 30, 2023]
Killnet has updated its alleged target list of healthcare organizations. The list includes roughly 150 hospitals, mainly in Europe and the United States. On this list, there are 25 U.S. healthcare institutions. Within Europe, the Netherlands and Great Britain are the most frequently targeted. Darkweb chatters show that two U.S. institutions were already hit as part of the Killnet campaign.
Killnet-supported threat actor, Infinity, recently claimed to have hacked IRS records, threatening to publish 198 million lines of records on their dark web channel. U.S. companies and citizens are in the midst of planning for tax filing, therefore it is possible that Infinity wants to boost its reputation in the cybercrime society. The group openly glorifies Russia and Belarus in their messaging and supports the Killnet group, a threat actor famous for DDoS attacks against public institutions.
Infinity (active since 2016) is famous for targeted spear-phishing attacks against various organizations, including government agencies, financial institutions, and companies in the technology sector. Killnet-originated DDoS attacks are quite infamous for targeting CISA and other security agencies. In April 2022, CISA published an alert about this Russian state-sponsored group’s attacks and the possible attacks on critical infrastructure. Health Sector Cybersecurity Coordination Center (HC3) also published an analyst note about the group’s DDoS attacks against healthcare institutions in December 2022. DDoS attacks with brute-force tactics have become Killnet’s MO. For this research commentary, Black Kite Research studied more than 1,300 federal and state agencies in the US to understand how resilient they are to similar DDoS attacks.

Who is Killnet?

Since the Russian invasion of Ukraine, Killnet has become popular for carrying out DDoS (Distributed Denial of Service) attacks against countries supporting NATO countries. The purpose of DDoS attacks is to interrupt services by sending too many requests to websites or API services. Even though those are short-duration attacks, the interruption of critical services can create massive expenses and cause damage to society. Killnet consists of lesser-known Russia-supporting groups working with other infamous cybercrime groups such as XakNet Team. Their DDoS attacks have targeted multiple NATO countries, including the U.S., Canada, Australia, Italy, and Poland, as well as Ukrainian supporters in practically all Eastern European, Nordic, and Baltic countries. The group experienced some leadership change last year. The previous leader, nicknamed KillMilk, stepped down to form their own threat group. Blackside, an expert in phishing, ransomware, and crypto theft has become the group’s new leader. KillNet uses a Telegram channel to share their attacks and announcements.

Victim List of KillNet

KillNet is responsible for DDoS attacks on several organizations in 2022, such as the European Parliament on November 23, U.S. airports (at least 24 airports on or after October 10), and government agencies in different countries (ex. Romanian government institutions on April 19).

Techniques, Tactics, and Procedures (TTPs) of Killnet

Killnet’s attack vector of choice is Distributed Denial of Service (DDoS). They do not use or develop custom tools or very sophisticated tools. The group has a preference for brute-forcing credentials on TCP ports 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH). During the Killnet’s DDoS attacks between April and May 2022, cybersecurity researchers from Avertium observed 381 attacks coming from 58 unique IP addresses – 56 of which were dictionary attacks using well-known default credentials in hopes that their target wouldn’t change them. It also appeared that this action could be their way of conducting reconnaissance or credential harvesting for later use. Observed password attempts did not contain a specific pattern except for weak passwords. After Killnet carries out a DDoS attack, the group falsifies its target’s website and posts a pro-Russian message. This behavior shows us that the Killnet group works for retaliation or to support Russia. But their tactics and techniques are limited as they only attack institutions with DDoS attacks.

DDoS Resiliency of US Federal and State Government Agencies

DDoS resiliency can be measured from multiple aspects.
    • Lack of redundancy of name (DNS) and email (MX) servers
    • Being open to brute-force or other types of DDoS attacks
    • Having a configuration that helps threat actors exploit and attack others
The Black Kite platform rates the DDoS resiliency of companies and organizations with an A-F letter grade by using the aspects mentioned above. The good news is that only four out of 1,300 federal and state organizations have a DDoS Resiliency rating of C or below. However, when we analyze the details, we do still see some warning signs.
killnet graphic 4

Lack of redundancy of name (DNS) and email (MX) servers

Threat actors target companies that do not have proper redundancy of critical servers such as nameservers and mail servers. Hosting all the DNS or MX servers in the same subnet poses the risk of a single point of failure. If threat actors like Killnet execute DDoS attacks on the nameserver, the server will not be available during the attack, and certain services will be interrupted.

Being open to brute-force or other types of DDoS attacks

Some configurations in Content Management Systems (CMS) or Border Gateway Protocol (BGP) systems make an organization a suitable target for DDoS attacks. For example, suppose a website control panel on a content management system (such as XML-RPC on WordPress) is discoverable easily and open to brute force attacks. In that case, threat actors can see this as an opportunity to execute DDoS attacks (sending too many login requests with false credentials) that can take a website down. Our study discovered that only four (0.31%) agencies have a misconfigured XML-PRC (available access to xmlprc.php). XML-RPC on WordPress is an API or “application program interface.” Attackers can launch brute force amplification attacks against WordPress XMLRPC. Attackers leverage the “system.multicall” method to attempt to guess hundreds of passwords within just one HTTP request.
Similarly, open BGP ports can attract threat actors to execute DDoS attacks. By design, BGP routers accept advertised routes from other BGP routers by default. It allows for automatic and decentralized traffic routing across the Internet, leaving it vulnerable to accidental or malicious disruptions. Threat actors can utilize publicly accessible BGP ports to execute a DDoS attack (known as the BGP attack), where attackers take control of many fast routers to overwhelm their victims. Attackers take advantage of the ability of routers to exchange router tables. They let the controlled routers know that their target is a router asking for a routing table’s exchange, which sends an enormous amount of incoming packets to the victim, overwhelming it. Among 1,300 agencies, 53 (4%) have publicly available BGP Ports.

Having a configuration that helps threat actors exploit and attack others

Some configurations that the organization created may help attackers amplify the traffic targeted for another company (the actual victim). Organizations with these configurations may become the middle-man in this type of DDoS attack. Examples of such configurations are DNS amplification and NTP amplification. Like other amplification attacks, a DNS amplification attack is a reflection attack. Threat actors execute the attack by instructing bots or a botnet to send DNS queries with a forged source address to a legitimate server. The operation results in a significant response sent back to the victim, the owner of the generated address. The process typically involves an attacker sending a DNS name lookup request to a company’s DNS server, spoofing the source IP address of the targeted victim. Here the company’s servers are not the victim but are forced to act like a medium in the attack. Black Kite discovered that more than 67% of agencies have DNS configurations that may help attack to execute amplified DDoS attacks against target companies.

Recommendations for Improved DDoS Resiliency

    • Have multiple nameservers in different subnets.
    • Have multiple email servers in different subnets.
    • Block all access to xmlrpc.php if possible. If you can’t block XML-RPC, block “system.multicall” requests using a WAF (web application firewall).
    • Apply whitelisting to access BGP ports (TCP:179), enable BGP Neighbor Authentication, check BGP Time To Live Security, and set AS Path Length Limiting
    • Block specific DNS servers or all open recursive relay servers and rate limiting (ignoring ANY requests).
    • Use Public NTP for external hosts, configure Internal NTP hierarchical service for your network, limit or firewall UDP:123 from the internet if necessary.
    • Reconfigure your perimeter firewall to disable pings that block attacks from outside your network.
    • Use ISP-level DDoS protection against ICMP floods by limiting the size of ping requests and the rate at which they can be accepted.
    • Filter out ICMP requests at the server level.