The most infamous Russian Hacktivist group’s operational structure
TL;DR:
- Killnet has grown their umbrella organization considerably since March 2022.
- Killnet continues to rally new groups to their large-scale campaigns, such as the targeting of Germany and NATO in recent months.
- Killnet and its creator Killmilk continue to have success in impacting the information space of the Russia-Ukraine War.
- Killnet has rallied at least 22 groups to join in various campaigns, highlighting their growing influence and reputation.
- Killnet is a good example of why Intent needs to be a factor for consideration when monitoring threats in cyberspace.
- Killnet will continue to grow as an organization, with increased and more dangerous capabilities a growing possibility in 2023.
Background:
For those not aware of my work, I have been monitoring and reporting on the cyber landscape of the Russia-Ukraine War since the start of the large-scale invasion on 24 February 2022. The main product for this is the cybertracker, which continues to provide insights into the scale of cyber activity at all levels. While many speculated that we would have a large-scale ‘cyber-war’, what we have instead seen is large volumes of hacktivist activity from both pro-Russian and pro-Ukraine groups, who leverage DDoS, defacement, doxing, ransomware and breach-and-leak attacks not only to inflict cyber damage but also to manipulate the information space.
There is no greater example of this than Killnet, the now infamous pro-Russian hacktivist group which has caused trouble across North America and Europe since February 2022 and continues to grow its network and improve its capabilities. Killnet is driven by extremely high intent, and with that they are leveraging opportunities, arguably without high capabilities.
They are an excellent example of the risk the re-emergence of hacktivism poses to organizations globally. We now live in an ‘as-a-service’ world: if a group is motivated and has high intent, it will either find opportunities with the capability it has or simply purchase what it needs.
The Russia-Ukraine war has now shifted the threat landscape for hacktivist cyber activity and norms as well as for information operations.
Killnet ORBAT:
Below I have provided the most comprehensive ORBAT (order of battle) that I have been able to create from monitoring Killnet for over a year.
As you can see, it is vast and shows that, despite Killnet’s perceived reputation as a bunch of ‘skids’, they are well organized and have a decent structure. Some key takeaways:
- Killnet has its own crypto-exchange, which likely helps them fund ongoing operations; they were originally a financially motivated group.
- Killnet has its own forum, Infinity Forum, which was created by Killmilk with support from Deanon and possibly Solaris Forum.
- Killnet had a small organization last year with Legion and its ‘special forces’ groups, most of which are now shut down.
- Killnet now has active groups who are all capable on their own, such as Anonymous Russia and Phoenix. It is worth noting that all the active groups will conduct operations independent of Killnet as well as in support of them.
- Killnet also has huge influence over other pro-Russian groups; this was most noted with the #RIPGermany campaign, which saw 22 separate groups join Killnet’s attacks on German networks.
- Killnet continues to grow in size and support, and it is likely this will continue into 2023, as they have no doubt created a strong reputation. They conduct interviews in Russian media and are praised across many Russian media outlets and Telegram groups.
- Killnet continues to use DDoS as its main weapon, and this is also true of its many groups; however, defacement and doxing are increasing, along with an interest in ransomware and breach-and-leak attacks.
- I am sure I have missed something with my ORBAT; as Killnet sees my work, I am sure they will correct any mistakes.
If you have anything to contribute to this ORBAT, or further insights on Killnet or any hacktivist group, pro-Ukraine or pro-Russian, please reach out.
I am just one crazy Australian doing this in my spare time.
For continued updates: https://twitter.com/Cyberknow20