Content, Content, Breach, Content, Malware, Ransomware

Killnet, a Pro-Russian Hacktivist Crew, Pivots to Cyber Mercenaries for Hire, Report Says

Credit: Getty Images

Killnet, a cyber crew that has touted itself as “hacktivists” actively targeting opponents of Russia’s invasion of Ukraine, has rebranded itself as "Black Skills."

And they say that it’s all about the money now.

Now Operating as a "Private Military Hacking Company"

The hacking group, responsible for widespread distributed denial of service (DDos) attacks in Europe and the U.S., posted on the instant messaging service Telegram in late April that it is ending its altruistic activities and reorganizing as a “private military hacking company,” Flashpoint, a risk management and mitigation specialist said in a blog post.

According to the group, it will continue attacking Western entities but will now take orders from private and public entities for money. Last fall, Killnet announced it had reorganized into a “collective” under which smaller hacktivist groups could operate.

Killnet apparently has not posted any updates regarding Black Skills since March. According to Flashpoint:

“The past months have also seen Killnet trying to make money in various ways, although it appears that these attempts to attract funding were mostly unsuccessful, or at the very least insufficient.”

The moves for financial gain include:

  • Publicly applying for sponsorship from the Russian state and from Russian business people several times over the past months
  • Selling access to various documents exfiltrated from NATO countries
  • Selling the “Infinity” forum, which the group created in December 2022
  • Promoting its paid “hacking school” ($249 for a course) which is apparently yet to launch
  • Advertising its paid DDoS services
  • Soliciting money from its followers

Several users of top-tier forums Exploit and XSS have speculated that through the “hacking school” Killnet would simply resell old hacking manuals available on WWH-Club, a Russian illicit forum that has specialized in disseminating instructive materials.

As Flashpoint stated:

“While there is no indication that Killnet has acquired more sophisticated TTPs over the past months, the group’s more open move towards becoming paid cyber mercenaries should be a cause for concern, as it provides a blueprint or a model for other groups.”

Flashpoint said it has “pointed out several times” that Killnet has remained a primarily financially motivated group that has used the media exposure provided by an “eager Russian pro-Kremlin media ecosystem” to promote its DDoS-for-hire services.

Killnet Targets German, U.S. Websites

Killnet’s hacktivist activities are well-known in the security community. For example, this past January, Killnet kicked a number of German websites offline with DDoS attacks in response to Berlin’s decision to deploy tanks to Ukraine to support its war efforts.

In October 2022, Killnet, is believed to be behind the attacks of more than a dozen U.S. websites flooded with DDoS attacks, in protest of U.S. support of Ukraine.

It was another stark example of cyber warfare entering an arena with traditional war with Killnet attacks on government websites, banks and airports. Hackers, such as Killnet and an allied group called XakNet, are said to be more concerned with protecting social and political causes than financial gain.

Cybersecurity experts have long worried about the Kremlin carrying out cyber strikes on countries that have backed Ukraine with weapons and using state-sponsored cyber crews to do its bidding. But Killnet’s ties to Moscow are not clear. For its part, XakNet has previously denied any Russian government-affiliation.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.