Behind the war in Ukraine is a shady war of cyber attackers reveals … – iTWire

Killnet, Anonymous Sudan, Fancy Bear ... these aren't names you might hear on the daily news, but it's a who's who of hacking groups that operate on the fringe of society, launching devastating attacks against computer infrastructure in response to perceived injustices against their political or moral allegiances. And while these attacks may be targeted, they don't happen in a vacuum, taking down other infrastructure in their path.

These are the messages from Radware director of threat intelligence Pascal Geenens, who monitors and tracks hacker groups, working to understand their motives and methods.

"Killnet is back in the news," Geenens said, explaining that researchers had speculated this pro-Russian hacktivist group may have ceased operations, but Radware's research finds the opposite is true: the organisation is breathing new life, and its founder, Killmilk, is working to refresh his roster with shrewd new members who fit the stringent criteria of his new world order.

According to Geenens, Killmilk is frustrated by the support that Ukraine's IT Army - a government-sanctioned hacking group based in that country - receives from its government, and has spoken out publicly, taunting Russians and even the Russian government for their apathy. He claims he will stand independently and transform his hacktivist group into a private military, cyber elite group, inspired by the Wagner Private Military Company, a group of mercenaries funded by Yevgeny Prigozhin who recently made the news for their almost-coup in Russia.

It's a serious statement and one that could change the face and nature of hacking worldwide, as well as seriously disrupt activities and forces in Ukraine and the Western world. It's thanks to Geenens and his team monitoring and tracking the situation that the rest of the world can be prepared.

Let's rewind; "Killnet is one of the most iconic of the pro-Russian hackers," Geenens explains. His research team at Radware has been following different hacker groups since the Ukraine war began. These groups target Western countries and governments, along with any other government or country that shows support for Ukraine. This includes Australia.

The reason Killnet has such an iconic status is its leader, Killmilk; this individual is media savvy and takes part in media interviews within Russia and also in the West. He tries to present the narrative of a hero in a cyber war, Geenens said.

Previously, Killmilk's attacks were of short-term impact, such as distributed denial of service (DDoS) attacks. These can impact a business and its reputation and take resources and servers down. However, when the DDoS stops, the services typically come back up in a normal state.

In August 2022 Killmilk announced he wanted to go more destructive and pivot to more permanent attacks. He announced a new person would take the lead, Black Kite. We believe Black Kite had a background in ransomware operations and groups, Geenens said.

Yet nothing came of this; Killmilk announced Black Kite would take over and he would step down, but by late 2022 and early 2023 Killnet appeared to be active in the media claiming credit for DDoS attacks actually being performed by others. They were around, but not active in hacking.

Suddenly, in March, Killmilk spoke again. He announced a new group starting; his cyber version of the Wagner Private Military Company, dubbed BlackSkills.

Killmilk's intentions for BlackSkills also include an underground school where he would teach what he'd learned during his first few months of attacks.

"He wanted to make a group of cyber mercenaries, and he would model it on Wagner, who he is clearly a fan of," Geenens explained. He supports Wagner group messages and said he would start a new company consisting of multiple units - HR, training, and a big operation.

We consider he might be trying to do this, but we're not yet seeing how he will pull it off in the short-term future.

Killmilk's media savvy made him one of the most influential people in the pro-Russian hacking scene within Killnet's first year of attacking Western targets. With this influence, he was able to build a cluster around him that has given him influence, control, and followers.

"When the leader of Anonymous Russia was apprehended in Belarus, Killmilk said he would appoint a new leader for that group and reboot it - and that's what happened," Geenens said. With all his media support many people are looking at him and following him, and it gives him the capability of building something bigger, such as BlackSkills.

Prior to the war, Killmilk was active in the hacking and underground scene and sold a botnet-as-a-service dubbed Killnet. It was only after the war commenced that Killnet switched to the activist group it is known as today. And a major source of inspiration came from Ukraine itself. The day after the invasion, President Volodymyr Zelenskyy announced the voluntary IT Army of Ukraine, a Telegram group where tasks are posted for Ukrainian hackers, and any aligned Western hackers, who wanted to take on the tasks and attack Russian infrastructure on a voluntary basis. Killmilk saw this, and immediately built a Killnet Telegram channel promoting Russian narratives and promoting attacks on anti-Russian sentiment.

Surprisingly, Geenens noted, these attacks are almost never on Ukraine itself. Instead, the attacks are waged against France, Italy, Sweden, or other nations if they make pro-Ukrainian remarks. The Killnet cluster attacks in campaigns whenever something is said that would upset Russia, he explained.

There's a reason for this. Nation-state groups such as Fancy Bear are attacking Ukrainian targets for the Russian government, and if all these hacktivist groups went after Ukraine they would trip over, interrupt, or interfere with each other accidentally, Geenens said. So only a couple of groups are specifically performing DDoS attacks against Ukrainian targets. We don't see groups like Killnet or NoName attacking Ukraine.

NoName is another group that similarly modelled itself after the IT Army of Ukraine and its automated botnet. NoName, which specifically separates itself from Killnet, is a volunteer-based botnet that also performs attacks on Western targets. Volunteers are asked to download software that connects to a NoName server, downloads a list of targets, and starts attacking them.

Of course, with all these groups performing DDoS attacks, there's a big problem for the rest of the world. These packets don't magically appear on the Russian border, Geenens said. They go through all the infrastructure, from the US, through France, whichever path it takes. It has an impact on all our infrastructure.

We understand people may have good reasons, but even if they are ethically correct, it doesn't mean DDoS is something we should all reach for, Geenens said.

Meanwhile, another hacking group is Anonymous Sudan. Despite the name, there's a view that this group is a Russian false-flag operation, unrelated to Sudan but designed to look as if Sudan is attacking.

Anonymous Sudan came onto the hacking scene in late January, attacking Sweden and Denmark after a protestor burned the Quran outside the Turkish embassy in Denmark in objection to Turkey's blocking of NATO.

The act outraged Muslims, and Anonymous Sudan appeared on the scene out of nowhere, DDoSing targets in Sweden and Denmark.

Of course, the Russian people also didn't want NATO support, and while Anonymous Sudan claimed its motivations were religious and Killnet's were political, the latter reached out to welcome Anonymous Sudan into the Killnet cluster.

Anonymous Sudan has since used the Killnet cluster name in its own branding and has further launched cyber attacks on airports in France, citing the Charlie Hebdo cartoon about Mohammed as their motivation.

When fashion label Not A Man's Dream sent a model down a catwalk in transparent clothing bearing the words "Allah walks with me", pro-Muslim hackers in Pakistan and Bangladesh announced an operation against Australian companies including ports, governments, and other online businesses.

Anonymous Sudan picked up on this and joined the fight. The organisation has a well-established infrastructure, Radware has identified, and rents large amounts of space in data centres. It also rents anonymous proxies to route the traffic so it appears to come from someone's home when in fact it is coming from huge cloud-based servers.

This type of attack bucks the trend; Geenens explained that typically you'd see these attackers going after applications because they don't have a lot of infrastructure themselves.

NoName perfected the skill with its volunteer botnet named project DDoSia, where volunteers can install software that starts attacking a list of targets from a central command-and-control server.

While these groups don't have a lot of members, it's the first time, Geenens noted, that researchers saw an attacker perform reconnaissance. They would look at a website and determine whether specific pages would impact the infrastructure more than others. For example, a search query might go to a backend database, and bringing that down could be more impactful than hitting the static website home page.

Their research sees them going to a website and looking for pages like contact forms or feedback forms. They analyse the form, copy all the parameters and arguments, and randomise what they post into it. They generate realistic random values to fool bot detection - phone numbers, email addresses, and long free-text entries - building attacks that mimic real traffic and are therefore harder to block.

Even if the attack doesn't bring down the resource it still has a large impact. You can imagine the Government receiving a million feedback forms and having to trawl through them to find one or two legitimate messages from constituents.
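As an added illustration (not from Radware or this article), here is a defender-side check for the form-flood pattern just described: it reads constructed JSON log lines from a hypothetical feedback-form handler (the field names are assumptions) and flags any minute with a burst of submissions whose email and phone values are almost all distinct, the signature of randomised form spam rather than one client retrying.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: two legitimate submissions, then a one-minute burst of 300
# randomised submissions spread over 40 sources (the volunteer-botnet pattern).
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": "2023-06-30T10:00:05", "src": "203.0.113.5", "path": "/feedback",
                 "email": "jane@example.org", "phone": "0412000111", "msg_len": 240}),
     json.dumps({"ts": "2023-06-30T10:00:41", "src": "203.0.113.7", "path": "/feedback",
                 "email": "tom@example.net", "phone": "0412000222", "msg_len": 95})]
    + [json.dumps({"ts": f"2023-06-30T10:01:{i % 60:02d}", "src": f"198.51.100.{i % 40}",
                   "path": "/feedback", "email": f"u{i}@mail{i % 7}.test",
                   "phone": f"04{i:08d}", "msg_len": 1500 + i})
       for i in range(300)]
)


def detect_form_flood(log_text, min_submissions=50, min_unique_ratio=0.9):
    """Flag each minute in which the form endpoint receives a burst of submissions
    whose contact fields are (almost) all distinct, i.e. randomised per request
    rather than repeated by a single misbehaving client. Returns one dict per
    flagged minute with the figures an analyst needs to triage it."""
    per_minute = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["path"] == "/feedback":                 # assumed form endpoint
            per_minute[rec["ts"][:16]].append(rec)     # bucket on YYYY-MM-DDTHH:MM
    alerts = []
    for minute, recs in sorted(per_minute.items()):
        n = len(recs)
        if n < min_submissions:
            continue
        uniq_email = len({r["email"] for r in recs}) / n
        uniq_phone = len({r["phone"] for r in recs}) / n
        if min(uniq_email, uniq_phone) < min_unique_ratio:
            continue   # repeated identities: more likely a retry loop than a flood
        sources = Counter(r["src"] for r in recs)
        alerts.append({
            "minute": minute,
            "submissions": n,
            "distinct_sources": len(sources),     # many sources => distributed
            "avg_msg_len": sum(r["msg_len"] for r in recs) / n,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_form_flood(SAMPLE_LOG):
        print(alert)
```

A low distinct-source count with the same burst points at a single abusive client that can be rate-limited; a high count is the distributed case where per-source limits alone will not help and form-level controls (challenge, token, queueing) are needed.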

By contrast, Anonymous Sudan goes a different way. It ramps up fast, using its extensive infrastructure to perform millions of requests per second.

Radware's researchers have observed Anonymous Sudan running campaigns against multiple companies and countries. This includes a recent attack on Microsoft. Microsoft published a blog saying Office applications and the Azure cloud were attacked, and while Microsoft called the attacker Storm, Radware is almost certain it was Anonymous Sudan because of the consistent attack vectors.

In contrast to many attacking groups, Anonymous Sudan somehow has the equipment and funding to run its own servers to perform such high-hitting attacks.

Radware itself has been targeted by some of these groups, although at other times they have been delighted by Radware's charts of the top attacking groups, taking these to the hacking forums as evidence of how dangerous they are.

Killnet is found in a lot of social circles, and people in the general public follow them. The rapper Kasha made a song about the group in 2022, KillnetFlow (Anonymous diss), and, Radware believes, made donations to Killnet. Killnet also receives donations from an artist who made a special line of Killnet jewellery such as rings and earrings, with 50% going to the group. It's a clever move by the artist, with their small business leveraging Killnet's social channel.

Additionally, Killnet advertises DDoS services, and anonymous VPN servers, and manages other deals where their celebrity status sees the advertisers coming forward with offers. Additionally, Killnet has been associated with forums that are used for underground transactions like selling drugs.

There's more; the Killnet exchange is a crypto exchange for hacktivists to convert crypto to roubles, even delivering to your door.

However, "where Anonymous Sudan gets money from is still a mystery," Geenens said. That's why some people think it is a Russian false-flag operation.

Geenens believes Killmilk works as a DBA for an IT company. "We see many hacktivists, criminals, and others have a day job in IT and then go home and start their second job with hacking and crime," he said.

However, one thing is clear: if a criminal wants to perform a DDoS attack the public almost never finds out, because there's no advertisement. The hacktivists are the complete opposite, Geenens said. They want people to know; they shout it to the world. They're sending all those messages and that's how we can track them.

You can follow Pascal Geenens on LinkedIn and on Radware's blogs. You can also follow Radware's security research centre.
