KillNet declared ‘war’ in May after its Eurovision Song Contest attack was foiled
Prajeet Nair (@prajeetspeaks) • October 10, 2022
A pro-Russian political hacking group claims responsibility for distributed denial-of-service attacks that took the public websites of several major US airports offline. Air travel was not affected.
The group, KillNet, also took responsibility last week for a series of DDoS attacks that temporarily disabled a handful of US state government websites.
Among the dozen airports affected by Monday’s attack are Chicago’s O’Hare and Midway International Airports. Both are owned by the City of Chicago and share the flychicago.com web domain. A KillNet Telegram channel previously posted a list containing more than two dozen targets. Other airports having trouble with public-facing websites today include Atlanta’s Hartsfield–Jackson Atlanta International Airport, Los Angeles International Airport and Denver International Airport.
The Russian-language group, whose Telegram channel offers memes, digital stickers and media coverage of its exploits, has also called for DDoS attacks against maritime terminals and logistics facilities, weather monitoring centers, and healthcare and e-commerce systems.
KillNet is one of the few cybercrime groups to have declared allegiance to Moscow, the US federal government concluded earlier this year. Some of these groups operate in closer allegiance to Moscow than others, perhaps constituting a front for state-sanctioned hacking rather than true hacktivism.
The group’s emergence highlights how any warfare in the information age will have a cyber component, but also how annoyance and degradation, rather than fully developed cyberwarfare, have been a hallmark of the Russian-Ukrainian war to date (see: Key Takeaways: Cyber Operations During the Russian-Ukrainian War).
Threat monitoring firm Digital Shadows writes that KillNet began as the name of a DDoS tool, and the group behind it grew from criminal service providers to Kremlin-aligned hacktivists. It recruits volunteers to carry out DDoS attacks, organizing them into teams with names such as “Kratos”, “Rayd”, and “Zarya”.
Italy’s Computer Security Incident Response Team described a KillNet DDoS attack as occurring in three waves.
The first was a flood of network-level connection requests that overwhelmed targets with bogus TCP connection requests or UDP traffic. This first wave was accompanied by DNS amplification, in which servers are flooded with Domain Name System responses they never requested, and by IP fragmentation attacks, in which Internet Protocol datagrams are cut into small pieces designed to consume the available memory. The second wave was an intensification of the first, but without DNS amplification. The last wave alternated between network-level attacks and protocol-based attacks.
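From the defender's side, the first two waves can be told apart by the mix of vectors seen in each time window. The following is an added example, not code from the article or from Italy's CSIRT: it labels packet summaries as SYN flood, UDP flood, unsolicited DNS response or IP fragment and reports which vectors cross a threshold per window. The field names, the 10-second window, the threshold of 3 and all sample traffic are constructed assumptions.

```python
from collections import Counter, defaultdict

def classify(pkt, pending):
    """Label one packet summary with the flood vector it resembles, or None."""
    # Fragments (more-fragments bit or non-zero offset) tie up reassembly memory.
    if pkt.get("mf") or pkt.get("frag_offset", 0) > 0:
        return "ip_fragmentation"
    if pkt["proto"] == "tcp":
        # A bare SYN is a connection request; SYN-ACK, ACK etc. are not counted.
        return "tcp_syn_flood" if pkt.get("flags") == "S" else None
    if pkt["proto"] == "udp":
        if pkt["sport"] != 53:
            return "udp_flood"
        # A DNS response is solicited only if we hold the matching query.
        key = (pkt["src"], pkt["dport"], pkt["dns_id"])
        return None if key in pending else "dns_amplification"
    return None

def vectors_per_window(packets, pending, window=10, threshold=3):
    """Map window start -> sorted vectors seen at least `threshold` times."""
    counts = defaultdict(Counter)
    for pkt in packets:
        label = classify(pkt, pending)
        if label:
            counts[pkt["ts"] // window * window][label] += 1
    return {start: sorted(v for v, n in c.items() if n >= threshold)
            for start, c in sorted(counts.items())}

def _burst(ts, n, **fields):
    # Constructed sample traffic: n packets from distinct documentation-range sources.
    return [dict(ts=ts, src=f"198.51.100.{i}", **fields) for i in range(n)]

PENDING = {("192.0.2.53", 40000, 7)}  # constructed: the one query we really sent
SAMPLE = (
    _burst(1, 4, proto="tcp", flags="S", sport=1025, dport=443)
    + _burst(2, 4, proto="udp", sport=4444, dport=80)
    + _burst(3, 4, proto="udp", sport=53, dport=33000, dns_id=1)
    + _burst(4, 3, proto="udp", sport=4444, dport=80, mf=True)
    + [dict(ts=5, src="192.0.2.53", proto="udp", sport=53, dport=40000, dns_id=7)]
    + _burst(11, 5, proto="tcp", flags="S", sport=1025, dport=443)
    + _burst(12, 5, proto="udp", sport=4444, dport=80)
    + _burst(13, 3, proto="udp", sport=4444, dport=80, frag_offset=185)
)

if __name__ == "__main__":
    for start, vectors in vectors_per_window(SAMPLE, PENDING).items():
        print(f"t={start:>3}s  {', '.join(vectors)}")
```

In production the fixed threshold would be replaced by a per-service baseline, since ordinary UDP and SYN traffic also match these labels at low rates.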
KillNet drew particular international attention following its May attempt to stop online voting for the Eurovision Song Contest, held this year in the Italian city of Turin (see: Italian police repel online attempt to disrupt Eurovision). After Ukraine’s victory, for the song “Stefania”, KillNet said on Telegram that it was “declaring war” on 10 countries, “including the deceptive police of Italy”.
Monday isn’t the first time KillNet has targeted US airport websites. In March it claimed credit for a DDoS attack on Bradley International Airport, a facility the Federal Aviation Administration classifies as a “medium” commercial aviation hub.
“Bradley Airport – I don’t know why they targeted it”, tweeted the account of threat research firm CyberKnow, at the time.