On May 15, Russian threat group Killnet published a video on their Telegram channel declaring war on 10 nations, including the United Kingdom. But how worried should we be?
Who are Killnet?
Killnet are a pro-Russian threat group active since March 2022. They have largely targeted organisations across Europe and the United States, specifically in NATO-aligned countries, with distributed denial-of-service (DDoS) attacks or ‘hack and leak’ attacks, in retaliation for those countries’ support for Ukraine in the conflict with Russia.
The threat group were initially established in response to the IT Army of Ukraine and as such comprise individuals from around the world with differing levels of skill and competency.
The attacks attributed and claimed by Killnet to date have primarily involved DDoS attacks against airports globally, including Gatwick, and more recently have included attacks specifically directed at foreign police forces.
Killnet were also involved in attempts to disrupt the viewing of Eurovision, hosted by Italy on May 14. While attempts were foiled, there have been subsequent reports that at least one Italian State Police site was also targeted (www.poliziadistato.it) simultaneously.
The attack against Italian police appears to have had some success as the site was reported as unavailable over the weekend and since May 17 has not been available from outside of Italy.
Despite disputing their involvement in the attacks on Eurovision, the group has published an Anonymous-style video on their Telegram channel which, when translated, gives the following message:
“Greetings to all our enemies, today we officially declare cyber war on the government of ten countries. From now on, our attacks will include the United States, Great Britain, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine.”
Given the recent statement and focus on police forces by Killnet, the risk to UK organisations is deemed to be high. As such, an attack against organisations and those associated with UK policing and the UK Government is deemed to be highly likely.
Should the UK Government make further statements of support for Ukraine, should further Killnet arrests be made within the UK, or should further action be taken which Killnet deem to be aggressive towards Russia, the likelihood of attack may rise to almost certain.
Key tactics
The consistent attack vector behind Killnet’s campaigns is the use of DDoS attacks. The group also focus on governments that provide support to Ukraine as the Russian invasion continues.
These tactics are demonstrated by their attacks against Romanian border police, German state police and Italian state police.
One type of DDoS leveraged by the group is a technique known as slow HTTP, also known as low and slow. This technique requires very little bandwidth in comparison to other denial-of-service (DoS) methods.
Slow HTTP exploits a web server's need for complete packets, meaning that an attack can be successful with fewer resources than other methods. The aim of the attack is to target thread-based web servers by occupying every thread with slow requests that are sent just above the timeout limit, preventing genuine users from connecting.
There are two tools commonly used for this:
Slowloris: connects to the server and then slowly transmits partial HTTP headers. This maintains the connection as the server is expecting the rest of the header, therefore tying up the thread.
R.U.D.Y: generates HTTP POST requests that are sent to the server. The server is told how much data to expect; however, this is a trick, and the data is then sent very slowly to maintain the connection.
Mitigations: what should I do?
As well as ensuring that DDoS mitigations are in place and in line with this threat, especially where interruption to uptime and business continuity would have a serious impact, note that the rate detection techniques used to identify traditional DDoS attacks, such as floods, will often not be effective against low and slow attacks, since these appear too similar to normal traffic.
Therefore, we recommend careful monitoring and logging of server resource usage, identifying normal behavior and resource usage that can then potentially highlight unusual activity.
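As an added example (not part of the original advisory), the monitoring advice above can be applied by checking each open connection's state and byte rate, not the overall request rate. The Conn fields, the thresholds and the snapshot are constructed assumptions to be tuned against your own baseline.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    client: str             # client address
    age_s: float            # seconds since the connection was accepted
    bytes_in: int           # request bytes received so far
    request_complete: bool  # True once headers and declared body have arrived

# Assumed thresholds; derive real values from a baseline of normal traffic.
MIN_AGE_S = 10.0            # ignore connections younger than this
MIN_BYTES_PER_S = 50.0      # a genuine client sends its request far faster
POOL_ALERT_RATIO = 0.5      # alert when stalled requests hold half the workers

def stalled(conns):
    """Connections still sending a request that are old and below the rate floor."""
    return [c for c in conns
            if not c.request_complete
            and c.age_s >= MIN_AGE_S
            and c.bytes_in / c.age_s < MIN_BYTES_PER_S]

def assess(conns, worker_slots):
    """Summarise how much of the worker pool is tied up by stalled requests."""
    slow = stalled(conns)
    by_client = {}
    for c in slow:
        by_client[c.client] = by_client.get(c.client, 0) + 1
    ratio = len(slow) / worker_slots
    return {"stalled": len(slow), "pool_ratio": ratio,
            "alert": ratio >= POOL_ALERT_RATIO, "by_client": by_client}

# Constructed snapshot of a six-worker server (documentation address ranges).
SNAPSHOT = [
    Conn("198.51.100.7", 95.0, 310, False),    # open 95 s, about 3 bytes/s
    Conn("198.51.100.7", 92.0, 298, False),
    Conn("198.51.100.7", 90.0, 305, False),
    Conn("203.0.113.20", 0.4, 420, True),      # ordinary completed request
    Conn("203.0.113.21", 12.0, 48000, False),  # large upload, but fast
    Conn("203.0.113.22", 2.0, 100, False),     # too young to judge
]
REPORT = assess(SNAPSHOT, worker_slots=6)
```

A request-rate counter would see only three requests from 198.51.100.7, yet they hold half of the worker pool.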
Increasing server availability may also help reduce the effectiveness of slow HTTP attacks, as an increase in server connections will make it more difficult for a threat actor to occupy each thread.
Nevertheless, this recommendation is not a perfect solution, since a threat actor can scale their attacks and, at present, it is not clear what resources are at Killnet’s disposal.
Mitigations suggested by Italy’s CSIRT include:
Rejecting connections with HTTP methods not supported by the URL.
Limiting the message header and body to a reasonable length.
Setting an absolute connection timeout.
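The three measures above, sketched as an added example that is not code from the original advisory or from Italy's CSIRT: a request reader that enforces a per-URL method list, header and body length limits, and a single deadline for the whole request. The route table, limits and function names are hypothetical.

```python
import asyncio

ALLOWED = {"/": {"GET", "HEAD"}, "/login": {"GET", "POST"}}  # hypothetical routes
MAX_HEADER_BYTES = 8192    # assumed limits; size them to your application
MAX_BODY_BYTES = 65536

async def _parse(reader):
    try:
        head = await reader.readuntil(b"\r\n\r\n")
    except asyncio.LimitOverrunError:
        return 431, "header too long"
    except asyncio.IncompleteReadError:
        return 400, "incomplete header"
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return 400, "bad request line"
    if parts[0] not in ALLOWED.get(parts[1], set()):
        return 405, "method not supported by this URL"
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            if not value.strip().isdecimal():
                return 400, "bad Content-Length"
            length = int(value.strip())
    if length > MAX_BODY_BYTES:
        return 413, "body too long"      # refused before any body byte is read
    try:
        await reader.readexactly(length)
    except asyncio.IncompleteReadError:
        return 400, "incomplete body"
    return 200, "ok"

async def read_request(reader, deadline_s=10.0):
    """One deadline for the whole request, however slowly the bytes arrive."""
    try:
        return await asyncio.wait_for(_parse(reader), deadline_s)
    except asyncio.TimeoutError:
        return 408, "absolute timeout"

def check(raw, closed=True, deadline_s=0.2):  # closed=False: peer stalls mid-request
    async def run():
        reader = asyncio.StreamReader(limit=MAX_HEADER_BYTES)
        reader.feed_data(raw)
        if closed:
            reader.feed_eof()
        return await read_request(reader, deadline_s)
    return asyncio.run(run())
```

Because the deadline wraps the whole parse, a peer that keeps the connection alive with occasional bytes is still cut off, which a per-read idle timeout would not do.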
These recommendations are based on attacks attributed to Killnet so far as this group is still relatively new to the threat landscape. As Killnet continue to develop, it is likely that their attack vectors will also expand.
Government agencies and cyber experts will continue to monitor activity and identify any new techniques in use by the group and disclose them to organisations.
Organisations are additionally encouraged to complete their incident response plans and brief their incident management teams on them, to ensure that they are equipped should an attack, or attempted attack, be targeted against organisational infrastructure and assets.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).