KillNet declared “war” in May after the attack on the Eurovision Song Contest was foiled
Prajeet Nair (@prajeetspeaks) • October 10, 2022
A pro-Russian political hacking group claims responsibility for distributed denial-of-service attacks that have taken the public websites of several major US airports offline. Air traffic was not affected.
The group KillNet also claimed responsibility for a series of DDoS attacks last week that temporarily disabled a handful of US state government websites.
Among the dozen airports affected by Monday’s attack are Chicago’s O’Hare and Midway International Airports. Both are owned by the City of Chicago and share the web domain flychicago.com. A KillNet Telegram channel previously published a list of more than two dozen targets. Other airports that are having some difficulty with public-facing sites today are Atlanta’s Hartsfield-Jackson Atlanta International Airport, Los Angeles International Airport and Denver International Airport.
The Russian-speaking group, whose Telegram channel features memes, digital stickers and coverage of its exploits, has also called for DDoS attacks on sea terminals and logistics facilities, weather monitoring centers, the healthcare system and online trading systems.
KillNet is one of a handful of cybercrime groups that have pledged allegiance to Moscow, the US federal government found earlier this year. Some of these groups operate more closely with Moscow than others, and may form a front for state-sanctioned hacking rather than genuine hacktivism.
The emergence of the group makes clear that every war in the information age will have a cyber component – but also how anger and defacement, rather than a fully fledged cyber war, have been a hallmark of the Russia-Ukraine war to date (see: Key Takeaways: Cyber Operations During the Russia-Ukraine War).
Threat monitoring firm Digital Shadows writes that KillNet started out as the name of a DDoS tool, and the group behind it morphed from criminal contractors to Kremlin-affiliated hacktivists. It recruits volunteers to perform DDoS attacks and organizes them into squads with names like “Kratos”, “Rayd” and “Zarya”.
The Italian Computer Security Incident Response Team described a KillNet DDoS attack in three waves.
The first was a flood of network-level connection requests that overwhelmed targets with bogus requests for a TCP connection or with UDP traffic. This first wave came bundled with DNS amplification requests, attacks that flood servers with falsely requested Domain Name System responses, and with IP fragmentation attacks, in which Internet Protocol datagrams are chopped up into smaller chunks to consume available storage. The second wave was an intensification of the first, but without DNS amplification. The last wave alternated between network layer attacks and protocol-based attacks.
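A defender-side sketch of the vectors in that description, added here as an example and not taken from the article or the Italian CSIRT: it sorts inbound packet summaries into connection-request floods, UDP floods, unsolicited DNS responses and IP fragments, then reports which vectors are active in a time window. The record layout, the threshold and the sample windows are constructed assumptions.

```python
from collections import Counter

# Constructed packet summaries: (proto, src_port, tcp_flags, is_fragment, dns_txid).
# dns_txid is set only on DNS responses (UDP source port 53).
SENT_QUERIES = {0x1A2B}  # assumed: transaction IDs of queries this network sent

def classify(pkt):
    """Map one inbound packet summary to the vector it counts toward, or None."""
    proto, sport, flags, frag, txid = pkt
    if frag:
        return "ip_fragmentation"
    if proto == "tcp" and flags == "S":  # connection request: SYN without ACK
        return "syn_flood"
    if proto == "udp" and sport == 53:
        # A DNS response to a query we never sent is reflected traffic.
        return None if txid in SENT_QUERIES else "dns_amplification"
    if proto == "udp":
        return "udp_flood"
    return None

def vectors(window, threshold=3):
    """Vectors whose packet count in one time window reaches the threshold."""
    counts = Counter(v for v in map(classify, window) if v)
    return {v for v, n in counts.items() if n >= threshold}

SYN = ("tcp", 40000, "S", False, None)
UDP = ("udp", 40001, None, False, None)
REFLECTED = ("udp", 53, None, False, 0x9999)   # unsolicited DNS response
ANSWER = ("udp", 53, None, False, 0x1A2B)      # reply to our own query
FRAG = ("udp", 40002, None, True, None)
ESTABLISHED = ("tcp", 443, "A", False, None)

# Constructed windows shaped like the first two waves in the description.
WAVE1 = [SYN] * 4 + [UDP] * 3 + [REFLECTED] * 3 + [FRAG] * 3 + [ANSWER, ESTABLISHED]
WAVE2 = [SYN] * 8 + [UDP] * 6 + [FRAG] * 6 + [ANSWER, ESTABLISHED]

if __name__ == "__main__":
    for name, window in (("wave 1", WAVE1), ("wave 2", WAVE2)):
        print(name, sorted(vectors(window)))
```

A production sensor would derive the threshold from a traffic baseline rather than use a fixed count.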
KillNet gained particular international attention after its May attempt to halt online voting for the Eurovision Song Contest, which was taking place in the Italian city of Turin earlier this year (see: Italian police fend off online attempt to disrupt Eurovision). After Ukraine’s victory – for the song “Stefania” – KillNet said on Telegram that it “declares war” on ten countries, “including the fraudulent police of Italy”.
Monday isn’t the first time KillNet has targeted US airport websites. In March, it claimed credit for a DDoS attack on Bradley International Airport, a facility the Federal Aviation Administration classifies as a “moderate” commercial airport.
“Bradley Airport – not sure why they targeted it,” tweeted the account of threat research company CyberKnow at the time.