By Natalie Trotter
Over the past 8 months, the Russian-led invasion of Ukraine has had an unprecedented impact on the cyber security market through cyber attacks. Given a history running from the attacks during the 2014 occupation of Crimea to the NotPetya worm in 2018, it was unlikely that this pattern would alter drastically during the invasion. Within 6 months of the invasion, Ukraine had registered a total of 1,123 cyberattacks (1).
While claims frequency is down significantly across the insurance market, high-profile attacks have continued. High-profile targets have included Lloyd’s of London and four major airports in the US (O’Hare, LAX, Atlanta Hartsfield, and LaGuardia).
Who is the threat actor?
Killnet, which has more than 100,000 subscribers across its Telegram channels, is the alleged threat actor behind each of these attacks.
Killnet was not initially created to be a hacktivist group. It was originally the name of a tool that could be used to launch DDoS attacks. It subsequently transformed from a criminal service provider to a hacktivist group. According to Digital Shadows, Killnet claimed that countries siding with Ukraine, and/or providing support to it, are contributing to this aggression (2).
Killnet specializes in Distributed Denial of Service (DDoS) attacks. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
While DDoS attacks are generally considered little more than a nuisance, they can knock websites offline for hours or even days.
Killnet encourages fellow Russia supporters with entry-level hacker skills to join it in trying to disrupt infrastructure or industry in NATO countries.
Lloyd’s of London was involved in implementing sanctions against Russia earlier in 2022, instructing its insurance syndicates to remove coverage for “nation-state-backed cyberattacks” from insurance policies by March 2023, as well as losses “arising from a war”. On 5 October, 2022, Information Security Magazine reported that Lloyd’s revealed it had detected “unusual activity” on its systems and had turned off all external connectivity “as a precautionary measure” (3).
US airports DDoS attack
Monday 10 October, 2022 saw DDoS attacks against multiple US airports (4). These attacks left customers unable to check flight times or obtain information about their flights, although no systems involved with air safety have been reported to have been affected.
Almost since the beginning of the Russian invasion of Ukraine, the Killnet group has been continuously posting alleged evidence of DDoS attacks against organizations in NATO member states and those it perceives as supporting Ukraine in the conflict (5). Killnet is also reported to have targeted the websites of several US states (6) at the beginning of October, successfully knocking Colorado.gov offline for more than a day and briefly interrupting Kentucky.gov.
The war in Ukraine is far from over, despite Ukraine’s recent counterattacks, and the role of cyberattacks may continue to evolve in unforeseen ways.
It remains an unnerving time as Europe heads into winter with Russia controlling so much of Europe’s energy supply. There have been multiple reports of Killnet attacks against the energy industry over the past few months. Lithuania, Ukraine’s state nuclear power company Energoatom, Greece’s largest natural gas supplier DESFA, Australian mining company Lynas Rare Earths, and UK utility infrastructure and power provider Fulcrum were all hit by cyber security attacks in Q3, 2022 (7).
Cyber systems for energy assets are naturally on high alert following the increasing cyber threats from Russian-aligned threat actors and as the West tightens sanctions on Russia over the invasion of Ukraine.
As much as we hope this won’t be the case, if a cyber attack proves successful please do not hesitate to contact us. Cyberclan has extensive experience in responding to ransomware attacks and is able to provide incident response, investigation analysis, negotiations, sanction review and analysis, and post breach remediation.
If you have questions on how we can help your business to prevent or respond to a cyber attack, or about the payment of a ransomware demand, using cryptocurrency or otherwise, please do not hesitate to contact us, using the form below.