Killnet
Killnet is a pro-Russia, Russia-linked hacktivist and cybercriminal threat group primarily associated with distributed denial-of-service (DDoS) operations. The content describes it as Russia-affiliated, Russia-based, and pro-Russian, and notes that it became prominent after Russia’s 2022 invasion of Ukraine. Multiple sources in the content state that Killnet originally operated as a criminal DDoS-for-hire or DDoS-selling organization and later shifted toward hacktivism in support of Russia; one source also says it appears to function to some extent as an umbrella group for other pro-Russian groupings.

The group’s targeting is consistently described as politically motivated and aligned with Russian interests. Reported targets include Ukrainian and Western organizations, NATO countries, governments, critical infrastructure, media, airports, financial institutions, and entities perceived as supporting Ukraine. Specific victim countries and regions directly mentioned in the content include Lithuania, Latvia, Estonia, Romania, Czechia, Poland, the United Kingdom, the United States, Finland, Germany, Israel, and Ukraine. The content also states that Killnet claimed more than 20 DDoS attacks across critical infrastructure sectors in Czechia, Estonia, Latvia, Poland, the UK, and the US between 15 and 22 April 2022.

The group is repeatedly linked to DDoS attacks and service disruption campaigns. Directly mentioned incidents include attacks against Romanian government websites; Lithuanian government, police, airport, tax, e-government, and business websites following restrictions on transit to Kaliningrad; attacks attributed by Latvia after Latvia’s parliament designated Russia a state sponsor of terrorism; attacks claimed against a U.S. airport in March 2022; attacks against more than 200 Estonian state and private institutions claimed on Telegram; and a claimed attack against Israel’s government website on October 8, 2023. The content also notes that Killnet was blamed for attacks on Germany, Czechia, and the Eurovision Song Contest website, and later targeted around 50 Italian institutions.

Killnet uses Telegram for public claims, threats, and messaging. The content describes the group issuing claims of responsibility, publishing video messages, threatening additional disruption, and framing attacks as retaliation for political decisions adverse to Russia. One report cites Killnet’s “judgment day” messaging around Lithuania and a post calling Lithuania a testing ground for new skills. The group is also described as having used or originated from a DDoS tool/service called Killnet, with one source stating that before the war the name referred to a dark-web DDoS tool.

The content links Killnet to broader pro-Russian cyber ecosystems. It is listed alongside groups such as Xaknet Team, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and CoomingProject in warnings about Russia-aligned cybercrime threats. The content also states that groups such as Killnet publicly pledged support for Russia and threatened cyberattacks against those attacking Russia or supporting Ukraine. One source notes a Killnet post referencing “friends from Conti,” but the nature of any operational relationship is not established beyond that mention.

Killnet is also described as collaborating with or being closely tied to Anonymous Sudan. The content states that Anonymous Sudan and Killnet jointly targeted Israel’s cyber infrastructure, and multiple sources note similarities between the two groups. One source says Trustwave SpiderLabs assessed Anonymous Sudan is likely a sub-group of Killnet; other sources say Killnet’s ties with Anonymous Sudan are hard to ignore or that the groups collaborated. The content also mentions Killnet alongside Sandworm and XaKnet as part of the pro-Russian response to pro-Ukraine hacker mobilization.

Known aliases directly provided in the content: killnet.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Russian-aligned hacktivist ecosystem referenced via affiliates as a representative threat to public-facing World Cup-supporting services.
Claimed to have obtained Lockheed Martin employee personal information, including email addresses and phone numbers.
Group involved in similar opportunistic cyber activity aligned with the conflict's anti-US and anti-Israel hacktivist wave.
Russian hacktivist threat group aligned with disruptive DDoS and hacktivist activity, expressing support for the Iranian regime.