Source: securityboulevard.com – Author: Flashpoint Intel Team
Restructure, rebrand
Killnet announced on April 27 on Telegram that it is ending its hacktivist activities and rebranding as Black Skills, which the group dubbed a “private military hacking company.” According to the group, it will continue attacking Western entities—but instead of doing so “altruistically” it will instead take orders from private and public entities for money.
The group also announced another “reorganization” of its ranks. This is at least the third reorganization that Killnet has announced since last fall when it turned itself into a “collective,” aiming to absorb smaller hacktivist groups under its umbrella.
The announcement happened a couple of days after information about the alleged real-life identities of Killnet’s core group members had started circulating online.
Killnet’s founder “Killmilk” also claimed that an unidentified person attempted to convince them to attack the website of the Immortal Regiment, a massive government-sponsored commemorative event in Russia, and suggested to the group to be more vigilant about their moves. This was reposted by a number of Killnet-affiliated channels. It is unclear whether someone actually made such an offer, as only Killmilk’s account is known.
Notably, Killnet has not posted any updates regarding Black Skills since March.
Money remains the aim
The past months have also seen Killnet trying to make money in various ways, although it appears that these attempts to attract funding were mostly unsuccessful, or at the very least insufficient. They include:
- Publicly applying for sponsorship from the Russian state and from Russian businesspeople several times over the past months
- Selling access to various documents exfiltrated from NATO countries
- Selling the “Infinity” forum, which the group created in December 2022
- Promoting its paid “hacking school” ($249 for a course) which is apparently yet to launch
- Advertising its paid DDoS services
- Soliciting money from its followers
Under ridicule
Killnet remains widely ridiculed on top-tier Russian-speaking forums. On Exploit, for example, a thread in which the group’s leader, Killmilk, was advertising the sale of Infinity, drew widespread mockery, with users offering a couple hundred dollars for what many of them saw as a lost cause.
Several users of top-tier forums Exploit and XSS were also speculating that through the “hacking school” Killnet would simply resell old hacking manuals available on WWH-Club, another illicit forum that has specialized in spreading such instructive materials.
Motivations and partnerships
Flashpoint has pointed out several times that, for all of its nationalistic antics, Killnet has remained a primarily financially-motivated group that has used the media exposure provided by an eager Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services. Killnet has partnered with several botnet providers as well as the Deanon Club, a partner threat group, to target narcotics-focused darknet markets.
While there is no indication that Killnet has acquired more sophisticated TTPs over the past months, the group’s more open move towards becoming paid “cyber mercenaries” should be a cause for concern, as it provides a blueprint or a model for other groups. Earlier, Phoenix, AKUR and Legion—groups formerly associated with Killnet—had made clear moves towards cybercrime. Phoenix even set up a Telegram channel to advertise and sell accesses and exfiltrated data. Legion created its own “private military hacking company.”
The degree of the association of pro-Kremlin hacktivist groups with Russian security services is unknown and likely varies. Earlier, Mandiant researchers linked XakNet and the Cyber Army of Russia to Russian security services, suggesting that the groups acted as fronts to share information obtained illegally by state-backed groups. The arrangement gave the groups fame, while the state-backed organizations had plausible deniability. A more decisive move toward cybercrime may result in a situation where state-backed groups use “cyber mercenaries” as proxies to probe the cyber defenses of Western organizations. There is definitely interest to do so: see ransomware attacks in late 2022 on Polish logistics companies, attributed to Russian APT groups.
Killnet is definitely interested in such an arrangement… as long as it brings money.
Keep a close eye on illicit communities with Flashpoint
Flashpoint provide teams with actionable intelligence on illicit online communities, including Killnet, and have the agility to move collections capabilities to be where adversaries are. Sign up for a free trial today to see how Flashpoint intelligence can enable you to take rapid, decisive action to mitigate across your organization.
Original Post URL: https://securityboulevard.com/2023/05/for-money-and-attention-killnet-apparently-reorganizes-again/
Category & Tags: Security Bloggers Network,cyber threat intelligence,FEATURED,Illicit communities – Security Bloggers Network,cyber threat intelligence,FEATURED,Illicit communities
Views: 0