{
	"id": "7481c604-894e-464a-b086-6a44c8fb188a",
	"created_at": "2026-04-06T00:18:58.122314Z",
	"updated_at": "2026-04-10T03:30:58.72352Z",
	"deleted_at": null,
	"sha1_hash": "d72d2c6e545832b39e023572b309b85423c248e1",
	"title": "KillNet Showcases New Capabilities While Repeating Older Tactics | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 909602,
	"plain_text": "KillNet Showcases New Capabilities While Repeating Older Tactics\r\n| Mandiant\r\nBy Mandiant\r\nPublished: 2023-07-20 · Archived: 2026-04-05 13:12:02 UTC\r\nWritten by: Mandiant Intelligence\r\nKey Judgments\r\nMandiant Intelligence assesses with high confidence that operations for which the pro-Russia hacktivist\r\ncollective KillNet has claimed responsibility consistently mirror Russian strategic objectives, although we\r\nhave not yet uncovered direct evidence of the collective’s collaboration with or direction from Russian\r\nsecurity services.\r\nMandiant assesses with moderate confidence that the collective’s regular creation and absorption of new\r\ngroups is at least partially an attempt to continue to garner attention from Western media and to enhance\r\nthe influence component of its operations.\r\nKillNet’s claimed operations have overwhelmingly focused on targets in the United States and Europe,\r\neven including operations from its claimed affiliates like Anonymous Sudan that purport to be focused on\r\nobjectives unrelated to the Russian state.\r\nAnonymous Sudan’s successful disruption of Microsoft services in June 2023 marked a significant increase\r\nin observed capabilities of the KillNet collective, which had previously struggled to impact claimed targets\r\nof previous operations. 
Paired with KillNet’s reported compromise and leak of North Atlantic Treaty\r\nOrganization (NATO) documents, this sudden increase in capability could indicate significant investment\r\nfrom more sophisticated actors, particularly when measured against KillNet’s capabilities since the\r\ncollective’s inception in late 2021.\r\nBackground\r\nIn early 2022, Mandiant predicted that Russian cyber threat activity associated with the invasion of Ukraine would\r\naffect government and private sector targets in third-party countries, particularly neighboring countries, North\r\nAtlantic Treaty Organization (NATO) allies, and other nations voicing support for Ukraine. Russian government-linked actors have historically employed false hacktivist facades as a means of obscuring their role in targeting\r\nWestern countries. Mandiant has previously identified instances of self-proclaimed hacktivist groups coordinating\r\nwith such actors in the context of the war.\r\nWhile we have not observed direct ties between KillNet and the Russian government, we cannot exclude the\r\npossibility of coordination, or more substantial ties, between some or all groups comprising the collective. We\r\nexpect KillNet and its affiliates to continue conducting distributed denial-of-service (DDoS) and hack-and-leak\r\noperations intended to disrupt government and critical infrastructure functions in countries providing financial,\r\neconomic, diplomatic or military support to Ukraine.\r\nMandiant has tracked KillNet activity back to January 2022, despite a claim by the collective’s alleged\r\nfounder that it began operations in 2021. 
This claim could be an attempt to separate the group from Russian\r\ngovernment interests and establish its legitimacy as a genuine hacktivist collective.\r\nThe collective has claimed responsibility for DDoS attacks, data theft, and leaks against entities across\r\nmultiple industries, including transportation, defense, government and military, financial services, global\r\ninstitutions, and telecommunications.\r\nKillNet’s targeting has consistently aligned with established and emerging Russian geopolitical priorities,\r\nwhich suggests that at least part of the influence component of this hacktivist activity is intended to directly\r\npromote Russia's interests within perceived adversary nations vis-a-vis the invasion of Ukraine. The\r\ncollective’s activity also supports domestic Russian promotion of support for the war. As Russian\r\ngovernment rhetoric has focused on various nations, we observed the group claim attacks targeting those\r\nsame nations shortly thereafter.\r\nSince the beginning of 2023, the majority of observed KillNet targeting has focused on the U.S.,\r\nEurope, and international institutions such as NATO. We have previously observed targeting in\r\ncountries including Germany, Denmark, Sweden, France, Poland, Slovakia, Ukraine, Israel, the\r\nUnited Arab Emirates (UAE), and other NATO ally and partner countries such as Japan.\r\nKillNet Appears to Increase Capabilities\r\nThroughout its existence, KillNet’s activities have primarily centered around DDoS attacks that generate only\r\nshallow impacts lasting short periods of time. However, the self-proclaimed hacktivist group Anonymous Sudan\r\nappears to have increased KillNet’s capabilities and the group has become the collective’s most prolific affiliate in\r\n2023, conducting a majority of claimed DDoS attacks. 
Significantly, Anonymous Sudan has caused significant\r\ndisruptions at a level not observed by KillNet affiliates previously.\r\nIn June 2023, Anonymous Sudan claimed an operation targeting Microsoft services. Later in the month,\r\nMicrosoft officially confirmed that numerous outages of its products were a direct result of DDoS attacks\r\nconducted by Anonymous Sudan.\r\nAdditionally, while KillNet has targeted NATO countries and organizations since early to mid-2022, it declared a\r\nfocused operation against NATO in early 2023 and created a Telegram channel in April 2023 dedicated to this\r\noperation. It began referring to this operation as “FuckNATO” and using the hashtag #fuckNato. Subsequently,\r\nKillNet claimed to have compromised NATO’s training site, Joint Advanced Distributed Learning, and published\r\ndozens of purportedly leaked images on its channels. While we cannot validate these claims, there are indications\r\nthat some of these documents are legitimate, which would demonstrate another significant increase in capability\r\nfor the group.\r\nIn early 2023, KillMilk, the claimed founder of KillNet, attempted to ransom the purportedly stolen\r\ndocuments to NATO for 3 bitcoin, possibly in part to increase attention surrounding the activity. While no\r\nsubstantive posts have been made to the FuckNATO channel since late April 2023, Mandiant anticipates\r\nthat KillNet and its affiliates will continue to target NATO for the continued future, with the potential for\r\ndevelopments in the war in Ukraine to reinvigorate targeting.\r\nIn mid-June 2023, KillNet announced that the collective and actors claiming to be from the Russian ransomware\r\ngroup REvil were collaborating in a joint operation targeting Western financial systems. Days later, KillNet\r\nclaimed to target the European Investment Bank (EIB). 
Beyond the disruptive intent implied by these groups'\r\nclaimed plans, this activity appears at least partially intended to maximize the media coverage of the groups and\r\ntheir anti-Ukraine messaging by prioritizing high-profile targets in a strategic sector.\r\nEIB sites were down for at least a day and EIB confirmed the attack in a tweet in which it stated it was\r\nfacing a cyber attack that had affected the availability of two of its main pages. Similar to the attack on\r\nMicrosoft, the successful disruption of a high-profile organization like the EIB indicates a significant\r\nincrease in KillNet’s DDoS capabilities compared to previous claimed operations with little noticeable\r\nimpact.\r\nDDoS Trends and Statistics Jan. 1, 2023 – June 20, 2023\r\nMandiant reviewed the Telegram channels of KillNet and its affiliates and captured counts of claimed attacks that\r\nincluded checkhost links to corroborate actor statements. Although we cannot verify that the service disruptions\r\noccurred directly as a result of KillNet operations, the data below illustrates claims that overlap temporally with\r\nverified service disruptions. This blog focuses on the most prolific affiliates of KillNet, and as a result several\r\ngroups mentioned in the statistics are not discussed elsewhere in this report.\r\nBetween Jan. 1 – June 20, 2023, Mandiant identified more than 500 distinct victims that the KillNet\r\ncollective has allegedly targeted with DDoS attacks.\r\nConsistent with KillNet activity in 2022, the majority of claimed attacks in 2023 targeted entities in the\r\nU.S. and Europe. Anonymous Sudan appeared to be a core driver of claimed attacks targeting countries\r\nfurther afield, and it is primarily responsible for the recent surge of Israeli targeting; however, nearly half\r\nof claimed Anonymous Sudan attacks still focused on U.S. 
or European organizations.\r\nAnonymous Sudan accounted for 63% of total identified DDoS attacks claimed by the KillNet collective in\r\n2023. The group only emerged in January 2023, making the proportion of KillNet operations they comprise\r\nadditionally notable.\r\nThe top most targeted organizations included those from technology and social media, NATO, and the\r\ntransportation sector. This generally aligns with historic targeting since KillNet’s inception.\r\nWe observed limited instances of Russia-affiliated domains being targeted. These infrequent instances\r\nappeared to primarily involve fringe domains and stand apart from the collective's core threat activity. We\r\nnote separately that we have previously observed limited other instances of KillNet claiming Russian\r\ntargets, such as high-profile Russian individuals opposed to the war.\r\nFigure 1: DDoS attacks by date and actor\r\nFigure 2: KillNet-associated groups claiming DDoS attacks\r\nFigure 3: Countries targeted by DDoS attacks claimed by KillNet, January – June 2023\r\nClaimed Cyber Crime Collaboration\r\nSince early 2022, KillNet has claimed on multiple occasions to be partnering or coordinating with several criminal\r\nelements, including multiple occasions in which it claimed to be working with the widely known ransomware\r\ngroup REvil. However, besides actor claims, we have observed no independent information that the groups have\r\ncollaborated. We have not observed indications that the group claiming to be REvil that took part in the attack on\r\nthe EIB was connected to the widely known ransomware group. Notably, the Telegram channel in which actors\r\nclaiming to be from REvil claimed links with KillNet had been created only days before the operation began on\r\nJune 15, 2023. 
KillNet previously claimed various links to REvil and Conti, which we were unable to verify,\r\nincluding:\r\nOn April 16, 2022, KillNet dedicated its attack on a U.S. energy company to REvil.\r\nOn April 21, 2022, KillNet also stated that \"REVIL is back in the ranks.\"\r\nOn June 16, 2022, KillNet called on both Conti and REvil \"to an unforgettable joint safari in the United\r\nStates, Italy, and Poland.\"\r\nOn June 25, 2022, KillNet messaging suggested that Conti was ready to fight, that Lithuania was its new\r\ntesting ground for DDoS attacks, and that its \"Zarya\" hackers were preparing for cyber operations.\r\nComposition of the KillNet Collective\r\nKillnet’s structure, leadership, and capabilities have undergone several observable shifts over the course of the last\r\n18 months, progressing toward a model that includes new, higher profile affiliate groups intended to garner\r\nattention for their individual brands in addition to the broader KillNet brand (Table 1). Multiple new groups have\r\njoined the collective as others have overtly separated or appeared to become inactive or disbanded. Notably,\r\nthrough this process the collective has appeared to pivot from the seemingly hierarchical structure of squads it\r\nestablished in the early months of the Russian invasion of Ukraine.\r\nKillNet has also repeatedly promoted messaging related to changes or expansions in the collective’s\r\noperations, ranging from KillNet reforming to become a “private military hacker company” to purported\r\npartnerships with cyber crime groups. However, these claims often appear to outpace documentable shifts\r\nin the collective’s operations.\r\nAffiliate Name | Telegram Channel Creation Date | Still Active | Still Affiliated with KillNet\r\nTesla Botnet | April 17, 2023 | Yes | Yes\r\nBlackSkills | March 12, 2023 | No | Dormant\r\nKillNet LATAM | Feb. 
2, 2023 | Yes | Yes\r\nAnonymous Sudan | Jan. 18, 2023 | Yes | Yes\r\nUserSec | Jan. 8, 2023 | Merged | Yes\r\nTitan Stealer | Oct. 20, 2022 | Yes | Yes\r\nKillMilk | Aug. 7, 2022 | Yes | Yes\r\nAnonymous Russia | July 10, 2022 (original channel); April 15, 2023 (new channel) | Yes | Yes\r\nDevils Sec | June 2, 2022 | Yes | Yes\r\nZarya | March 18, 2022 | Yes | No\r\nWe Are KillNet (main channel) | Jan. 23, 2022 (original); Feb. 26, 2022 (new channel) | Yes | Yes\r\nPhoenix | Jan. 5, 2022 | Yes | Unknown\r\nSkyNet Botnet/Godzilla-Botnet | Jan. 9, 2023/Dec. 28, 2021 | Yes | Unknown\r\nTable 1: KillNet-associated Telegram channels of interest\r\nKillMilk: Self-Proclaimed Founder of KillNet\r\nKillMilk continues to be a central coordinator for the KillNet Collective, despite claims of leaving the group in\r\nmid-2022. We cannot independently confirm KillMilk's claims of having previous affiliation with the hacktivist\r\ngroup Universal Dark Service. Although KillMilk claims the activity was by their own group, the previous\r\noperations of Universal Dark Service targeted the Russian government and were critical of its actions. This is in\r\nstark contrast to the avowed support by KillNet and KillMilk of the Russian government in its invasion of Ukraine\r\nand against the West. One possibility is that such claims were made disingenuously as an attempt to establish\r\nKillNet's credibility and/or as a means to distance the group from the Russian government.\r\nZarya Splinters from KillNet\r\nZarya’s Telegram channel was created in March 2022, although the group’s alleged leader claimed that elements\r\nof Zarya existed well before this, and were previously known by various names including “0x000000” and\r\n“Quarantine” (Russian: Карантин). Almost immediately after its channel’s creation, the group began posting files\r\nfrom compromised Ukrainian organizations. 
Zarya was the most active “squad” within KillNet until it announced\r\na rebrand in October 2022 in which it ended cooperation with KillNet.\r\nIn April 2023, media reports suggested that the U.S. government determined that Zarya breached a Canadian oil\r\npipeline. Furthermore, these reports indicated that Zarya was cooperating with or being handled by officers of\r\nRussia’s Federal Security Service (FSB). Currently, Mandiant can neither validate claims related to Zarya’s\r\nhacking capabilities, nor those related to the group’s potential links to the FSB. Russia has historically used self-proclaimed hacktivist groups as a means to obfuscate its role in operations against Western nations and it is\r\nplausible that Zarya or various pro-Russia hacktivists that have risen to prominence since Russia’s invasion of\r\nUkraine may either be cooperating or coordinating with, or a front for, the Russian security intelligence services.\r\nFigure 4: Quote from interview with Zarya’s alleged leader (machine translated from Russian)\r\nAnonymous Sudan\r\nMandiant first observed the self-proclaimed hacktivist group calling itself \"Anonymous Sudan\" in January 2023\r\nand the group soon after declared allegiance to KillNet. Initially, the group claimed DDoS attacks against entities\r\nlocated in Western countries, seemingly prioritizing Sweden, the Netherlands, and Denmark. Anonymous Sudan\r\nhas targeted organizations associated with infrastructure and key services, including in government and private\r\nsectors. 
The attacks that Anonymous Sudan has claimed in support of KillNet, both before and after it officially\r\njoined the collective, have broadened the geographic scope of its targeting to include entities elsewhere in Europe\r\nand the U.S.; it has since continued to expand the scope of its targeting further afield to include countries such as\r\nIsrael and Ethiopia.\r\nThe group’s initial post on the Anonymous Sudan Telegram channel stated, \"We will attack any country\r\nwith cyber attacks against those who oppose Sudan,\" and continued messaging from the group has asserted\r\nthat it is comprised of Sudanese individuals and has explicitly denied that the group is comprised of\r\nRussians or that it has links to Russia beyond support for KillNet's cause.\r\nMessaging that Anonymous Sudan has promoted surrounding attacks it has claimed to take under its\r\nown initiative has cited motivations related to the defense of Islam and/or the interests of Sudan.\r\nThe name “Anonymous Sudan” is likely an attempted appropriation of the brand of the well-known\r\nhacktivist collective “Anonymous,” similar to another KillNet affiliate, “Anonymous Russia.”\r\nOutlook\r\nKillNet has remained relatively consistent in its targeting of Ukraine’s supporters and prioritization of DDoS\r\nattacks since Russia invaded in February 2022, and despite new capabilities, the collective has hardly altered its\r\ntargeting patterns. While Mandiant cannot confirm collaboration or cooperation with Russian security services,\r\nKillNet’s targeting of victims consistently reflects the interests of the Russian state. 
The collective’s apparent\r\nsignificant growth in capabilities, demonstrated by Microsoft’s confirmation that Anonymous Sudan was\r\nresponsible for the outages they experienced, potentially indicates a significant increase in outside investment in\r\nthe collective, further suggesting a potential tie to the Russian state. We anticipate that KillNet and its affiliates\r\nwill continue DDoS attacks and become more brazen in their targeting of organizations.\r\nMandiant’s Mitigation and Hardening Recommendations for DDoS Attacks\r\nOrganizations that may be targeted by KillNet or any self-proclaimed hacktivist fronts should look to harden their\r\nnetworks to protect against DDoS attacks: Distributed Denial of Service (DDoS) Protection Recommendations.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics"
	],
	"report_names": [
		"killnet-new-capabilities-older-tactics"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76d871c3-96cd-41d3-8889-f0396e480e91",
			"created_at": "2023-11-14T02:00:07.093421Z",
			"updated_at": "2026-04-10T02:00:03.449641Z",
			"deleted_at": null,
			"main_name": "Zarya",
			"aliases": [
				"UAC-0109"
			],
			"source_name": "MISPGALAXY:Zarya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3917c91-ec7d-485f-8784-bfb1b1a78359",
			"created_at": "2023-11-08T02:00:07.13872Z",
			"updated_at": "2026-04-10T02:00:03.424164Z",
			"deleted_at": null,
			"main_name": "UserSec",
			"aliases": [],
			"source_name": "MISPGALAXY:UserSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791858,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d72d2c6e545832b39e023572b309b85423c248e1.pdf",
		"text": "https://archive.orkl.eu/d72d2c6e545832b39e023572b309b85423c248e1.txt",
		"img": "https://archive.orkl.eu/d72d2c6e545832b39e023572b309b85423c248e1.jpg"
	}
}