Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Pro-Russian Killnet Group in DDoS Attacks on Czech EntitiesGroup Also Claims to Have Targeted the US, Poland, Germany and UK
Pro-Russia threat group Killnet has attacked several entities in recent days. It targets victims that it believes are adversaries of Russia in the Russia-Ukraine war. This specifically includes NATO and its allied members. According to a post viewed by Information Security Media Group in the group's Telegram channel, Killnet, the group says that it does not wish to harm the people of other countries and it does not provide any hacking services to others. It says "the task of killnet is to create maximum damage to the network info structure of enemy countries."
See Also: Cyberwarfare in the Russia-Ukraine War
In the latest development in this campaign, several critical infrastructure entities in the Czech Republic were successfully targeted. In a press conference, the interior minister of the Czech Republic, Vít Rakušan, did not name the threat actor, but he attributed the attacks to Russian hackers. Rakušan also said no information or private citizen data was stolen in the attacks.
Attacks on Czech Critical Services
According to the Czech National Cyber and Information Security Agency - NÚKIB or NCISA - some Czech websites have been under severe DDoS attacks by hackers since the beginning of the week. These include Czech railways, the Karlovy Vary and Pardubice airports, and the public administration portal, which was not operational for several days.
And the NCISA official website was targeted with a DDoS attack on Thursday, which made the website unreachable from outside the country, the NCISA says in a tweet.
Naše webové stránky jsou pod DDoS útokem a může se stát, že nebudou ze zahraničí dostupné. Doporučujeme držet se našeho Varování, kde jsou popsány kroky jak DDoS útoky zmírnit. pic.twitter.com/8MMvefct5j— NÚKIB (@NUKIB_CZ) April 20, 2022
The Czech railways - or České dráhy - posted a similar notice on Twitter, stating that a cyberattack was detected on their website and sales channels and had affected their online operations and possibly made some of the railway applications unavailable.
Omlouváme se zákazníkům #CeskeDrahy za zpomalení a případnou nedostupnost některých aplikací ČD. Zaznamenali jsme kybernetický útok na naše webové stránky a prodejní kanály. Děláme vše pro to, aby dopad na cestující ČD byl co nejmenší. Děkujeme za pochopení. #CyberAttack— České dráhy, (@ceskedrahy_) April 20, 2022
Local Czech media agency iDNES.cz cites Lukáš Kubát, a spokesperson for the railways, who says, "It [the railways] has been solving the problem with outages of the 'My Train' mobile application since Tuesday. Buying tickets online did not work and there were also problems finding connections."
At the press conference addressed by Rakušan, the interior minister said two airports in the country - the Karlovy Vary and Pardubice airports - had also faced DDoS attacks.
Neither of the two airport authorities immediately responded to ISMG's request for comment on the incident. But in a clarification given to the local media agency, a spokesperson for Karlovy Vary Airport says an attack was recorded on Wednesday night. "This is a DDoS attack, which means that a large number of queries are trying to disable [our] server. However, our website is normally accessible from the Czech Republic. We are dealing with the attack with our IT technician," says Alice Undus, CEO of Karlovy Vary Airport. According to her, the attack on the airport's website does not affect traffic safety.
Pardubice Airport was also targeted on Wednesday. "It caused a failure of the entire web system and our website does not work," the local media agency cited an airport spokesperson as saying. "The operation of the airport should not be affected by the attack, but East Bohemian Airport will have everything checked by the company that provides the computer system," the spokesperson added.
Killnet Claims Responsibility
None of the Czech government authorities or international partners publicly attributed the DDoS attacks to a particular threat actor apart from Rakušan, who simply said the attacks were coming from Russia.
Based on this lead, ISMG observed the chatter on various social media forums and Telegram channels, which led to the discovery of a recently formed Telegram channel "KILLNET" - created on Jan. 24.
The Killnet group is known to support Russia, based on a video published by the group on Twitter, addressing the people of Russia and telling them to never doubt their country. Little is known about the group, but a joint cybersecurity alert published by CISA on Wednesday says that Killnet is an emerging threat actor and should be watched.
CISA says that the group has claimed credit for carrying out a DDoS attack against a U.S. airport, [Bradley International Airport,] in late March 2022, in response to U.S. material support for Ukraine.
The Killnet group in its Telegram channel has not only claimed responsibility for all the attacks mentioned earlier in this article that are known to be targeted at the Czech Republic but also claimed additional victims, including the defense department a commercial bank, a cellular provider, a hosting company, and two additional airports in Czech Republic - the Brno-Turany and Ostrava airports.
In its latest post, the group also claimed responsibility for the DDoS attack on the Prague international airport. The additional claims could not be verified by ISMG as no official responses have been received from the claimed victims at the time of writing.
Not Just Czech Republic, But All of NATO
Killnet, as was thought earlier, is not just targeting the Czech Republic in this ongoing campaign, but all the NATO and associated nations that are supporting Ukraine in some way, be it accepting refugees or providing military assistance.
Poland is known to be providing Ukraine's military with ammunition to fight the war. Citing this as treason against the Russian Federation, the Killnet group claims to have targeted eight Polish airports to stop their operations and the subsequent transfer of weapons.
The group has also claimed attacks on several elements of critical infrastructure in Germany, Poland, the U.K. and, most recently, Estonia. To date, however, none of these claims have been verified by any of these countries or the respective claimed victims.