Pro-Russian Hacktivist Groups Take Down Numerous U.S. Airport Websites
More attacks on critical infrastructure could follow these attacks.
![Russian hacker](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltc3d13b0688495faa/652414228accf9b6ee2b4cb6/Russian-Hacker.jpg?width=700&auto=webp&quality=80&disable=upscale)
Image: Shutterstock
Pro-Russian hacktivist groups on Monday attacked numerous U.S. airport websites, causing temporary disruptions. Fortunately, there was no impact on flight operations.
The distributed denial of service (DDoS) attacks overwhelmed the servers hosting these sites. That made it impossible for travelers to connect and get updates about their scheduled flights or book airport services.
The hacktivist groups targeted airports in 24 states.
According to a Radware cybersecurity alert, following a series of DDoS attacks targeting government websites in the United States last week, Killnet’s founder, KillMilk, announced via an interview with Russia Today that the threat group would target civilian network infrastructure in the United States over the coming days. Less than 48 hours later, pro-Russian hacktivist groups began listing targets and announcing outages related to their DDoS attacks on websites of U.S. airports.
Daniel Smith is head of research for Radware’s Cyber Threat Intelligence.
“DDoS attacks against civilian infrastructures, such as informative airport websites, are designed to cause panic and discord among the victims, but are often performed by low-level threat actors who cannot drive more significant outages,” he said. “While there is always a possibility of a cyberattack resulting in flight disruption, the tactics, techniques and procedures (TTPs) of pro-Russian hacktivists KillNet, NoName057(16), and Anonymous Russia present a low-to-moderate level of risk for targeted organizations. DDoS attacks launched by these groups are only effective against unprotected assets or misconfigured devices.”
With that said, pro-Russian hacktivists have shown a desire over the last few months to match the successes of pro-Ukrainian DDoS campaigns by groups like the IT Army, Smith said.
“If successful in reaching their ability, the pro-Russian hacktivists could pose a more significant threat to targeted organizations,” he said.
KillNet and NoName057(16)
Killnet is a pro-Russian threat group known for launching DDoS attacks against those in public and private sectors that directly and indirectly support Ukraine or have in some way offended Russia, according to Radware. The group formed in January, selling DDoS services. However, it quickly transitioned into a hacktivist group following the Russian invasion of Ukraine.
The security industry knows NoName057(16) for launching defacement and DDoS attacks against Ukraine, and those directly and indirectly supporting Ukraine. The group formed in March on Telegram and became a notable threat group by June. Since then, the group has gathered a following of nearly 13,000 subscribers. It has been seen operating in support of Killnet operations.
The hacktivist groups deny any association with the Russian government, Radware said.
During the attacks, Chicago’s air travel website was inaccessible. Following the outage in Chicago, Los Angeles International Airport (LAX), Hartsfield-Jackson Atlanta International Airport (ATL), and Phoenix Sky Harbor Airport (PHX) websites were all offline.
The hacktivist groups present a moderate threat to the current landscape, according to Radware. However, these threat groups have recently demonstrated the ability to evolve into a more advanced threat.
Pro-Russian hacktivists have been slow to react, said Radware’s Daniel Smith.
“Only now have pro-Russian hacktivists begun to build and deploy crowdsourced botnets similar to the ones run by disBalance and the IT Army of Ukraine,” he said. “As the war escalates in Eastern Europe and the United States draws closer to the midterm elections, the West will become more vulnerable to panic and discord caused by network or service outages. Organizations at the moment should be following the Cybersecurity and Infrastructure Security Agency’s (CISA) ‘Shields Up’ recommendations and leveraging existing intelligence to better detect and respond to pro-Russian hacktivists. In addition, organizations need to start looking beyond the war, as national hacktivists will not likely respect any form of an official ceasefire.”
Ivan Righi is senior cyber threat intelligence analyst at Digital Shadows.
“At this time, it is unknown how successful these attacks were, but KillNet attacks are known to take websites down for short periods,” he said. “The attacks began with a DDoS attack on the Chicago O’Hare International Airport, where the group stated its motivation to target ‘America’s civilian network sector,’ which the group deemed to be not secure. KillNet’s targeting of the United States and its critical sectors is not surprising. The group has been targeting critical sectors in NATO countries since the start of the Russia-Ukraine war, and it will likely continue.”
Andrew Hay is Lares Consulting’s COO. He says there was no vulnerability exploited in the attacks.
“The attackers simply overwhelmed the servers by flooding the sites with garbage requests — exhausting the server’s resources,” he said. “Many of the targeted organizations are already utilizing anti-DDoS content delivery networks (CDNs) to mitigate attacks of this nature. Unfortunately, the content delivery network (CDN) infrastructure couldn’t prevent the flood of requests.”
Lisa Plaggemier is executive director of the National Cybersecurity Alliance (NCA). She said Killnet has made DDoS attacks its signature.
“They most recently were responsible for a series of similar attacks aimed at disrupting the 2022 Eurovision Song Contest,” she said. “Both incidents are in response to global support of Ukrainian war efforts. The group is now calling on like-minded counterparts to partake in disrupting other critical infrastructure across the United States.”
Denial-of-service attacks have been a tool for hacktivists and malicious actors for more than 20 years now, with one of the first known attacks taking place in the late 1990s, Plaggemier said.
“They’ve gradually become more sophisticated through botnets and tactics that can work around HTTPS protocols,” she said. “In recent years, we have indeed seen similar high-profile attacks coming from other nation-state APTs. This year, Cloudflare mitigated a record-breaking DDoS attack. In 2020, Google and AWS suffered major DDoS attacks that were eventually blocked, but could have been devastating. And of course the Mirai botnet, which originated in 2016, has been notably used in some of the largest denial-of-service attacks in recent history. These are all examples of the ways in which hacking groups have evolved their approach and become bolder in their target choices.”
The attack isn’t necessarily indicative of a weakness in the travel industry per se, Plaggemier said. Airport activity and travel logistics remained unaffected by the attacks.
“That said, business sectors that are slower to digitize or implement proper security safeguards likely take longer to recover,” she said. “Chances are the travel sector – alongside those that aren’t the frequent targets of cyberattacks – doesn’t have enough budget allocated to scale in-house cybersecurity prevention measures. And although there’s no foolproof way to have prevented a successful DDoS attack, contracting services from IT service management companies or MSSPs could likely have more quickly detected and mitigated the incident.”
The attacks demonstrate the importance of proper mitigation solutions, Smith said.
“Even if a website is non-critical, an outage can spark panic and cause the public to question the integrity of an impacted system,” he said.
Plaggemier said there “quite likely” will be more attacks beyond those striking airports.
“In fact, there were 60% more malicious DDoS events during the first six months of 2022 than during the entire year of 2021,” she said. “Bad actors and hacking groups use this attack method as a means of disruption, rather than monetary gain or data exfiltration. In this case, Killnet’s objective has been to use DDoS attacks to relay a political statement in retaliation for the U.S. backing Ukraine against Russia. And given the continued nature of the war, chances are Killnet and any like-minded groups will take up the call to arms to carry out similar attacks – whether in the U.S. or within the borders of other Ukrainian allies. Critical infrastructure (e.g., agriculture, energy, water treatment, natural gas, etc.) could once again become major targets and the powers that be should remain vigilant.”