Threat Intel

This is an evolving post and will likely be updated over time. Online “community” or “criminal gangs” etc. can be fluin and dynamic, thinking of them in rigid structures and trying to compare them to “In Real Life (IRL)” organisationas directly doesn’t really work. They work generally in a collective fashion. No masters and no slaves etc.

“Hacker” Groups

I don’t really like to use the term “hacker” in this sense, perhaps hacktivist or criminal groups is the right fit, however, words aside there is the question: Who is KILLNET, are they a threat and who are they a threat to?


KILLNET was suposedly formed as a resonse to the IT ARMY of Ukraine (Ukraine Cybe Army) (formed late Feb) which is odd given the first post from KILLNET was on January the 23rd and IT ARMY of UKRAINE setup their telegram on Feb 26th.

The number of “members” of KILLNET is probably hard to determine, in their “main” telegram channel they have over 60K members. This isn’t really that many though.

There’s also the fact it’s split into killnet hacking and Legion Russia, and then further into other subgroups.

High Level Assessment

Given how “easy” attribution and monitoring threats in cyberspace is (NOT) it’s hard to say:

  • Who operated the group
  • Who is active in the group
  • What their capabilities are at a given point in time

However I’ve put together a high level summary view based on what i’ve seen so far.

Group Name


Estimated Skill Level


Estimated Capability Level





Historic Impact



Country/Regional Alignment



Cyber Threat Assessment level


(if you aren’t in the target bracket and/or if you have CDNs/DoS Protections)

Known for

Denial of Service (DoS)

Alternate Names/Pseudonyms

“Cyber Army of Russia”


Currently TargettingRomania
Broadly TargetingCountries supporting Ukraine/The West/NATO
Possible Future TargetsItaly (based on telegram posts), POLAND

Assessment Confidence


SummaryThe pottential for impact could be high for a specific org if they are targetted and have not taken steps to put in place DoS protections. The nature of these style of groups means the capability and skill levels can be significantl varied and dynamic. It should be noted that the risk level to your organisation may signifcantly vary based on geography, political alignment, nature of business and the infrastrctuure, capabilities and controls you have in place to mitigate DoS etc.

The groups noise level vs confirmed impact leads me to believe currently this group is not a significant threat to organisations. Whilst there appears to be intent and motivation, I would be surprised given the inception date and the lack of “confirmed” activity outside of claimed denial of service that this group pose a significant threat beyond any other generic hacktivist or criminal organisation at this time. Clearly that may change, online groups can just as easily change tactics and personnel due to their fluid nature.

Their MO appears to be DoS against very specific orgs, if you are a likely candidate for “targeting” it would be prudent to take measures against the DoS and ensure you have adequate controls and practised proceedures in place to absorb, mitigate or respond to a DoS attack.

Who are KILLNET?

KILLNET appears to be a loosely grouped together PRO RUSSIAN group of actors.

What have they done?

They have claimed to have conducted Denial of Service (DoS) Attacks.

Have they had any real negative impact?

Currently the only real significant impact I’ve seen is they are in mainstream newspapers. They don’t appear to be highly effective from achieving cyber impact.

That being said the romanian security directorate has issued guidance:

They have claimed to attempt to cause disruption to the EUROVISION song contest, but this failed (oh no! anyway!):

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack | IT PRO

Italian police block Russian hackers during Eurovision | News | IBC

this seems entirely not news worthy, but that’s just well my opinion!

There is an incident or two in Romania:

Romanian government says websites attacked by pro-Russian group – The Record by Recorded Future

Now this looks like DoS:

The site isn’t currently online from the UK (will check from Romania soon) so that might indicate some impact (or another event!)

Who are they aligned to?

  • Their telegram channel is written in the Russian language.
  • Their messaging is PRO Russian.

When did they appear?

Their telegram channel was created on January 23rd 2022

Graphical user interface, text, application, chat or text message

Description automatically generated




Possible Affiliates

Capability Level

The reason why i’ve currently rated the capability/skill as low is for a number of reasons:

  1. They don’t appear to be equiping “members” in an adanced manner
  2. A number of the attempted DoS “attacks” have failed
  3. Currently I’ve not seen evidence of custom tooling
  4. The volume of members does not appear to be high

Contrast this with the Ukraine Cyber Army which has 350 Thousand Telegram channel members, deploys custom tooling to aid it’s members and who have had demonstrable impact on it’s targets.

On May 17th 2022 they are advertising for Programmers, members to perform DDoS and Pentesters (everyone in CYBER has a skills gap right!):

Revruitment for LEGION May 17th 2022

DoS IoC Analysis

IPS reported as “DOS from KILLNET” by Romanian Government

We are conducting metadata analysis on public IOCs from a limited successful Denail of Service (4 hoours downtime) reportedly by KILLNET. A quick analysis using Greynoise and IPINFO shows that some of these appear to be beniign, some are known “bad” in greynoise etc. Outside of that we can see evidence of traffic from proxies and “unknown” IPs at a scale that appears to line up with the DoS position.

The romain goverment site is now geofenced for internal romaining traffic only.

The DoS sources appear to be from ~11K IPs, we have not yet enriched all of these however a sample from a clust of IPS shows that a proxy network was leveraged which resides in: AS36352

This is currently listed as: COLOCROSSING

COLOCROSSING do not appear to have a great reputation in the community and are beleived to have been reported to have been hosting infrastrcuture that may have been used in previous DoS attacks.

COLOCROSSING IPs used in Suspected DoS

This hosting provider and AS has historic evidence of abuse. An example of that is here: DraftKings Continues Pursuit of DDoS Attackers –

As such it’s probably not a bad idea to block traffic from this AS.

Sample Evidence

Graphical user interface, text, application, chat or text message

Description automatically generated
Graphical user interface, text, chat or text message

Description automatically generated
Graphical user interface, text, chat or text message

Description automatically generated
Graphical user interface

Description automatically generated
A screenshot of a computer

Description automatically generated with medium confidence
Graphical user interface, text, website

Description automatically generated
Graphical user interface, text, application, chat or text message

Description automatically generated
Graphical user interface, application

Description automatically generated


According to this article:

The Killnet group threatens to cyberattack nearly 300 other sites in Romania –

The list of targeted sites so far is:

It might be interesting to see where that list came from, I’ve not found it in the Telgram channels so far (but i might have missed a sub group).


As you can see they are definatley not aligned with the WEST. However the volume of members when companred the UA Cyber Army is significantly smaller. The level of sophistication appears much lower as well as the level of tooling and co-ordination.

If you have any intel you want to share please get in touch. This was made during a cup of tea so take it for what it is, I might look at doing this against a range of groups.