Threat Intel

Cyberwarfare in Ukraine was hyped as a MASSIVE thing, yet largely it’s been more bark and bite, but perhaps people need to understand that you can’t just “CYBER” a remote network, and even if you could, let’s say you get RCE on 30 networks in a country, so what? There needs to be value, purpose and something that will support other objectives, this isn’t a CTF.

  • Espionage (Collection/CNE)
  • Information Warfare (PsyOps)
  • Computer Network Attacks/Operations (CNA/CNO)

In CYBERSPACE all of the above can/will be leveraged to various EFFECT, not just in times of conflict but all the time. With this we have to think about a range of actors:

  • Nation State Orgnisatons (Espionage)
  • Law Enforcement (LE)
  • Armed Forces (AF)
  • Organized Crime Groups (OGC)
  • Lone Wolf Threat Actors
  • Hacktavists

Now it’s the Hacktavists that we are going to take a glance at today:

Some of the Known Hacktavist Groups that are PRO RUSSIA

Here’s some of the common names of groups

  • Killnet
  • Bear IT Army
  • Legion
  • KillMilk
  • JokerDPR
  • 1877Team
  • Passion Botnet
  • Cyber Army of Russia Reborn
  • National Hackers of Russia
  • Killnet Collective
  • Anonymous | Russia
  • Anonymous Sudan
  • Killnet Community Chat
  • Red Hackers Alliance
  • XakNet Team 🇷🇺
  • Чат (18➕) BEAR.IT.ARMY.
  • LIRA

Evidence of Groups Activity

Lots of activity seems to be conducted under the KILLNET banner:

Bear this in mind, the use of “Anonymous” appears to be an evolutionary step so the way I see lots of these “groups” is that they are linked by the KILLNET brand (the ANONYMOUS RUSSIA logo even has KILLNET in it!” (that’s my opinion from looking at these people for a while)


Largely these groups employ Distributed Denial of Service (DDoS) to “overload” and resource consume a website/webservice so that it is unable to serve legitimate requests. They can do this in a number of manners using different methods, including:

  • Volumetric
  • Logical

Volumetric may leverage botnets, rotating proxies, sites that have open redirects etc.

Logical DoS may be there specific queries are submitted to say a search feature on a site that causes excessive load.

We have also recently seen some website defacement.

There has often been chatter of groups adding ransomware/wiper capabilities but so far we haven’t seen evidence of this capability developed or deployed for effect.


  • Skill Level: Low
  • Capability: DoS, DDoS, Defcement
  • Risk: Low
  • Impact: Availability
  • Impact Rating: Subject to site DoS Protection/Countermeasures

These groups can create seemingly limited impact to availability, they create media noise (which may cause brand damage), they are known to deploy source IPs numbering up to ~10,000 nodes

These groups might be low skilled but they can cause impact, they are motivated and they certainly have some numbers.

A good account to follow is:

They keep tabs on the activities of these groups in detail