Leader of pro-Russia DDoS crew Killnet unmasked by Russian state media

November 27, 2023 TH Author

Infosec in Brief Cybercriminals working out of Russia go to great lengths to conceal their real identities, and you won’t ever find the state trying to unmask them either – as long as they keep supplying the attacks on Axis nations. It’s the reason why we found it so amusing that of all the ways the identity of an organized cybercrime gang leader could be revealed, it was Russian state media that may have recently outed someone of note.

Moscow-based Gazeta.ru has named a man it alleges to be the leader of pro-Russia DDoS merchants Killnet, known as “Killmilk,” in an expose following earlier claims that he started targeting the Russian Federation.

Known for spearheading major attacks on targets like US government agencies, the European Parliament, and a bunch of hospitals, Killmilk has rarely done any media work but when he has, he wore a balaclava in a continued bid to evade identification.

Gazeta.ru claims to have confirmed its findings with other so-called hacktivists and sources within Russian law enforcement. The outlet alleges the person they named has been convicted of drug dealing in the past, and is claimed to have launched attacks on Russian state infrastructure and private sector organizations.

Killmilk also apparently has critics in the cybercrime underworld, with many “colleagues” considering challenging Killmilk’s authority within the Killnet group, but backing down because of the individual’s tendencies to retaliate.

“A lot of people are tired of Killmilk,” hacktivist NET-WORKER told the publication. “Behind the scenes, a significant portion of pro-Russian groups oppose him. But they are afraid to ‘have a bite’ with him in public. First of all, they are afraid of de-anonymization – Killmilk likes to reveal the identities of its competitors or blackmail them with this information.”

Qakbot all but dead and buried following FBI takedown

As we’ve seen with botnets like Emotet, coordinated law enforcement takedowns aren’t always permanently effective, but the FBI’s shuttering of Qakbot in August appears to be having the desired effect.

Huntress released its SMB security report this week showing that attempted Qakbot exploits have roughly halved since the takedown.

Current attempts are thought to be essentially neutered, the company said, although attempts still remain. By the end of next quarter, it’s expected to be gone for good… off the map completely.

The report [PDF] is rich in insights and is well worth a look. Other highlights note that most attacks (56 percent) use no malware at all and instead use living-off-the-land methods – using legitimate tools like remote monitoring applications to blend in with normal network traffic. Attackers establish stealthy persistence with this method that can open up organizations to various follow-on attacks, such as data theft or having that remote access sold to a ransomware group.

The most often abused tool was ConnectWise, followed by AnyDesk, NetSupport, and TeamViewer. While they’re not strictly remote management tools, Huntress said it aligned with CISA’s more simplified categorizations of these and similar tools.

It also noted that while LockBit is still the ransomware strain used in 25 percent of all attacks, eclipsing it are unknown or defunct strains accounting for 60 percent of all ransomware incidents in Q3 2023.

Australia backs down on ransomware payment ban

A year after saying it was looking at ways to ban ransomware payments, the Australian government backtracked on this proposal, saying “it is clearly not the right time at this moment to ban ransoms” as it launched its 2023-2030 Australian Cyber Security Strategy [PDF].

While Home Affairs Minister Clare O’Neil’s preference was to ban them, this proposal is now being pushed back two years while the country aims to implement the infrastructure required to impose a ban. This would include equipping its law enforcement agencies with the right resources to enforce it, and setting support systems for victims, per the Australian Financial Review.

In the meantime, among the government’s many plans to tackle cybercrime is to implement a no-fault, no-liability reporting service that will mandate ransomware incident reporting across the country. This is so Australia can “build an improved picture of the ransomware threat so that [it] can develop appropriate responses.”

The official line is to not pay ransoms, and that hasn’t changed. Though, many have complained of a lack of support in how to deal with ransom demands, the government said, so it’s going to build a ransomware playbook for victims to follow.

“This playbook will provide clear guidance to businesses and citizens on how to prepare for, deal with, and bounce back from ransom demands.”

It’s also funneling $26.2 million AUD into support for Pacific Island nations suffering serious cybersecurity incidents in a program called Cyber Rapid Assistance for Pacific Incidents and Disasters, or RAPID.

Justin Sun’s bad month got much worse this week

After having his Poloniex exchange attacked and drained of circa $120 million earlier this month, two additional crypto projects linked to the investor have been attacked this week with losses estimated to be in the region of a further $130 million.

The HTX exchange was drained of $30 million worth of assets, CNBC reported, as well as Heco Chain ransacked for $84.5 million – most of which being stablecoins (cryptocurrencies tied to fiat currencies).

Also succumbing to an attack this week was crypto investment house Kronos Research, leading to a total loss of $26 million in crypto assets, it said.

The incident involved an unidentified (for now) third party accessing its API keys. Despite the sizeable theft, the company reassured that the losses wouldn’t materially impact the company or its partners, and that internal funds would cover the losses.

“We’re prioritizing our resources to resume servicing the exchanges and token projects we provide liquidity for,” it said via X. “This is the first time since 2018 we’ve halted trading, and we are confident we will bounce back stronger than ever.” ®