Russia-aligned hacktivists behind Lithuania DDoS attack

A Russia-aligned hacktivist collective known as Killnet appears to have taken responsibility for a series of damaging distributed denial of service (DDoS) attacks on government institutions and networks in Lithuania, following a diplomatic row between Moscow and Vilnius.

The row centres on the Russian exclave of Kaliningrad, which lies on the shores of the Baltic Sea. It was formerly part of Germany, when it was known as East Prussia, but became part of the Soviet Union after the Second World War.

Following Lithuania’s independence in 1990, Kaliningrad became cut off from Russia, and there are no ground routes between it and contiguous Russia that do not go through Lithuania.

As a result of Russia’s illegal war on Ukraine, Lithuania recently moved ahead with the implementation of a European Union (EU) ban on Russian exports entering EU territory, which means it has blockaded the transit of materials including coal, metals, construction materials and advanced technology through its territory to Kaliningrad, prompting outrage at the Kremlin.

According to Lithuania’s National Cyber Security Centre (NKSC), the country’s Secure National Data Transfer Network, government bodies and private sector firms came under an “intense” DDoS attack on 27 June, leaving users unable to access services.

The attacks had been managed and services restored at the time of writing, but acting NKSC director Jonas Skardinskas said there may be more interference to come.

“It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy and financial sectors,” he said.

Claiming responsibility for the attacks, a spokesperson for the Killnet group told the Reuters news agency: “The attack will continue until Lithuania lifts the blockade. We have demolished 1,652 web resources. And that’s just so far.”

Killnet was among a number of hacktivist groups and cyber criminal gangs to have declared their allegiance to the Russian government at the onset of the Ukraine war.

Toby Lewis, head of global threat intelligence at Darktrace, said the attacks were an example of geopolitically motivated hacktivism causing wider disruption, but Killnet’s actions did not come as a particular surprise, as the group has previously attacked organisations in countries supportive of Ukraine, including the UK.

“Killnet’s attack methods are not particularly sophisticated and are easy to mitigate from a technical perspective, but they know these noisy attacks will hit the headlines and spark controversy,” said Lewis.

“As Lithuania is an EU and Nato member state, the potential implications under the EU Mutual Defence Clause or Nato Article 5 mean it will be significant to determine whether Killnet were explicitly directed by the Russian state in this instance or whether they are simply sympathetic to the nationalist agenda.”

According to Flashpoint analysts, the Killnet group has been highly active on its WE ARE KILLNET Telegram account for several days, and on 25 June, Flashpoint’s research team said they observed chatter about a plan for a mass-coordinated attack for 27 June, which was referred to as “Judgment Day”.

“Flashpoint analysts assess with high confidence that the attacks reported on today are the attacks Killnet had planned prior,” the team wrote.

“Smaller attacks have also been observed prior to 27 June, including one that took place on 22 June, according to our intelligence.”

The team added that, based on ongoing Telegram chatter, Killnet did indeed select Lithuania as a target after its government closed transit routes to and from Kaliningrad. It also said it had observed evidence of a potential connection between Killnet members and people associated with the Conti ransomware gang.

Leave a Reply

Your email address will not be published. Required fields are marked *