Published by The Lawfare Institute
in Cooperation With
On Oct. 4, a cryptic message first appeared in the Telegram forum We Are Killnet, hosted by the pro-Russian hacktivist collective Killnet, and spread quickly across Twitter. The message roughly translates to: “Weather forecast for 7 days! 14:00 USA—A L4 level flood is expected throughout the United States. 16:00 USA—All Tax web resources are experiencing difficulties in performance.” A clever play on words, the message implied that Killnet was planning a series of distributed denial of service (DDoS) attacks—also called floods—against U.S. government websites over a 72-hour time period. The group dubbed its operation “USA Offline” and paired its cyber-doom narrative with an image of Lady Liberty backlit by a fiery mushroom cloud. On Twitter and Telegram, Killnet and its followers were signaling that a catastrophic cyber event designed to cripple U.S. networks was forthcoming.
Killnet's "USA Offline" DDoS operation (https://t.me/killnet_reservs/2939)
And then, nothing really significant happened. For the next few days, Killnet conducted DDoS attacks against a series of U.S. targets, including the National Geospatial-Intelligence Agency, state government websites, military health care and benefit-related websites (such as Tricare Online), airport websites, and JPMorgan Chase.
But these attacks had little, if any, effect. For instance, after targeting U.S. state websites, the group self-reported that their DDoS “control went down” and lamented that states “just fixed everything.” The attacks against Tricare Online rendered services unavailable for a few minutes—a stark contrast to the ominous 30-second video announcing the attack, which concludes with a short clip of a U.S. service member kneeling and crying. Similarly, the DDoS against U.S. airport websites had no impact on airport operations or flights but did prevent users from accessing some sites for sustained periods of time. The New York Port Authority noted that LaGuardia Airport’s website suffered intermittent delays for roughly 15 minutes but that “airport [and Port Authority] operations were never disrupted by the 3 a.m. cyberattack.” And, lastly, JPMorgan indicated that it did not experience any issues related to Killnet’s DDoS.
This raises a puzzling question: What was the point of all of this? In particular, the gap between nuclear imagery and the ultimate effect is significant. Moreover, this is not the first time that groups like Killnet have paired hyperbolic rhetoric with actions of minor impact, like DDoS attacks. Yet Killnet and other hacktivist groups continue to do so despite the limited effectiveness of these types of cyber operations for coercive purposes, not to mention the existence of DDoS prevention and mitigation technologies that limit their effects.
Killnet’s cyber activities in the context of the Ukraine conflict offer additional support to the growing chorus of experts who are skeptical about the coercive utility of cyber operations on the battlefield. These actions should, however, also prompt analysts to revisit competing paradigms about cyberspace as being either a domain of conflict or an intelligence contest. Instead, Killnet demonstrates how cyberspace can be used for overt political mobilization and ideological socialization for group members and target audiences alike. Therefore, the primary effect of groups like Killnet is not disruption or damage to the target. Instead, their activities are a mechanism for mobilizing cadres and sustaining support for political and ideological goals internally, while simultaneously creating noise, hysteria, and hype over an artificially inflated threat among target and external audiences.
Who Is Killnet?
Killnet first emerged in January as a hack-for-hire vendor, selling a DDoS tool. But when Russia invaded Ukraine in late February, the event precipitated an identity shift and Killnet became a patriotic hacker collective. The group congregates in the Telegram channel We Are Killnet, which has attracted over 92,000 subscribers, and its sister channel, Killnet Mirror, which contains over 23,000 subscribers. These channels are public spaces that researchers can observe and follow.
Publicly, the relationship between Killnet and the Russian government seems clear: Killnet has overtly stated that it is not working for, or directed by, the Russian government. But across its statements and actions, the group operates in a way that is consistently pro-Russian and aligned with Moscow’s broader strategic goals. For instance, Killnet’s leader, “Killmilk,” said in an interview that “everything we have done since the very first day [of the special military operation] is only for the sake of helping our country.” Furthermore, NATO members are Killnet’s priority targets, and the group has claimed responsibility for several other DDoS attacks targeting NATO countries that publicly voiced their support of Ukraine, such as Romania, Italy, Lithuania, Norway, Poland, Finland, and Latvia. Most recently, Killnet targeted Bulgarian government officials after rumors circulated about the truck that exploded on the Crimea bridge, claiming the truck had traveled from Bulgaria. These cyberattacks were coupled with similarly blustery language, like the claim that “[m]illions of people around the world began to piss in their pants at the phrase ‘It’s them, it’s Killnet attacking!’”
This underscores the difficulty of ascertaining the precise relationship between cyber groups and state governments. Killmilk attempts to dispel the notion that Killnet is a Russian proxy group and has even lamented that “not a single official from the Russian Federation, not a single businessman [has paid] attention to us!” Yet, despite these grumblings, Killnet adheres to Russian hacker norms and requires group members to attest that they will never work on the Russian segment of the internet or attack Russian targets or initiatives. Ultimately, Killmilk keeps the groups’ activities within the bounds of what the Russian government considers to be acceptable behavior to avoid any negative pushback from the state. For instance, Killmilk has referenced Moscow’s arrest of Alexey Stroganov, a former state cybersecurity professional who was allegedly responsible for cybersecurity at the 2018 FIFA World Cup in Russia, and some 25 others for their role in a credit card fraud ring.
From Cyber Criminals to Cyber Patriots
More so than the nature of its relationship with Moscow, what makes Killnet interesting is its abrupt identity change on Feb. 26—a direct reaction to Anonymous publicly announcing its support for Ukraine after the Russian invasion. Killnet went from being a moderately lucrative criminal business to a donation-funded, politically oriented group that describes itself as a coalition of “like-minded hackers from the fraternal Slavic peoples.” Of course, hacktivism is not a new phenomenon, but the war in Ukraine has drawn attention to the role of third-party actors in cyberspace and their ability to influence an ongoing conflict.
The groups that have emerged in the context of the conflict between Russia and Ukraine, however, have demonstrated radically different approaches and levels of organizational maturity. For instance, another third-party cyber actor to emerge because of the war is Ukraine’s IT Army. The group proactively targets Russian websites and companies, maintains a consistent and focused pro-Ukraine messaging schematic, and provides in-depth impact assessments—when possible—without political jargon. Target sets and themes for the day are released at 9:00 a.m. CET (3:00 a.m. EST) each day, creating a steady and predictable operational tempo for IT Army volunteers who are scattered across the globe.
Comparatively, Killnet’s operations are reactive, sporadic, compulsive, and tied to the evolving dynamics of the Ukrainian conflict—such as the Bulgarian example above—and broader geopolitical issues related to the war. In many ways, Killnet’s primary impact is not its unsophisticated cyberattacks but its ability to shape the cognitive environment and the narratives surrounding the war—both for its followers on Telegram and among the Western media. The DDoS attacks are like a sideshow. Indeed, subscribers are self-aware about the ineffectiveness of their cyberattacks. Instead, the main event is the cultivation of a vibrant virtual community that internally fosters and reinforces pro-Russian political narratives, and the genesis of inflated cyber threat narratives that externally shape the cognitive environment in targeted countries.
It’s All About the Hype
The risk, therefore, stems not from the cyberattacks themselves but, rather, from the reaction of Western audiences, which may be playing into Killnet’s self-generated hype inadvertently. The media’s response to Killnet’s “USA Offline” campaign illustrates this threat inflation dynamic.
At the same time that Killnet fans cheered the attacks, Western media outlets were quick to publish articles that amplified the threat narrative surrounding Killnet. Newsweek published an article on Oct. 5 restating Killnet’s dramatic warnings and sounding the alarm bells even before many of the targets had been attacked. Later that day, CNN went a step further and drew a (nonexistent) connection between the Killnet group and election interference, depicting Killnet to be a more significant threat than the low-level hacktivists they are. NPR covered the airport website attacks with the headline “Pro-Russian hackers claim responsibility for knocking U.S. airport websites offline,” implying a more sophisticated attack than what took place. Moreover, Killnet relishes the attention it receives from Western media. Comments on the Telegram channel extoll the fact that the group is mentioned on CNN, calling on all hackers who “take part in the liquidation of the United States of America” not to stop.
Since Russia invaded Ukraine, anticipation about if, when, where, or how Russia would launch its “cyber war” has generated countless debates about the role of cyberspace operations in warfare. The release of Microsoft’s report in June added more buzz to the cyber frenzy by providing a rich storyline and emphasizing the significance of the war’s cyber dimension. Further, the Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. government agencies continue to issue warnings to the private sector, encouraging corporations to keep their “Shields Up,” a slogan created by Jen Easterly, the director of CISA. Abroad, leaders and government officials are using similarly aggressive language to emphasize threats from cyberspace, with the Danish defense minister, Morten Bødskov, noting that “[t]he cyber threat is constant and evolving. Cyberattacks can do great damage to our critical infrastructure, with fatal consequences.”
With all the talk about Russian malicious cyber actors and the apparent determination of analysts to find evidence of the impact of cyber operations in conflict, media outlets have been quick to latch onto anything related to cyber and Russia—even Killnet’s unsophisticated DDoS attacks. Therefore, the media may only be fueling the fire by amplifying their overblown rhetoric and tacitly legitimizing those claims.
Additionally, because media outlets devote attention to Killnet’s DDoS activity, rather than to the political discourse among Killnet’s members, this risks overlooking how the group truly may be affecting the Ukraine conflict—both within Russia and among external audiences. The real impact of Killnet is cognitive, not coercive. Therefore, analysts should prioritize identifying and understanding the effects and implications of Killnet’s efforts at political mobilization. This can help inform how scholars understand the role of cyberspace in conflict from the perspective of political discourse and mobilization among various audiences, shifting away from analysis that focuses on the coercive or battlefield impact of this kind of cyber behavior.
Most importantly, practitioners and commentators should be aware that public discussion about and reporting on Killnet’s activities are not separate from the conflict but are an important component of the war’s cognitive dimension. In other words, through the very act of reporting on these groups in a hyperbolic manner, the media itself becomes a participant in the broader narrative, with the potential to shape the dynamics of the broader conflict in negative ways. Commentators should proceed with caution when reflecting on the impact of groups like Killnet.