KillNet Declared ‘War’ in May After Thwarted Eurovision Song Contest Attack
A pro-Russian political hacking group is claiming responsibility for distributed denial-of-service attacks that knocked offline the public websites of several major U.S. airports. Air travel was not affected.
The group, KillNet, also took responsibility last week for a series of DDoS attacks that temporarily disabled a handful of American state government websites.
Among the dozen airports affected by the Monday attack are Chicago’s O’Hare and Midway international airports. Both are owned by the city of Chicago and share the web domain of flychicago.com. A KillNet Telegram channel earlier posted a list containing more than two dozen targets. Other airports experiencing some difficulty today with public-facing websites include Atlanta’s Hartsfield-Jackson Atlanta International Airport, Los Angeles International Airport and Denver International Airport.
The Russian-language group, whose Telegram channel features memes, digital stickers and news coverage of its exploits, has also called for DDoS attacks against marine terminals and logistics facilities, weather monitoring centers, the healthcare system and online trading systems.
KillNet is one of a handful of cybercrime groups that have declared allegiance to Moscow, the U.S. federal government concluded earlier this year. Some of those groups act in closer allegiance with Moscow than others, possibly constituting a front for state-sanctioned hacking rather than true hacktivism.
The group’s emergence highlights how any war in the information age will have a cyber component – but also how annoyance and defacement, rather than fully developed cyberwarfare, have been a hallmark of the Russia-Ukraine war to date (see: Major Takeaways: Cyber Operations During Russia-Ukraine War).
Threat monitoring firm Digital Shadows writes that KillNet began as the name of a DDoS tool, and the group behind it transformed from criminal service providers to Kremlin-aligned hacktivists. It recruits volunteers to conduct DDoS attacks, organizing them into squads with names such as “Kratos,” “Rayd” and “Zarya.”
The Italian Computer Security Incident Response Team described a KillNet DDoS attack as coming in three waves.
The first was a network-tier flood of connection requests that overwhelms targets with fake requests to a TCP connection or with UDP traffic. That first wave came bundled with DNS amplification requests, attacks that flood servers with falsely requested domain name system responses, and with IP fragmentation attacks – internet protocol datagrams chopped into smaller pieces designed to consume available memory. The second wave was an intensification of the first, but without DNS amplification. The last wave alternated between network-tier attacks and protocol-based attacks.
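For defenders, the wave description above can be turned into a per-window check of which flood vectors are active. The sketch below is an added example, not code from the article or from the Italian CSIRT; the `Pkt` fields, the thresholds and the sample windows are constructed assumptions.

```python
from collections import Counter, namedtuple

# Simplified packet summary; the field names are assumptions for this example.
# flags "S" = bare SYN, "A" = the ACK that completes a handshake.
Pkt = namedtuple("Pkt", "proto src_port flags frag dns_id")

def classify(pkt, sent_dns_ids):
    """Map one inbound packet to the flood vector it could belong to, or None."""
    if pkt.frag:  # MF bit set or non-zero fragment offset
        return "ip_fragmentation"
    if pkt.proto == "udp" and pkt.src_port == 53:
        # A DNS response this host never asked for is reflected traffic.
        return None if pkt.dns_id in sent_dns_ids else "dns_amplification"
    if pkt.proto == "udp":
        return "udp_flood"
    if pkt.proto == "tcp" and pkt.flags == "S":
        return "syn"
    return None

def vectors_in_window(pkts, sent_dns_ids=frozenset(), min_pkts=100, max_ack_ratio=0.1):
    """Return the set of flood vectors active in one capture window."""
    counts = Counter(v for v in (classify(p, sent_dns_ids) for p in pkts) if v)
    active = {v for v, n in counts.items() if v != "syn" and n >= min_pkts}
    # Many SYNs are normal on a busy site; a flood is SYNs that never complete.
    completed = sum(1 for p in pkts if p.proto == "tcp" and p.flags == "A")
    syns = counts["syn"]
    if syns >= min_pkts and completed / syns <= max_ack_ratio:
        active.add("syn_flood")
    return active

def sample(n, **fields):
    """Build n identical constructed packets (not real capture data)."""
    base = dict(proto="tcp", src_port=40000, flags="", frag=False, dns_id=None)
    return [Pkt(**{**base, **fields})] * n

# Constructed windows shaped like the first two waves described above.
WAVE1 = (sample(500, flags="S") + sample(20, flags="A") + sample(300, proto="udp")
         + sample(400, proto="udp", src_port=53, dns_id=7)
         + sample(200, proto="udp", frag=True))
WAVE2 = (sample(900, flags="S") + sample(25, flags="A") + sample(600, proto="udp")
         + sample(350, proto="udp", frag=True))
NORMAL = (sample(120, flags="S") + sample(118, flags="A")
          + sample(3, proto="udp", src_port=53, dns_id=11))

if __name__ == "__main__":
    for name, win in (("wave 1", WAVE1), ("wave 2", WAVE2)):
        print(name, sorted(vectors_in_window(win)))
    print("normal", sorted(vectors_in_window(NORMAL, sent_dns_ids={11})))
```

Comparing the sets for consecutive windows shows when a vector is dropped, as DNS amplification is between the first and second waves.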
KillNet came to particular international attention following its May attempt to stop online voting for the Eurovision Song Contest, held this year in the Italian city of Turin (see: Italian Police Repel Online Attempt to Disrupt Eurovision). Following Ukraine’s win – for the song “Stefania” – KillNet said on Telegram that it “declares war” against 10 countries, “including the deceitful police of Italy.”
Monday is not the first time KillNet has targeted the websites of American airports. In March, it claimed credit for a DDoS attack on Bradley International Airport, a facility the Federal Aviation Administration classifies as a commercial aviation hub of “medium” importance.
“Bradley airport – not sure why they targeted it,” tweeted the account of threat research firm CyberKnow, at the time.