The Storm: KillNet

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 21

Russia (pro-Kremlin hacktivist)

★★★★★

risk 2/5

✦ The Storm ✦

KillNet

KillMilk (leader alias) · sub-groups: Legion, Zarya, Infinity

NATO member governmentsHealthcareAirportsFinancial servicesMedia

Active since ~2022 · Political disruption, Pro-Russia propaganda, Anti-NATO signaling

It is loud and it wants you to know it. KillNet does not steal data - it makes noise. The DDoS is the message. The communique on Telegram is the message. The Storm is geopolitical signaling wrapped in network packets.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1498.001

Direct Network Flood

Impact

T1499.002

Service Exhaustion Flood

Impact

T1491.002

External Defacement

Impact

Notable Operations

◆Romanian and Lithuanian government DDoS (2022)
◆US airport websites DDoS (2022)
◆Attack on European healthcare following Ukraine support
◆US Treasury and congressional websites targeting (2023)

Defenses

▸
DDoS mitigation service with scrubbing capacity
NIST CSF: PR.DS ↗
▸
Rate limiting and traffic shaping on web properties
CIS Control 13 ↗
▸
Anycast network diffusion for DNS and web services
NIST CSF: PR.DS ↗
▸
Monitoring and alerting for volumetric traffic anomalies
NIST CSF: DE.CM ↗

Reversed: Their Weakness

KillNet's operations are largely nuisance-level - short-duration DDoS attacks that rarely cause lasting damage. Its strategic value to Russia is in narrative, not effect. When compared to Sandworm's actual capabilities, KillNet is theater.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Thousand Masks Next →The Thousand Hands

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.