dark reading threat intel and cybersecurity news

Hot on the heels of attacks against US state government websites, pro-Russian threat group Killnet on Monday disrupted the websites of multiple US airports in a series of distributed denial-of-service (DDoS) attacks.

It also called on similarly aligned groups and individuals to carry out DDoS attacks on other US infrastructure targets, in what appears to be an escalation of a recent campaign protesting the US government’s support for Ukraine in its war with Russia.

Airport websites that were affected by Killnet’s DDoS attacks included Los Angeles International Airport (LAX), Chicago O’Hare, Hartsfield-Jackson Atlanta International Airport, and the Indianapolis International Airport. While the DDoS attacks made some of the sites inaccessible for several hours, they do not appear to have had any impact on airport operations.

Researchers from Mandiant who have been tracking the attacks said they observed a total of 15 US airport websites being impacted.

Mostly Brief Interruptions

In a statement to Dark Reading, airport authorities at LAX confirmed the attack.

“Early this morning, the FlyLAX.com website was partially disrupted,” an LAX spokesperson noted in an emailed statement. LAX officials described the service interruption as being limited to portions of the public-facing FlyLAX.com website only. “No internal airport systems were compromised and there were no operational disruptions,” the statement said, adding that the airport’s IT team has restored services and that the airport has notified the FBI and the Transportation Security Administration (TSA).

Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, says Killnet has also asked its supporters to join in on the airport attacks and posted a list of domains to be targeted on its Telegram channel. In total, the group mentioned 49 domains belonging to airports across the US, he says. Killnet’s target list includes airports in some two dozen states including California, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, and Michigan.

“At this time, it is unknown how successful these attacks were, but Killnet attacks are known to take websites down for short periods,” Righi says. The attacks began with a DDoS attack on O’Hare, where the group stated its motivation to target the US civilian network sector, which the group deemed to be not secure, he says.

O’Hare did not immediately respond to a Dark Reading request for comment. But as of noon, Central time, the airport’s website was accessible.

Calls for Broader Attacks

Vlad Cuiujuclu, team lead for global intel at Flashpoint, says the DDoS attack on O’Hare International Airport came shortly after Killnet announced new rounds of DDoS attacks against domains that belong to the civilian infrastructure of the United States. Among the targets it is urging supporters to attack are marine terminals and logistics facilities, weather monitoring centers, healthcare systems, ticketing systems for public transit, exchanges, and online trading systems, Cuiujuclu says.

Killnet’s post urging other pro-Russian groups to launch DDoS attacks against domains that belong to the US civilian infrastructure was shared by other Russian-speaking cyber-collectives, including Anonymous | Russia, Phoenix, and We Are Clowns, Cuiujuclu noted.

Killnet has been among the more active pro-Russian cyberthreat groups in recent months. Just last week it claimed credit for DDoS attacks on the government websites of Mississippi, Kentucky, and Colorado. In July, the group claimed credit for a DDoS attack on the website of the US Congress, which briefly affected public access.

In August, Killnet said it planned to attack Lockheed Martin, the company manufacturing the US-made rocket launchers that the Ukrainian military has been using in the conflict. The group claimed it had compromised Lockheed Martin’s identity authorization infrastructure, but Flashpoint, which tracked the campaign, said it was unable to find any verifiable evidence of the supposed attack. “This is possible, but Killnet has thus far shown little verifiable evidence of this beyond a video and a spreadsheet allegedly containing employee data, the authenticity of which could not be determined,” Flashpoint said at the time.

An Especially Active Threat Actor

Almost since the beginning of the Russian invasion of Ukraine, Killnet has been continuously posting alleged evidence of DDoS attacks against organizations in NATO member states and those it perceives as supporting Ukraine in the conflict. Flashpoint has previously described Killnet as a media-savvy threat group with a tendency to try to inflate its profile by bragging about attacks. “While Killnet’s threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible.”

Killnet’s attacks, and those it is urging others to carry out, are examples of what security experts say is the tendency in recent years for geopolitical conflicts to spill over into the cyber domain. The threat group’s apparent escalation of its campaign against the US and other NATO countries, for instance, comes just days after an explosion destroyed a section of a critical bridge connecting Russia to the Crimean Peninsula.

So far, most of the cyberattacks by pro-Russian groups that impacted US organizations have not been nearly as disruptive as attacks by Russian groups against Ukrainian entities. Some of those attacks — including many going back to Russia’s annexation of Crimea — were designed to destroy systems and degrade power and other critical infrastructure in support of Russian military objectives.