‘Killnet’ Adversary Pummels Lithuania with DDoS Attacks Over Blockade

Railway system

Cyber collective Killnet claims it won’t let up until the Baltic country opens trade routes to and from the Russian exclave of Kaliningrad.

Russia-linked cyber collective Killnet has claimed responsibility for DDoS attacks Monday on the Lithuanian government and other entities in the Baltic country over closure of transit routes within the Russian exclave of Kaliningrad, according to researchers. The threat group warns that it will keep up attacks until the issue is resolved.

On Monday, Lithuania’s National Cyber Security Center (NKSC) under the Ministry of National Defense warned of intense and ongoing DDoS attacks against Lithuania’s Secure National Data Transfer Network as well as other governmental institutions and private companies in the country.

The attacks—which the government expects to be ongoing as well as target other critical infrastructure in Lithuania–disrupted access to services of users of the secure data network, the NKSC said in a public statement.

Infosec Insiders Newsletter

“It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy and financial sectors,” Jonas Skardinskas, acting NKSC director and head of cyber security management department, said in a statement.

Motivation for Attacks

Russia-based Killnet apparently launched the attacks in response to the Lithuanian government’s announcement on June 18 that it would close routes between the Baltic country and the Russian exclave of Kaliningrad for transport of steel and other metals, according to Flashpoint, which published a blog post by the Flashpoint team on the attacks Monday.

“These train routes, according to the Russian government, are essential in bringing in at least half of the exclave’s imports, prompting Russian officials to label the move as a ‘blockade’ and warn of a harsh retaliation,” a Flashpoint spokesperson wrote in an email to Threatpost.

Meanwhile, Lithuania has justified the closure as a necessary requirement to fulfill the obligations of European Union (EU) sanctions against Russia for its invasion of Ukraine in late February, where the war is ongoing.

On its Telegram channel, Killnet claimed that it would stop the attacks as soon as the Lithuanian government reinstates transit routes with Kaliningrad, according to Flashpoint.

A spokesperson for Killnet group also told Reuters it plans to continue attacks until the blockade is lifted, adding that it has already “demolished 1652 web resources–and that’s just so far.”

Cyber Attack as Political Weapon

There was some warning prior to the attacks that they were imminent, according to Flashpoint. Indeed, DDoS attacks have been a typical weapon of choice for Russian cyber actors since Russia’s invasion of Ukraine, with Russian threat actors using them both before the war on the ground started and after alongside other cyber-attacks to support military operations. This year alone, Killnet reportedly already has targeted Romania, Moldova, Czech Republic and Italy with cyber-attacks.

“On June 25, Flashpoint analysts observed chatter regarding a plan for a mass-coordinated attack to take place on June 27, which Killnet referred to as ‘judgment day,'” researchers wrote in the post.  In retrospect, they said that this conversation was likely a reference to Monday’s attacks.

Flashpoint researchers also observed smaller attacks prior to Monday, including one that took place on June 22, they said. This appears to support Killnet’s claim that the attacks were in retaliation to the closure of transit routes to Kaliningrad, researchers wrote.

It also seems that Killnet is using the attacks against Lithuanian as a proving ground for new tools and tactics and even may be gearing up to team up with the Conti ransomware gang, according to Flashpoint.

In a post from June 26, Killnet labeled Lithuania a “testing ground for our new skills” and mentioned that their “friends from Conti” are eager to fight. This pairing would make sense, as both groups had already expressed an allegiance to Russia at the beginning of the group’s invasion of Ukraine, researchers said..

No matter, it’s clear now that cyber-attacks will be used as a frequent weapon—albeit not necessarily a deadly one–for the world’s military powers, either alongside a physical war or to support a political stance, one security professional noted.

“Every significant military power in the world has developed cyber capabilities [that] have evolved from espionage tools into full-fledged weapons to be used as part of a coordinated military response,” observed Chris Clymer, director and CISO of Inversion6, in an email to Threatpost. “Targeting another country with these arguably constitutes an act of war, but one less severe than kinetic attacks with missiles and tanks. This harassment will continue.”

Suggested articles