In today’s globalized world, the safety of critical infrastructure is paramount. Critical systems such as power grids, water resources, transport networks, and health services are the lifelines of social activity and economic stability. Their loss of function has far-reaching consequences that can jeopardize public safety, national security, and economic well-being. Their rising digitization and interconnection have increased their exposure to cyber threats, making robust cybersecurity protocols both a technical and a strategic necessity.
The U.S. Government Accountability Office (GAO) highlights that the nation’s 16 critical infrastructure sectors rely heavily on electronic systems to deliver essential services, which exposes them to increasingly advanced cyber threats (U.S. Government Accountability Office, 2023). As cyber warfare evolves, this dependency has created new opportunities for non-state actors to exploit vulnerabilities in cyber systems; DDoS-style attacks against critical infrastructure worldwide have become a mainstream tactic for such actors. One such actor is KillNet, a pro-Russian hacktivist collective that has succeeded in launching DDoS-style attacks against countries allied with Ukraine. Unlike ordinary cybercrime groups that pursue financial gain, KillNet operates with political motives. Its attacks target government institutions, banks, transport networks, and energy infrastructure with the aim of undermining national security and economic stability (European Parliament, 2023).
Established in January 2022, KillNet started as a DDoS-for-hire service, offering its botnet to buyers on a subscription basis. With the invasion of Ukraine by Russia in February 2022, the group transformed into a hacktivist collective, aligning its operations with Russian geopolitical interests. This was the beginning of a series of cyber attacks targeting countries perceived to be Russia’s adversaries (Forescout Research – Vedere Labs, 2022).
KillNet’s offensive toolkit primarily consists of DDoS tactics intended to overwhelm and incapacitate target networks and servers. High-profile incidents include attacks on Romanian government websites in April 2022, which disrupted access to several official websites (Judge, 2022). In May 2022, the group launched a coordinated campaign targeting Italian institutions, including the Senate, the Ministry of Defense, and the National Health Institute. These attacks, conducted using the Mirai botnet, rendered several institutional websites unreachable for multiple hours (Brucato, 2022; Deutsche Welle, 2022). In June 2022, KillNet targeted Lithuanian infrastructure in retaliation for Lithuania’s imposition of transit restrictions on goods bound for Russia’s Kaliningrad enclave (Al Jazeera, 2022). Lithuania’s energy sector had already been identified as particularly vulnerable to cyber threats because of ongoing digitalization efforts and increasing interconnectedness (Jakštas, Jasinskienė & Judickaitė, 2021). KillNet also claimed responsibility for attacks on U.S. targets, such as the attempted intrusion into defense contractor Lockheed Martin in August 2022, in retaliation for the company’s support to Ukraine (Khaitan, 2023).
KillNet is a decentralized network of subgroups, each with different regional or sectoral objectives. This loose framework gives the organization flexibility and resilience against counter-cyber activity. Leadership has varied over time; the original founder, “Killmilk”, is reported to have stepped down in July 2022, with a hacker known as “BlackSide” becoming the leader. Regardless of these changes, the group’s objectives have remained operationally consistent (Flashpoint, n.d.).
While KillNet’s operations typically amount to temporary disruption rather than permanent destruction, they indicate the growing involvement of politically motivated cyber actors in international conflicts. Their activities highlight the challenges nations face in protecting critical infrastructure from ideologically driven cyber threats that transcend traditional state borders.
- Study design: We conducted a descriptive case-study review with a focused scoping review of open-source reports on KillNet operations during 2022-2023, complemented by a deep-dive vignette on Lithuania’s energy sector.
- Data sources: Institutional advisories (e.g., CISA, ENISA, NATO/EU bodies), reputable journalism (e.g., Reuters, DW, Al Jazeera), peer-reviewed and scholarly outputs (e.g., IEEE Access, policy journals), and well-established industry reports (security vendors and research labs). Where possible, claims were cross-verified across at least two independent sources.
- Search strategy: Keyword combinations included: KillNet, DDoS, critical infrastructure, energy grid, airport websites, government portals, attribution, zero trust, Lithuania Ignitis, Kaliningrad sanctions. Searches covered 2022-2023 (English). Reference lists and cited-by chains were used to snowball additional sources.
- Inclusion criteria: Items were included if they: (i) described an incident claimed by or attributed to KillNet; (ii) reported target sector, country, and attack type (minimum metadata); and (iii) documented operational impact (e.g., service disruption, degraded monitoring) or organizational response.
- Exclusion criteria: Anonymous blogs, uncorroborated social posts, duplicated wire copies, and items with no verifiable target/impact details.
- Data extraction: For each incident we recorded: date window, country, sector, target type (e.g., energy operator, government portal, airport website), attack vector (primarily DDoS), observable effects (outage, degraded telemetry, website unavailability), duration (if reported), and mitigation/response (e.g., traffic scrubbing, MFA, segmentation, ZTA actions). For the Lithuania case we extracted operator-level impacts (telemetry delays, manual fallbacks) and cross-checked at least two sources.
- Analysis: We used thematic synthesis to group findings by sector (energy, government, transportation) and by effect category (service availability, monitoring/telemetry, financial/defensive spend, socio-political). We summarized recurring TTPs and mapped them at a high level to DoS/Network DoS behaviors. Because many sources lack consistent telemetry, results are descriptive, not inferential.
- Limitations: Open-source reports vary in depth and measurement; some impacts are qualitative (e.g., “temporary outage”) without uniform metrics. Attribution remains probabilistic; under- or overreporting bias is possible. We mitigate this by triangulating across multiple reputable sources.
Across 2022-2023, incidents claimed by or attributed to KillNet were predominantly DDoS attacks against public-facing web properties and APIs in government, transportation, and the energy ecosystem. Reported effects were availability disruptions (temporary website/API inaccessibility, slowdowns) and, specifically in the Lithuania energy vignette, degraded telemetry with temporary manual fallbacks; no physical damage was credibly reported in our corpus.
Open-source reporting describes coordinated DDoS activity affecting public-facing services associated with Lithuania’s energy ecosystem in the context of the Kaliningrad sanctions dispute (Sytas, 2022; Faulconbridge, 2022). While core systems remained intact, observers noted delays in the receipt of selected grid telemetry and alarms used for real-time operational awareness (Meehan, 2022).
These vulnerabilities in Lithuania’s energy infrastructure were previously identified in a comprehensive Regional Cyber Defence Centre assessment, which found that digitalization of energy services significantly expands the attack surface while creating opportunities for malicious actors to access critical assets (Jakštas, Jasinskienė & Judickaitė, 2021).
No physical damage was reported. Documented effects included (i) temporary degradation of monitoring/telemetry feeds that support situational awareness, (ii) limited reliance on manual checks while visibility recovered, and (iii) brief slowdowns in customer-facing portals (European Union Agency for Cybersecurity, 2023; CyberPeace Institute, 2023; National Cyber Security Centre, 2022; Meehan, 2022). Public claims of responsibility accompanied the activity (Al Jazeera, 2022). Swathika et al. (2024) found that smart grid vulnerabilities to DDoS attacks have been well-documented in cybersecurity literature, with recent studies emphasizing the need for multilayered defense strategies to protect critical SCADA systems and grid telemetry.
Post-incident adjustments emphasized DDoS protection (traffic filtering/scrubbing and anomaly detection), redundancy for control/communications paths, and enhanced monitoring and analytics, including AI-assisted detection; these changes shift spending toward recurring operational costs (Jakštas, Jasinskienė & Judickaitė, 2021; Warren, Štitilis & Laurinaitis, 2023; Avertium, 2022).
According to News Staff (2022), several national or state portals experienced intermittent unavailability and slowdowns, including multiple U.S. state government websites that were targeted in coordinated campaigns. The October 2022 attacks disrupted access to Kentucky, Mississippi, and Colorado state portals, with some requiring temporary workarounds to maintain public access to essential services. Reported impacts were concentrated on public information pages and online forms; when stated, back-office transactional systems were not affected. The severity and duration of these disruptions varied across incidents. Durations, where provided, ranged from brief interruptions lasting only minutes to more sustained degradations extending over several hours. Though no sensitive data was compromised, these visible outages attracted significant media attention and raised public concerns about government cybersecurity preparedness.
Major airport and transport-authority websites in multiple countries experienced DDoS-driven outages or severe slowdowns, disrupting public information services such as flight information and passenger guidance. In October 2022, KillNet launched coordinated attacks against over a dozen U.S. airports, including LaGuardia, O'Hare International, Los Angeles International (LAX), and Hartsfield-Jackson Atlanta, temporarily rendering their public-facing websites inaccessible (FOX 5 NY, 2022). Sources that addressed operational systems indicated no impact on air-side or core transport operations; the attacks affected only external websites, while airport operations, flights, and security systems continued functioning normally.
Across incident summaries and advisories, organizations reported (or subsequently adopted) higher recurring spend on managed DDoS protection and upstream traffic scrubbing, broader use of content-delivery/caching layers for public portals, redundancy for critical communications/telemetry paths, and consolidation of logs/metrics to preserve visibility during availability attacks. These adjustments were characterized as ongoing operational expenditures rather than one-time costs.
Attributing a cyberattack to its perpetrator is notoriously difficult because attackers use techniques to conceal their identity. KillNet has been attacking governments, businesses, and essential services with large-scale DDoS attacks since the Russia-Ukraine war began.
Even though there is considerable evidence of KillNet’s involvement, it remains difficult to confirm with certainty that the group is behind every attack attributed to it. This is because it uses covert methods, decentralized networks, and evasion techniques to avoid being tracked.
KillNet uses proxy servers and virtual private networks (VPNs) to hide their real location. These tools reroute their internet traffic through multiple servers in different countries, making it look like the attack is coming from many places at once. This method makes it exceedingly difficult to track down the real people behind the attacks (Rid & Buchanan, 2015).
KillNet also controls large networks of hacked computers, known as botnets. These botnets consist of thousands of infected devices worldwide, allowing KillNet to launch massive cyberattacks without revealing their real location. Since other hackers may also use the same botnets, it becomes hard to tell if an attack was organized by KillNet or another cybercriminal group (Hutchins, Cloppert & Amin, 2011).
Many of the hacking tools and software used by KillNet were not originally created by the group. Instead, it reuses open-source attack programs or copies tools from past cyberattacks. These tools include common DDoS attack programs, which makes it hard to prove that KillNet is responsible for a specific attack. By recycling old malware, the group avoids detection and makes it harder for cybersecurity experts to track it (Mandiant, 2021).
Although KillNet has openly supported Russian interests, there is no unambiguous evidence linking the group directly to the Russian government. Unlike state-sponsored cyberattacks, which are usually organized and controlled, KillNet’s actions seem less centralized, making it difficult to confirm their exact relationship with official Russian cyber operations (Sanger, 2019).
Cyber attackers often use false flags to confuse investigators and make it hard to trace attacks back to them. KillNet may imitate the methods of other hacking groups or foreign states, which can easily mislead those trying to identify the attackers (Case, 2016). This intentional deception complicates the process of attributing the attacks.
KillNet’s actions show that they may have both political and financial goals. While they claim to support Russia, they have also engaged in ransomware and extortion, which suggests they may also be motivated by financial gain. This mix of political and criminal motives makes it harder to tell if their attacks are purely for political reasons or if they are also driven by financial rewards.
KillNet constantly changes its command-and-control infrastructure, which makes it hard to trace them over time. They use secure hosting services and constantly change domains and IP addresses to avoid being detected (Ames, 2022).
Unlike highly organized cyber groups, KillNet is made up of loosely connected subgroups and affiliates. Some of these affiliates use different identities, making it difficult to link them directly to KillNet. This creates a scattered and incomplete picture when trying to track them (Flashpoint, n.d.).
KillNet carries out its operations through encrypted messaging and dark web forums, which makes it hard for analysts to intercept and analyze their communications. By using encrypted networks, they make the process of identifying them even more difficult (U.S. Department of Health and Human Services, 2023).
Identifying who is behind KillNet’s cyberattacks is very challenging. The group uses complex methods to hide its actions, its connections to governments are unclear, and it maintains strict operational security to cover its tracks. While cybersecurity experts can gather clues pointing to KillNet’s involvement, it remains hard to prove the group responsible for specific attacks. To tackle these growing cyber threats, countries must work together, share information, and stay alert in order to stop such attacks effectively.
KillNet has gained notoriety for conducting cyberattacks against entities in countries that support Ukraine. There have been a number of responses that arose out of the persistence of KillNet attacks on a global scale. Some of these are enumerated below:
- Governmental Actions
United States: In response to KillNet’s actions and other Russian cyber threats, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued several warnings. These warnings highlight the risks of Russian state-sponsored cyberattacks and suggest stronger cybersecurity measures. CISA has advised both government organizations and businesses to take proactive steps like segregating networks, using multifactor authentication, and constantly monitoring systems to prevent cyberattacks (CISA, 2022).
European Union: The European Union Agency for Cybersecurity (ENISA) has been actively monitoring cyber threats and offering security advice to EU countries. After the June 2022 attacks on Lithuania, ENISA highlighted the need for a cooperative defense approach. They encouraged EU countries to improve their cybersecurity resilience by sharing information, coordinating responses to incidents, and regularly assessing ongoing threats (Al Jazeera, 2022).
- International Collaboration
Five Eyes Alliance: The Five Eyes intelligence alliance, comprising the United States, United Kingdom, Canada, Australia, and New Zealand, has recognized the significance of cyber threats posed by groups like KillNet. In April 2022, the alliance issued a joint advisory warning of Russian cyber activities targeting critical infrastructure. This advisory provided detailed recommendations for mitigating DDoS attacks, including strengthening firewall configurations, utilizing anti-DDoS services, and adopting zero-trust security frameworks (CISA, 2022).
NATO’s Cyber Defense Initiatives: Dyner (2023) stated that NATO has increasingly recognized cyber threats as a significant component of modern warfare. In response to the growing number of cyberattacks linked to Russian-affiliated groups, NATO has enhanced its cyber defense posture through joint exercises, intelligence sharing, and the development of rapid-response cyber units. NATO’s commitment to strengthening cybersecurity across its member states highlights the strategic importance of cyberspace in modern military and political conflicts.
- Public-Private Partnerships
Collaboration with Technology Companies: Governments worldwide have partnered with major technology companies to counter cyber threats from groups like KillNet. Companies such as Microsoft have played a crucial role in identifying, mitigating, and preventing cyberattacks. Microsoft has provided cybersecurity intelligence and technical assistance to affected nations, helping them defend against malicious cyber activities (European Parliament, 2023).
Information Sharing Initiatives: Public-private partnerships have facilitated the rapid exchange of threat intelligence, allowing governments and businesses to coordinate their responses to cyber threats in real time. Information-sharing platforms, such as the Cyber Threat Intelligence Integration Center (CTIIC) in the U.S. and the European Cybersecurity Competence Center, have enabled quicker threat detection and mitigation strategies against DDoS attacks launched by groups like KillNet (European Parliament, 2023).
- Challenges and Considerations
Despite all the efforts to fight cyber threats, there are still big challenges when it comes to dealing with hacktivist groups like KillNet. One of the main challenges is that cyberattack tactics keep changing, so cybersecurity defenses must keep up with these new methods. Also, identifying who is behind cyberattacks is complicated, making it hard to hold attackers accountable on a global level (Dyner, 2023).
Even though international cooperation has improved cyber defenses, the differences in cybersecurity capabilities between countries remain a problem. One of the key goals for the global community is to develop standardized rules for responding to cyber incidents and sharing information.
The observed KillNet campaigns underscore that ostensibly “low-complexity” DDoS activity can still shape public risk perception and geopolitics. Recurrent service disruptions, especially when linked to interstate tensions, feed narratives about vulnerability and state capacity, aligning with work that situates cyber activity as an instrument of political influence as much as technical harm (Shandler et al., 2022; Shandler & Gomez, 2023).
- Public Fear and Loss of Trust: when public-facing portals (government, transport, energy) become intermittently inaccessible, the immediate technical effect is limited availability, but the social effect is broader: visible outages erode confidence in institutional readiness and protection, even when core operational systems are unaffected. Scholarly analysis has noted that the primary impact of groups like KillNet lies not in technical disruption but in shaping the cognitive environment, with media amplification of threats often exceeding the actual operational damage inflicted (Smith, Lonergan & Starck, 2022). This trust dynamic is consistent with empirical findings that frequent exposure to cyber incidents reduces confidence in government defense capacity (Shandler et al., 2022).
- People Losing Faith in the Government: sustained or repeated disruptions to citizen-facing services can be reframed domestically as leadership or policy failure, especially when targets include high-salience systems (e.g., elections, health, finance). That political reframing elevates the consequences of availability attacks beyond IT service levels and into questions of competence and legitimacy (Shandler & Gomez, 2023).
- Cyber Warfare as a Political Weapon: contemporary analyses of cyber operations increasingly frame attacks on energy infrastructure as modern instruments of warfare, where disruption of critical systems serves strategic geopolitical objectives (Aljohani, 2022). KillNet’s strategic timing and choice of targets demonstrate how nation-states and their affiliated groups can use cyber attacks as political tools that remain below the threshold of military conflict. These operations achieve multiple objectives: they impose financial costs by forcing organizations to invest in defenses, they generate widespread media attention and public concern, and they overwhelm cybersecurity response teams, all without causing the physical damage that would trigger military retaliation. Analyses of Russia-linked activity highlight this “political weapon” logic in contemporary competition (S&P Global, 2023), complementing scholarship that frames cyber means as tools to weaken rivals and accrue leverage (Shandler & Gomez, 2023). Research on KillNet specifically suggests that the group’s effectiveness stems less from actual technical disruption than from its ability to shape public perception and generate inflated threat narratives (Smith, Lonergan & Starck, 2022).
- Countries Working Together to Fight Cyberattacks: international and public-private coordination observed in 2022-2023 reflects a strategic turn toward collective cyber defense. On the state side, the Five Eyes joint advisory emphasized practical mitigations, including anti-DDoS services and zero-trust measures, while EU bodies (via ENISA) pressed for information-sharing and coordinated incident response following Lithuania’s June 2022 events (CISA, 2022; European Union Agency for Cybersecurity, 2023; Al Jazeera, 2022). EU restrictive measures also created a framework to sanction responsible actors, signaling a policy toolkit that extends beyond technical guidance (European External Action Service, 2020). Complementing this, public-private partnerships (e.g., CTIIC and the European Cybersecurity Competence Centre) facilitated real-time threat-intelligence exchange to accelerate detection and mitigation (European Parliament, 2023).
- Attribution Limits and Policy Implications: a key constraint on deterrence and accountability is technical and organizational opacity: proxy/VPN routing, botnet reuse, and shared tooling obscure actor identity; decentralized coordination and intentional false-flagging further complicate high-confidence attribution. These features, documented in threat-intelligence and academic work, explain why open-source attributions often remain probabilistic and why policy responses lean on broad defensive postures rather than legal action against specific perpetrators (Rid & Buchanan, 2015; Hutchins, Cloppert & Amin, 2011; Case, 2016; Sanger, 2019).
- Sectoral Significance – Energy Vignette: the Lithuania smart-grid case shows how availability attacks can degrade operator visibility (telemetry delays, manual fallbacks), increasing operational risk despite no physical damage. The episode’s timing amid Kaliningrad-related tensions and the subsequent advisory posture in Europe make it a salient example of how geopolitical shocks, hacktivist claims, and CI monitoring challenges intersect in practice (Faulconbridge, 2022; Meehan, 2022; European Union Agency for Cybersecurity, 2023).
- Practical Implications for Operators: taken together, the findings support continued investment in (i) upstream traffic scrubbing and anti-DDoS services for public portals, (ii) zero-trust controls around internet-exposed services, and (iii) resilience of monitoring, e.g., out-of-band telemetry and cached dashboards, so situational awareness is preserved during availability attacks. These directions align with the joint guidance and collaborative mechanisms noted above (CISA, 2022; European Union Agency for Cybersecurity, 2023; European Parliament, 2023).
- Summary: in short, the strategic value of DDoS for politically motivated actors lies not in destruction but in narrative leverage and administrative stress, effects that ripple through public trust, international signaling, and budgetary priorities. Strengthening collective defense, sharpening attribution where possible, and hardening monitoring pathways are the actionable levers suggested by this case corpus (see also chapter 6 for collaborative responses).
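The monitoring-resilience point in the Energy Vignette and Practical Implications items above, as an added example that is not part of the original study: a telemetry-freshness watchdog that grades each grid feed from the age of its last reading, keeps the last-known-good value visible with its age, and tells the operator when to fall back to manual checks. Feed names, reporting intervals, and the degraded/stale thresholds are constructed for the example.

```python
"""Telemetry-freshness watchdog for an operator dashboard.

Added example, not from the original study: it models the "degraded
telemetry, manual fallback" effect described for the Lithuania vignette.
Each feed has an expected reporting interval; a feed is graded HEALTHY,
DEGRADED or STALE from the age of its last reading and the cached
last-known-good value is served with an explicit age, so an operator sees
reduced visibility instead of silently outdated data. Feed names,
intervals and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Multiples of the expected interval after which a feed is flagged (assumed).
DEGRADED_AFTER = 2.0
STALE_AFTER = 5.0


@dataclass
class Feed:
    name: str
    expected_interval_s: float
    last_value: Optional[float] = None
    last_seen_s: Optional[float] = None


class Watchdog:
    def __init__(self, feeds):
        self.feeds = {f.name: f for f in feeds}

    def ingest(self, name, value, now_s):
        """Record a fresh reading; the cached value is only overwritten here."""
        feed = self.feeds[name]
        feed.last_value, feed.last_seen_s = value, now_s

    def status(self, name, now_s):
        """Grade one feed and return what the dashboard should display."""
        feed = self.feeds[name]
        if feed.last_seen_s is None:
            return {"feed": name, "state": "NO_DATA", "value": None,
                    "age_s": None, "manual_fallback": True}
        age = now_s - feed.last_seen_s
        ratio = age / feed.expected_interval_s
        if ratio < DEGRADED_AFTER:
            state = "HEALTHY"
        elif ratio < STALE_AFTER:
            state = "DEGRADED"
        else:
            state = "STALE"
        # A STALE feed keeps showing its last-known-good value, clearly aged,
        # and directs the operator to fall back to manual verification.
        return {"feed": name, "state": state, "value": feed.last_value,
                "age_s": age, "manual_fallback": state == "STALE"}

    def impaired(self, now_s):
        """Feeds whose loss of freshness reduces situational awareness."""
        return sorted(n for n in self.feeds
                      if self.status(n, now_s)["state"] != "HEALTHY")


def demo_timeline():
    """Constructed scenario: three substation feeds; after an availability
    attack begins at t=12 s, one feed slows down and one goes silent."""
    wd = Watchdog([Feed("substation_A_voltage", 5.0),
                   Feed("substation_B_voltage", 5.0),
                   Feed("substation_C_breaker", 5.0)])
    for t in (0, 5, 10):                       # normal reporting
        wd.ingest("substation_A_voltage", 230.0, t)
        wd.ingest("substation_B_voltage", 231.0, t)
    for t in (0, 5):                           # C stops reporting after t=5
        wd.ingest("substation_C_breaker", 1.0, t)
    for t in (15, 20, 25, 30):                 # only A stays on schedule
        wd.ingest("substation_A_voltage", 229.5, t)
    wd.ingest("substation_B_voltage", 231.2, 18)   # B: one late reading
    return wd
```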
The world’s cybersecurity situation today is shaped largely by the growing interconnection and use of digital systems in critical sectors. As power grids, water supplies, transportation, and healthcare systems become more reliant on technology, they become more vulnerable to cyber threats. This vulnerability is even greater when decentralized, politically driven hacker groups like KillNet are involved. Originally a DDoS-for-hire service, KillNet quickly grew into a hacktivist group with political motives. KillNet exemplifies the many challenges countries face when dealing with cyberattacks that aim not at quick financial gain but at weakening national security and damaging economic stability.
One of the main challenges in dealing with groups like KillNet is attribution, that is, determining who is behind a cyberattack. KillNet uses proxy servers, VPNs, and botnets to hide where its attacks come from, making them harder to trace. It also uses open-source tools and reused malware, which obscures the real origin of an attack and complicates the process of confirming who is responsible. As seen in attacks from Romania to the United States, the evidence is often convincing but not sufficient to establish responsibility conclusively. To identify attackers, cybersecurity experts must keep improving their techniques and share information in real time.
The difficulty of identifying KillNet is compounded by political and strategic factors. Although KillNet clearly supports Russian interests, there is no solid proof of direct government involvement. The group also uses false-flag tactics, misleading investigators and confusing perceptions worldwide. KillNet combines political motives with financial incentives, such as ransomware and extortion, blurring the line between state actors and cybercriminals.
Additionally, KillNet has adapted its operational strategies to stay ahead of cybersecurity defenses. It constantly changes its command infrastructure, switches domains, and uses encrypted communications on the dark web to avoid detection. This means cybersecurity experts must continually update their defenses to remain effective. Even when its affiliates operate in concert, KillNet remains hard to trace and disrupt, making traditional defense methods less and less effective.
As cyber threats grow more complex and widespread, the KillNet experience shows that traditional cybersecurity methods need to be improved with new, flexible strategies. A key recommendation is better international cooperation. Countries must create global standards for handling cyberattacks and sharing information, ensuring that they can work together to deal with rapidly changing threats.
There must also be more investment in advanced cybersecurity research. Technologies like artificial intelligence (AI) and machine learning can help detect threats in real time and automatically respond to attacks. However, these technologies should be used as part of a larger strategy that understands the challenges of attribution and focuses on continuous innovation.
To address the growing challenges of cyber threats like those posed by KillNet, there is a critical need for multidisciplinary research. Future efforts should focus on the following areas:
- Improved Attribution Techniques: Developing better methods for identifying cyberattackers, using artificial intelligence (AI) and machine learning to speed up and improve the accuracy of attribution, even when attackers use advanced tactics to hide their identity.
- Stronger Infrastructure Design: Creating new ideas for building more resilient infrastructure that includes adaptive security and proactive measures to protect systems and help them recover quickly from cyberattacks.
- Global Standards and Frameworks: Creating international rules and legal frameworks for responding to cyber incidents. This will help nations work together and reduce gaps in cybersecurity capabilities.
- Public-Private Partnerships: Encouraging closer collaboration between governments and businesses to combine expertise and technology. This will help improve threat intelligence sharing and speed up responses to attacks.
- Exploring Emerging Technologies: Researching disruptive technologies like blockchain for secure information sharing and quantum computing for stronger encryption, to stay ahead of future cyber threats.
The world of cybersecurity is unique because of its borderless nature and rapid technological changes, which have reshaped how we think about warfare, security, and sovereignty. KillNet’s operations, which are marked by strategic uncertainty and advanced technology, show the challenges we will face in the future. The need to respond quickly to immediate threats while also building long-term defense strategies highlights the complex relationship between technology, politics, and security.
In conclusion, although it remains difficult to fully identify the attackers behind cyberattacks, the combined efforts of international organizations, governments, and businesses are essential in moving toward a safer digital future. The fight against cyber threats requires strong technology and clear strategic planning, along with cooperation and constant innovation. To protect critical infrastructures from evolving cyber threats, the global community must work together through coordinated approaches and focused research. Only by doing so can we hope to secure our digital world.
