Russian cyberattacks are happening here in the U.S. right now. A pro-Russian political hacking group has claimed responsibility for distributed denial-of-service (DDoS) attacks that brought several major US airports’ public websites offline. The Cyberattack did not affect U.S. air travel, and the Russian hacking group has targeted other countries opposing Russia’s invasion of Ukraine.
In addition to the airport attack, KillNet has also claimed responsibility for several DDoS attacks that temporarily took down several American state government websites last week.
Due to the attack, several major airport websites in the United States were briefly taken offline. A DDOS attack involves flooding a website with traffic to take it offline. The airport websites were attacked after the pro-Russian hacking group “KillNet” published a list of sites and encouraged its members to attack them.
The DDOS attacks only affected the airports’ websites, which provide flight and service information and have no effect on operations.
Chicago’s O’Hare and Midway international airports were among the dozen airports hit by the Monday attack, and the city of Chicago owns both and shares the web domain flychicago.com. A KillNet Telegram channel had previously posted a “list containing over two dozen targets.” Other airports experiencing DDoS issues due to the attack include Atlanta’s Hartsfield-Jackson International Airport, Los Angeles International Airport, and Denver International Airport. Los Angeles, New York, Phoenix, and St. Louis were also included.
Hartsfield-Jackson Atlanta International Airport said its website was back up and running after an incident early Monday morning that rendered it inaccessible to the public. The statement said that an investigation into the cause of the incident is currently underway. “At no time were airport operations disrupted.”
Most of the airport websites targeted appeared to be operational after being temporarily taken offline.
KillNet claimed responsibility for attacks on several state government websites in the United States last week. The group has openly stated that its target was countries opposed to Russia’s invasion of Ukraine. KillNet has previously targeted Italy, Romania, Estonia, Lithuania, and Norway, all of which condemned Russia’s invasion of Ukraine.
No immediate response was received from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The Russian-language group has also called for DDoS attacks on marine terminals, logistics facilities, weather monitoring centers, the healthcare system, and online trading systems on its Telegram channel. The Telegram channel features memes, digital stickers, and news coverage of its exploits.
The U.S. federal government concluded earlier this year that KillNet is one of a few cybercrime groups declaring allegiance to Moscow. Some of these groups are more loyal to Moscow than others and maybe a front for state-sanctioned hacking rather than true hacktivism.
The group’s formation demonstrates how any war in the information age will have a cyber component – but also how annoyance and defacement, rather than fully developed cyber warfare, have been a feature of the Russia-Ukraine conflict to date.
According to threat intelligence firm Digital Shadows, KillNet began as the name of a DDoS tool, and the group behind it evolved from criminal service providers to Kremlin-aligned hacktivists. It recruits volunteers to carry out DDoS attacks, grouping them into squads called “Kratos,” “Rayd,” and “Zarya.”
A KillNet DDoS attack, according to the Italian Computer Security Incident Response Team, came in three waves. The first was a network-tier flood of connection requests that overwhelmed targets with bogus TCP or UDP requests. That first wave was accompanied by DNS amplification requests, which flood servers with falsely requested domain name system responses, and I.P. fragmentation attacks, which chop internet protocol datagrams into smaller pieces to consume available memory. The second wave was an intensification of the first, but it did not include DNS amplification. The previous wave switched between network-tier and protocol-based attacks.
KillNet has previously targeted airport websites in the United States. It claimed responsibility for a DDoS attack on Bradley International Airport in March, a facility classified as a “medium” commercial aviation hub by the Federal Aviation Administration.
“Bradley airport – not sure why they targeted it,” threat research firm CyberKnow tweeted at the time. On Monday, Bradley Airport was targeted once more.