Attacks against Lithuania started on June 20. For the next 10 days, websites belonging to the government and businesses were bombarded with DDoS attacks, overwhelming them with traffic and forcing them offline. “Usually DDoS attacks are concentrated on one or two targets and generate huge traffic,” says Jonas Sakrdinskas, Acting Director of the Lithuanian National Center for Cyber Security. But this was different.
Days before the attack began, Lithuania blocked the movement of coal and metals through its country to the Russian territory of Kaliningrad, further strengthening its support for Ukraine in its conflict with Russia. The pro-Russian hacking group Killnet posted “Lithuania, are you crazy? 🤔” on his Telegram channel to 88,000 followers. The group then invited the hacktivists – citing a number of other pro-Russian hacker groups – to attack Lithuanian websites. The target list was shared.
The attacks, Sakrdinskas explains, were continuous and spread to all areas of daily life in Lithuania. In total, more than 130 websites in the public and private sectors were “blocked” or made inaccessible, according to the Lithuanian government. Sakrdinskas says the attacks, which were linked to Killnet, have largely stopped since early July, and the government has launched a criminal investigation.
The attacks are just the latest wave of pro-Russian “hacktivist” activity since Vladimir Putin’s war began in February. In recent months, Killnet has targeted a growing list of countries that have supported Ukraine but are not directly involved in the war. Attacks on websites in Germany, Italy, Romania, Norway, Lithuania and the United States have been linked to Killnet. The group declared “war” on 10 nations. Targeting often occurs after a country offers support to Ukraine. Meanwhile, XakNet, another pro-Russian activist group, claims to have targeted Ukraine’s largest private energy company and the Ukrainian government.
While security experts have often warned that attacks from Russia could target Western countries, the efforts of volunteer activist groups can have an impact without official state support or guidance. “They definitely have malicious intent when they carry out these attacks,” says Ivan Righi, a senior cyber threat intelligence analyst at security firm Digital Shadows who has studied Killnet. “They are not working together with Russia, but in support of Russia.”
Killnet started out as a DDoS tool and was first spotted in January of this year, according to Righi. “They advertised this app or this website, where you could hire a botnet and then use it to launch a DDoS attack.” But when Russia invaded Ukraine in late February, the group pivoted. The vast majority of Killnet’s efforts and those of its “legion” group — members of the public who are asked to join and launch attacks — have been DDoS attacks, Righi says, but he’s also seen the group linked to some website defacement and the group itself is made unverified claims that she had stolen data.