Event Summary
As part of our proactive and continuous monitoring services and threat research, we have seen widespread DDoS campaigns targeting businesses and government entities across the world. The hacktivist group Killnet is heavily involved in the Russian-Ukrainian conflict and stands out as the perpetrator of many of these active DDoS attacks.
As part of our ongoing monitoring service, we have updated our databases, including our Threat Intelligence Platform (TIP), with the information detailed in this document, allowing faster, automated detection of any communication with the suspicious IPs listed below.
Background
Killnet is one of many hacktivist groups that have taken a side in the ongoing Russian-Ukrainian conflict. Killnet stands out as one of the most active groups in this conflict, having declared war on Anonymous, a group supporting Ukraine, on February 25, 2022. Killnet is located in Russia and supports its country in the war, alongside other groups such as Xaknet and, often in joint operations, Legion. Killnet has gained notoriety for launching DDoS attacks on the websites of Western critical infrastructure operators, such as airports, banks, energy providers and government agencies.
Details
At this time, the known IP Indicators of Compromise (IOCs) are listed below.
Recommendations
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. Currently, we recommend investigating all detected connections to the suspicious IPs listed in the "Details" section of this document and, where possible, blocking all communication with them.
Additional recommendations are as follows:
- Monitor for any communication to the suspicious IPs listed above.
- Change defaults or easily guessable passwords of Internet-facing devices, especially IoT devices.
- Identify and patch vulnerable IoT devices to prevent them from being used as SSH tunnels or part of DDoS botnets.
- Ensure that all of your security devices, domain controllers, and highly valuable servers listed in your ThreatWatch service contract are reporting logs through the ThreatWatch platform to give the SOC the most visibility possible.
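One way to act on the recommendation to monitor for communication with the listed IPs, shown here as an added example that is not Security On-Demand's own tooling: it matches constructed key=value firewall log lines against an indicator set, using placeholder documentation-range addresses (RFC 5737) in place of the advisory's IPs, and separates outbound hits (the ones to investigate first) from inbound ones.

```python
import ipaddress
import re

# Placeholder indicators (RFC 5737 documentation addresses) standing in for
# the advisory's IOC list, which in practice is exported from the TIP.
IOC_IPS = frozenset({"203.0.113.7", "198.51.100.42"})
IOC_NETS = (ipaddress.ip_network("192.0.2.0/28"),)  # constructed range indicator

# key=value fields as emitted by many firewall/proxy log formats (constructed).
KV = re.compile(r"(\w+)=(\S+)")
SAMPLE_LOG = [
    "2022-10-21T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2022-10-21T10:00:02Z action=allow src=10.0.0.6 dst=198.51.100.9 dport=80",
    "2022-10-21T10:00:03Z action=deny src=192.0.2.9 dst=10.0.0.1 dport=22",
    "2022-10-21T10:00:04Z action=allow src=10.0.0.7 dst=not-an-ip dport=53",
]

def parse_line(line):
    """Turn one log line into a dict of its key=value fields."""
    return dict(KV.findall(line))

def match_ioc(ip_text):
    """Return the indicator (exact IP or CIDR) that ip_text hits, else None."""
    if ip_text in IOC_IPS:
        return ip_text
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed or missing field: cannot match
        return None
    for net in IOC_NETS:
        if ip in net:
            return str(net)
    return None

def find_hits(lines):
    """(direction, peer, indicator, fields) for every line touching an IOC.
    Outbound hits (dst matches) matter most: an internal host reaching out
    to suspicious infrastructure is what the advisory asks to investigate."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for direction, key in (("outbound", "dst"), ("inbound", "src")):
            indicator = match_ioc(fields.get(key, ""))
            if indicator:
                hits.append((direction, fields[key], indicator, fields))
    return hits

def hosts_to_investigate(hits):
    """Internal sources of outbound hits, i.e. the hosts to triage first."""
    return sorted({h[3]["src"] for h in hits if h[0] == "outbound"})
```

Replace the placeholder set with the TIP export and point `find_hits` at the firewall or proxy log feed; a non-empty `hosts_to_investigate` result is the list of internal hosts to examine.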
If Security On-Demand’s SOC has seen any suspicious activity related to these IOCs, we have already notified you. We will continue to monitor and to provide you with relevant updates.
Please contact your Security On-Demand Customer Success Manager if you have any questions about this alert.
Additional Resources
https://www.cisa.gov/uscert/ncas/alerts/aa22-110a