The attacks against Lithuania started on 20 June. For the next 10 days, government and corporate websites were bombarded by DDoS attacks, overloading them with traffic and forcing them offline. “Normally, DDoS attacks are concentrated on one or two targets and generate huge amounts of traffic,” said Jonas Sakrdinskas, acting director of Lithuania’s National Cyber Security Center. But this was different.
Days before the attacks started, Lithuania blocked coal and metal from being moved through its country to the Russian territory of Kaliningrad, which further strengthens its support for Ukraine in its conflict with Russia. The pro-Russian hacker group Killnet wrote “Lithuania are you crazy? 🤔” on its Telegram channel to 88,000 followers. The group then called on hackers – and named a number of other pro-Russian hacker groups – to attack Lithuanian sites. A list of goals was shared.
The attacks, Sakrdinskas explains, were continuous and spread over all areas of daily life in Lithuania. In all, more than 130 sites in both the public and private sectors were “blocked” or made inaccessible, according to the Lithuanian government. Sakrdinskas says the attacks, which were linked to Killnet, have mostly fallen since early July, and the government has opened a criminal investigation.
The attacks are just the latest wave of pro-Russian “hacktivist” activity since the start of Vladimir Putin’s war in February. In recent months, Killnet has targeted a growing list of countries that have supported Ukraine but are not directly involved in the war. Attacks on sites in Germany, Italy, Romania, Norway, Lithuaniaand United States have all been linked to Killnet. The group has declared “war” against 10 nations. Targeting often takes place after a country offers support to Ukraine. Meanwhile, XakNet, another pro-Russian hacktivist group, has claimed to have attacked Ukraine’s largest private energy company and the Ukrainian government.
While security experts have often warned about it attacks from Russia may be directed at Western countries, the efforts of voluntary hacktivist groups can have an impact without being officially supported or carried out by the state. “They certainly have malicious intent when carrying out these attacks,” said Ivan Righi, a senior cyber-threat analyst at security firm Digital Shadows, which has studied Killnet. “They are not working with Russia, but in support of Russia.”
Killnet started as a DDoS tool and was first seen in January this year, Righi says. “They advertised this app or website where you could rent a botnet and then use it to launch DDoS attacks.” But when Russia invaded Ukraine in late February, the group turned. The vast majority of Killnet’s efforts and its “legion” group – members of the public being asked to participate and launch attacks – have been DDoS attacks, Righi says, but he has also seen the group link to some site disruptions, and the group itself has made unconfirmed allegations that it has stolen data.