The Russian hacktivist collective Killnet has carried out a series of distributed denial of service (DDoS) attacks against Nato, causing temporary disruption to some of the military alliance’s public-facing websites.
The Killnet operation had previously said via its closed channel on the encrypted Telegram service that it was commencing attacks against Nato. It also appears to have been soliciting cryptocurrency donations to maintain the attacks.
A Nato spokesperson confirmed the alliance had briefly come under attack: “Nato cyber experts are actively addressing an incident affecting some Nato websites. Nato deals with cyber incidents on a regular basis, and takes cyber security very seriously.”
Speaking at a press conference convened ahead of a meeting of defence ministers, Nato secretary general Jens Stoltenberg told reporters that the alliance has deployed additional protective measures since Sunday 12 February.
“The majority of Nato websites are functioning as normal. Some Nato websites are still experiencing availability issues, but our technical teams are working to restore full access,” he said.
Stoltenberg said that Nato’s classified networks – those used to communicate on active missions and within the alliance’s command structure – were not attacked.
However, according to reports, the cyber attack may also have affected networks used by Nato’s Strategic Airlift Capability (SAC), a programme within Nato that provides military airlift capabilities to 12 member states using Boeing C-17 Globemaster III aircraft. The UK is not part of this unit, although the Royal Air Force does operate C-17s.
SAC, which has been flying search and rescue equipment and teams into an airbase in south-eastern Turkey, reportedly found itself unable to communicate with a C-17 in flight due to network disruption, although it is understood it never lost contact with the plane.
At the time of writing, the death toll from the 7.8 magnitude earthquake had risen to more than 33,000 in Syria and Turkey. A week after the disaster, hopes of finding any more survivors are fading fast as the relief operation moves from the search and rescue phase to one of support and recovery.
Killnet’s attacks on Nato targets will come as little surprise to long-time observers of the cyber element to Russia’s war on Ukraine.
Since the early days of the conflict the Kremlin-aligned group has targeted organisations and governments that have supported Ukraine, and recent announcements of more military aid to Kyiv prompted a series of attacks on targets in Germany and the United States.
The group’s stock-in-trade DDoS attack is a relatively affordable variety of cyber attack designed to cause temporary and noisy disruption, rather than damage, to its targets, by flooding their public-facing infrastructure with an overwhelming number of junk requests. As such, Nato will likely have been prepared to be targeted in this way.
Sam Curry, chief security officer at Cybereason, said: “The group claiming responsibility for the attack, Killnet, is known best for their use of DDoS as a tool. Building large botnets is significant, but it is also defensible; and resilience can be built. It’s in some ways the ‘poor man’s’ cyber tool, because it gets a big splash for relatively little investment.
“Dogs run in packs, and this is no different. DDoS produces a lot of barking, but the pack isn’t that large. Targeting local and state governments is optimising for the most visibility. If they could do more, they would. At this time, the best assumption is that we are seeing Killnet’s loudest attempt to get attention. However, the world is more-or-less divided for or against Putin, and attacks like this aren’t likely to either sow debilitating fear or sway hearts and minds.”