A group of Russian-speaking hackers on Wednesday took responsibility for a denial-of-service attack targeting state government websites, with several states experiencing brief or lengthy outages.
The group, which calls itself Killnet, appeared to have temporarily disabled websites run by the governments of Colorado, Connecticut, Kentucky and Mississippi. Images being shared on the group’s Telegram channel show a target list including sites run by dozens of U.S. state governments. Most of the sites affected Wednesday appeared to be stable Thursday morning, though Colorado’s main website is still replaced by a temporary site as officials work to restore access. (The temporary site contains links to Colorado’s other digital services, which were not affected by the DDoS campaign.)
Colorado officials said Wednesday that the state’s homepage was “taken offline due to a cyberattack claimed by an anonymous suspected foreign actor,” though they declined to comment further on the incident’s connection to Killnet’s threat.
“The Governor’s Office of Information Technology and State Emergency Operations Center are actively working with state and federal partners to restore access to the Colorado.gov Portal homepage,” officials said. “Security measures are also being taken to ensure that state websites and services remain unaffected.”
The state does not have an estimate for when the main site will be restored.
Another site that was briefly downed Wednesday was the Kentucky Board of Elections, which features information about voter registration, candidate resources and polling places, though the site is not involved in the actual voting process.
According to an Elections Infrastructure Information Sharing and Analysis Center email reported by CNN, Killnet’s operation “does not appear to specifically target U.S. elections infrastructure, though election-related websites can be indirectly or directly impacted through the broader operation.”
Killnet emerged shortly after Russia’s late-February invasion of Ukraine and set about targeting websites operated out of countries that have been supporting the Ukrainian defense, including Norway and Lithuania. The group also attempted to disrupt the Eurovision Song Contest — which excluded Russia — but was thwarted by cyber authorities in host nation Italy.
The group’s also targeted U.S. websites before, including that of Bradley International Airport in Hartford, Connecticut, as well as Congress.gov, which was briefly taken down in July.
The group is dubbing this week’s operation “USA Offline.” Since early Wednesday, the group’s members have been posting a list of state-government websites, preceded by an image showing a mushroom cloud behind the Statue of Liberty with the caption “Fuck NATO.” Telegram posts suggest the group intends to attempt to disrupt sites for 72 hours.
But the hacktivist group is considered more of an obnoxious, attention-seeking nuisance than an advanced cyber threat. While the group runs a Telegram channel with nearly 93,000 subscribers — who trade pro-Kremlin propaganda and crude jokes about Ukrainian President Volodymyr Zelensky — it is considered relatively easy to block.
“Killnet seems to be a semi-structured organization with effective communication,” reads an analysis of the group published by the cybersecurity firm Forescout. “Although they have managed some level of success in their campaigns, there is no evidence that they use or develop custom tools or even that they reuse very sophisticated tools in their attacks.”
The analysis recommended patching internet-connected devices and increasing monitoring of network traffic on those devices.
Killnet was also one of several groups included in a Five Eyes alert earlier this year warning of Russian state-sponsored and criminal threats, including DDoS attacks against critical infrastructure.
CyberScoop’s AJ Vicens contributed reporting.