Internet services in Lithuania came under “intense” distributed denial of service attacks on Monday as the pro-Russia threat-actor group Killnet took credit. Killnet said its attacks were in retaliation regarding Lithuania’s recent banning of shipments sanctioned by the European Union to the Russian exclave of Kaliningrad.
Lithuania’s government said that the flood of malicious traffic disrupted parts of the Secure National Data Transfer Network, which it says is “one of the critical components of Lithuania’s strategy on ensuring national security in cyberspace” and “is built to be operational during crises or war to ensure the continuity of activity of critical institutions.” The country’s Core Center of State Telecommunications was identifying the sites most affected in real time and providing them with DDoS mitigations while also working with international web service providers.
“It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy, and financial sectors,” Jonas Skardinskas, acting director of Lithuania’s National Cyber Security Center, said in a statement. The statement warned of website defacements, ransomware, and other destructive attacks in the coming days.
Leaving much to be desired
The attacks came as members of Killnet took to forums on Telegram to boast of the attacks and condemn the Lithuanian government for blocking shipments of some goods to Kaliningrad, which is wedged between Lithuania and Poland and connected to the rest of Russia by a rail link through Lithuania.
“We continue to hint unequivocally to the Lithuanian authorities that they should immediately withdraw their decision to ban the transit of Russian cargo from the Kaliningrad region to Russia,” one message stated. It claimed that websites for four airports in the Baltic country were crippled. “Thanks to our attacks, they are still available only from Lithuanian IP addresses, and their speed, to put it mildly, leaves much to be desired.”
Lithuanian government officials didn’t immediately respond to a request to comment.
Ever since the lead-up to Russia’s invasion of Ukraine in February, a host of hacks have come from groups aligned with both sides. In January, for instance, hacktivists in the pro-Russian country of Belarus said they infected the network of the country’s state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine.
Hackers working for or in allegiance with Russia, meanwhile, have unleashed wiper malware dubbed AcidRain that was used in a cyberattack that sabotaged thousands of satellite modems used by Viasat customers.
Killnet emerged at the start of Russia’s invasion and has posted claims of DDoS attacks on the Lithuanian websites ever since. Targets have included police departments, airports, and governments, according to security firm Flashpoint. On Monday, Flashpoint researchers wrote:
On June 25, Flashpoint analysts observed chatter regarding a plan for a mass-coordinated attack to take place on June 27, which Killnet referred to as “judgment day.” Flashpoint analysts assess with high confidence that the attacks reported on today are the attacks Killnet had planned prior. Smaller attacks have also been observed prior to June 27, including one that took place on June 22, according to our intelligence. Flashpoint analysts assess with high confidence that, based on ongoing chatter regarding Lithuania on Killnet-affiliated Telegram channels that took place over the last week, Killnet made Lithuania its target after the Baltic government closed transit routes to Russia’s Kaliningrad region on June 18.
Notably, in a post from June 26, 2022, Killnet labeled Lithuania a “testing ground for our new skills” and additionally said that their “friends from Conti” are eager to fight, likely pointing to a connection between Killnet and Conti, a ransomware collective that also expressed their allegiance to Russia at the beginning of the Russia’s invasion of Ukraine.
So far, there’s little information about the DDoSes, such as the strength or source of the malicious traffic. DDoSes work by flooding sites or servers with more traffic than they can withstand, causing them to buckle and become unresponsive.