KillSec

1. Overview

KillSec (short for “Kill Security”) is a self-proclaimed hacktivist collective that emerged in early 2022 and has since been linked to a series of politically motivated distributed denial-of-service (DDoS) attacks, data leaks, and website defacements. Unlike financially driven ransomware groups, KillSec claims to act in response to geopolitical events, aligning itself with anti-Western, anti-NATO, and pro-Russian narratives.

While the group’s technical sophistication is moderate, KillSec’s ability to coordinate high-visibility disruptions across multiple targets and regions makes it a potent propaganda tool, particularly during global conflicts or political flashpoints. KillSec frequently targets government websites, media organisations, defence contractors, and critical infrastructure—especially in the UK, USA, Poland, and Ukraine.


2. Origin and Evolution

KillSec first surfaced in early 2022 during a period of heightened cyber and geopolitical activity related to the Russian invasion of Ukraine. Originally a fringe Telegram channel, the group grew rapidly in influence through collaborations with other pro-Russian cyber collectives, including NoName057(16) and XakNet Team.

Throughout 2023, KillSec expanded its scope, adopting publicly available DDoS tools, leaking low-level credential dumps, and defacing poorly secured websites. The group leverages both custom scripts and shared tooling, and relies heavily on social media, Telegram, and dark web forums to amplify its operations.

In early 2024, KillSec claimed responsibility for a wave of service disruptions targeting UK public health and transport services in retaliation for perceived Western aggression.


3. Tactics, Techniques, and Procedures (TTPs)

KillSec’s activities fall into several key categories:

  • DDoS Attacks (T1499):
    Flooding websites and APIs using volumetric DDoS tools such as LOIC, HTTP-Flood, and custom botnets. Targets often include public sector websites, government portals, and news agencies.
  • Website Defacement (T1491.001):
    Exploiting weak or unpatched CMS platforms to post propaganda messages, political banners, or anti-NATO slogans.
  • Credential Leaks and Data Dumps (T1530):
    Publishing login credentials, email addresses, and database dumps from compromised services. These are often low-complexity breaches, aimed more at humiliation than deep infiltration.
  • Social Media Manipulation (T1585):
    Disseminating exaggerated claims, screenshots, and manipulated videos of successful “hacks” to influence public opinion or sow fear.
  • Collaboration (T1584.001):
    Frequent alignment with other threat actors, sometimes participating in coordinated “campaign days” during elections or military escalations.

4. Targeting Profile

KillSec targets entities perceived as aligned with NATO, the European Union, the United States, or Ukraine. Specific targeting includes:

  • UK Government Departments and Public Services
  • Healthcare systems and NHS subdomains
  • Airports, transport infrastructure, and payment portals
  • Media organisations critical of Russian foreign policy
  • Ukrainian humanitarian NGOs and digital assets

KillSec often relies on target-of-opportunity selection, focusing on low-hanging fruit and misconfigured infrastructure to maximise disruption without requiring advanced persistence.


5. Notable Campaigns and Victims

  • January 2023 – NHS Service Disruption:
    KillSec claimed responsibility for DDoS attacks that caused intermittent outages of NHS booking portals and patient services.
  • July 2023 – Polish Government Websites:
    A campaign defacing multiple .gov.pl subdomains with anti-NATO banners and disinformation messages.
  • February 2024 – UK Rail Disruption Hoax:
    KillSec distributed false claims of breaching a national rail operator, causing brief panic and service slowdowns, although no breach occurred.
  • March 2024 – Joint Campaign with NoName057(16):
    A coordinated series of denial-of-service attacks across the websites of several Western European foreign ministries during a NATO summit.

6. Propaganda and Public Messaging

KillSec operates with a strong information warfare element. Key channels include:

  • Telegram broadcasts with “kill lists” of upcoming targets
  • Defacement images portraying Western leaders in hostile or satirical forms
  • Social engineering tactics such as hoax leaks and fake press releases
  • Use of multilingual messaging to widen the audience and incite international attention

The group rarely engages directly with victims but relies on the fear of exposure and embarrassment to achieve its strategic goals.


7. Technical Indicators

KillSec’s infrastructure and IOCs are often ephemeral, but known indicators include:

  • IP addresses tied to Eastern European VPS services
  • Referrers from Telegram bots and pastebins
  • Use of free subdomain services (e.g., DuckDNS, No-IP) to redirect traffic
  • Payloads downloaded from public GitHub repositories or Mega.nz links
  • Site defacements referencing “KillSec was here” or “Western lies will fall”

Updated observables are available via UK Cyber Defence Ltd’s intelligence feeds.
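
The indicator classes listed above can be turned into a first-pass log triage. The following is an added example, not code from UK Cyber Defence Ltd; the hostname suffix lists, function names and sample log lines are assumptions constructed for illustration, and hits are leads for enrichment rather than proof of KillSec activity.

```python
import re
from urllib.parse import urlsplit

# Assumed hostname suffixes for the services the page names (not from the page).
REFERRER_SUFFIXES = ("t.me", "telegram.org", "pastebin.com")
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")
DOWNLOAD_SUFFIXES = ("raw.githubusercontent.com", "mega.nz")  # noisy: enrich, don't block

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (label-aligned)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def referrer_host(value):
    try:
        return urlsplit(value).hostname
    except ValueError:  # malformed referrer, e.g. an unterminated IPv6 literal
        return None

def triage_access_line(line):
    """Tag one inbound web-server log line by its Referer header."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, host = m.group(1), referrer_host(m.group(2))
    tags = []
    if host_matches(host, REFERRER_SUFFIXES):
        tags.append("referrer:telegram-or-pastebin")
    if host_matches(host, DYNDNS_SUFFIXES):
        tags.append("referrer:dynamic-dns")
    return (ip, host, tags) if tags else None

def triage_egress_host(host):
    """Tag a hostname seen in outbound proxy or DNS logs."""
    tags = []
    if host_matches(host, DYNDNS_SUFFIXES):
        tags.append("egress:dynamic-dns")
    if host_matches(host, DOWNLOAD_SUFFIXES):
        tags.append("egress:public-file-host")
    return tags

# Constructed sample lines (documentation IP ranges, made-up hosts and paths).
SAMPLE = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "https://t.me/s/constructed_example" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2025:10:01:03 +0000] "GET /login HTTP/1.1" 200 734 "http://relay.duckdns.org/go" "curl/8.0"',
]
```

The suffix match is aligned on DNS labels, so a look-alike host such as notat.me does not match t.me.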


8. Defensive Measures and Recommendations

Organisations should take the following actions to defend against KillSec and similar hacktivist groups:

  • Harden public-facing applications and regularly patch CMS platforms
  • Deploy DDoS protection services (e.g., Cloudflare, Akamai) to absorb traffic spikes
  • Monitor for defacement indicators and unauthorised changes to web assets
  • Limit exposed login interfaces, and monitor for brute-force and credential-stuffing attempts
  • Track Telegram and social media chatter for mentions of your brand, domain, or IPs

KillSec’s attacks are disruptive but rarely sophisticated—defence-in-depth and visibility are key.
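
One way to implement the "monitor for defacement indicators and unauthorised changes to web assets" recommendation is to compare each crawl of the site against a known-good hash baseline and scan the visible text for the marker phrases quoted in section 7. This is an added example, not code from UK Cyber Defence Ltd; the function names and the in-memory sample pages are constructed for illustration, and a real deployment would read the bodies from the web root or an HTTP crawl.

```python
import hashlib
import html
import re

# Marker phrases quoted in the Technical Indicators section, lower-cased.
MARKERS = ("killsec was here", "western lies will fall")

def visible_text(body: bytes) -> str:
    """Lower-cased text with tags removed, entities decoded, whitespace collapsed."""
    text = body.decode("utf-8", errors="replace")
    text = re.sub(r"(?s)<[^>]*>", " ", text)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).strip().lower()

def snapshot(pages):
    """Map each asset path to the SHA-256 of its known-good content."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in pages.items()}

def audit(baseline, pages):
    """Compare a crawl against the baseline; return (path, finding) tuples."""
    findings = []
    for path in sorted(set(baseline) | set(pages)):
        if path not in pages:
            findings.append((path, "missing"))
            continue
        body = pages[path]
        if path not in baseline:
            findings.append((path, "unexpected-new-asset"))
        elif hashlib.sha256(body).hexdigest() != baseline[path]:
            findings.append((path, "content-changed"))
        text = visible_text(body)
        for marker in MARKERS:
            if marker in text:  # survives markup and case tricks in the banner
                findings.append((path, "marker:" + marker))
    return findings

# Constructed sample: a known-good deployment and a later crawl of the same site.
GOOD = {"/index.html": b"<h1>Service status</h1>", "/about.html": b"<p>About us</p>"}
CRAWL = {
    "/index.html": b"<h1>KILLSEC was\n <b>here</b></h1>",
    "/about.html": b"<p>About us</p>",
    "/x.php": b"<?php /* unknown upload */ ?>",
}
```

Hash changes also fire on legitimate deployments, so refresh the baseline from the release pipeline; a marker hit or an unexpected new asset is the higher-confidence signal.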


9. Attribution and Alliances

While KillSec is not officially sponsored by a nation-state, the group’s consistent alignment with pro-Russian narratives, infrastructure overlaps with known threat actors, and involvement in broader “patriotic cyber campaigns” suggest strong ideological and logistical ties to the Russian-speaking cyber underground.

KillSec frequently coordinates with:

  • NoName057(16)
  • XakNet Team
  • UserSec Collective
  • Smaller Telegram-based threat clusters

These collaborations appear informal but operationally effective.


10. Conclusion

KillSec is a politically aligned hacktivist group that thrives on amplifying disruption, embarrassment, and distrust. Its tactics are rarely advanced, but its visibility and psychological impact—particularly on government and civic institutions—should not be underestimated.

For UK organisations, especially in the public sector or critical infrastructure, KillSec remains a relevant and persistent threat, requiring both technical mitigation and reputational risk planning.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
