I. Targeted Entities
- Colorado’s official website
II. Introduction
Colorado state officials say that on Wednesday, October 5, 2022, Colorado’s official website was rendered unusable by an apparent cyberattack, after a known Russia-based hacker group posted on Telegram that it would be targeting U.S. state websites. While the U.S. election system is largely disconnected from the Internet, state websites are prime targets for attackers who want to undermine confidence in elections.
III. Background Information
The attack flooded the state’s website with web traffic, a common and simple way to knock a website offline. There is no indication that any of Colorado’s internal systems were accessed or that its election systems were compromised. However, given how close the attack came to the U.S. midterms, experts say it could give the false impression that U.S. elections are vulnerable to foreign interference.
Killnet, the group responsible for the attack, is a Russian-aligned group that claims to be made up of amateur hacktivists who support Russia’s international interests. Killnet follows the same model as Ukraine’s IT Army, a Ukrainian government-affiliated movement that frequently posts lists of Russian websites on Telegram for supporters around the globe to try to overwhelm with traffic. The tactic of overwhelming a website with traffic from many sources at once is known as a distributed denial of service (DDoS) attack. On Wednesday, Killnet posted a list of 12 target states to its Telegram channel: Alabama, Alaska, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Indiana, Kansas, Kentucky, and Mississippi.
It is unclear whether other states were affected, but federal officials have repeatedly stated that they do not expect a cyberattack to affect the midterm elections. The Cybersecurity and Infrastructure Security Agency (CISA), which oversees federal cybersecurity support for election infrastructure, released a joint public service announcement with the FBI stating that “any attempts by cyber actors to compromise election infrastructure are unlikely to result in large-scale disruptions or prevent voting.”
Because DDoS attacks are simple to conduct, inflict no lasting damage, and give the attacker no access to protected data, cybersecurity professionals and other hackers generally regard them as unimpressive. However, Killnet has become more effective at making websites unreachable and has the potential to cause significant disruptions.
IV. MITRE ATT&CK
- T1498 – Network Denial of Service
Killnet performed a DDoS attack to degrade and block the availability of the targeted websites. Network DoS is performed by exhausting the network bandwidth that the targeted services rely on; in the distributed form the traffic comes from many sources at once, so no single address can simply be blocked.
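The detection a web or SOC team would want for the behaviour described above, as an added example that is not code from the advisory or from any Killnet tooling: a small Python script that parses combined-format (Apache/nginx) access logs, counts requests per source in fixed time windows, compares each window against a baseline learned from the first few windows, and reports whether a flood is distributed across many sources or dominated by one sender. The log lines are constructed for the demo from RFC 5737 test address ranges, and the thresholds (10 s windows, 10x baseline, 50 req/s floor, “no single source above 5% of the burst” as the distributed heuristic) are assumptions chosen for illustration, not values from the incident.

```python
"""Rate-based detector for volumetric HTTP floods, run over web-server access logs.

Added example, not part of the original advisory. The log lines are constructed
for the demo (RFC 5737 test addresses), not real traffic from the incident.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def bucket_requests(lines, window_s=10):
    """Count requests per source IP in fixed time windows.

    Returns {window_start_epoch: Counter({ip: requests})}, ordered by time.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1
    return dict(sorted(buckets.items()))


def detect_flood(lines, window_s=10, learn_windows=3, factor=10, min_rps=50):
    """Flag windows whose request volume far exceeds a learned baseline.

    The baseline is the median request count of the first `learn_windows`
    windows. A window alerts when it carries more than `factor` times the
    baseline AND at least `min_rps` requests per second (the absolute floor
    keeps quiet sites from alerting on trivial spikes). Each alert records
    how many distinct sources took part: a flood spread over many addresses
    with no dominant sender is the signature of a distributed DoS, which
    cannot be stopped by blocking a single IP.
    """
    buckets = bucket_requests(lines, window_s)
    starts = list(buckets)
    if len(starts) <= learn_windows:
        return []
    baseline = statistics.median(
        sum(buckets[s].values()) for s in starts[:learn_windows]
    )
    alerts = []
    for start in starts[learn_windows:]:
        per_ip = buckets[start]
        total = sum(per_ip.values())
        if total > factor * baseline and total / window_s >= min_rps:
            top_ip, top_count = per_ip.most_common(1)[0]
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "requests": total,
                "rps": total / window_s,
                "baseline_per_window": baseline,
                "unique_ips": len(per_ip),
                # Assumed heuristic: no single source sends even 5% of the burst
                # -> the traffic is spread over many sources, i.e. distributed.
                "distributed": top_count < 0.05 * total,
                "top_source": (top_ip, top_count),
            })
    return alerts


def _fmt_line(ip, ts, request, status, size=5120):
    """Render one combined-format log line (used only to build the sample)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size} "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed sample: 40 s of normal traffic (2 req/s from four clients),
    then a 10 s burst of 1,000 requests from 250 distinct addresses."""
    base = datetime(2022, 10, 5, 9, 0, 0, tzinfo=timezone(timedelta(hours=-6)))
    clients = ["203.0.113.5", "203.0.113.9", "198.51.100.7", "198.51.100.22"]
    lines = []
    for sec in range(40):
        for k in range(2):
            ip = clients[(sec + k) % len(clients)]
            lines.append(_fmt_line(ip, base + timedelta(seconds=sec), "GET /services HTTP/1.1", 200))
    for n in range(1000):
        ip = f"192.0.2.{n % 250 + 1}"
        ts = base + timedelta(seconds=40 + n % 10)
        lines.append(_fmt_line(ip, ts, "GET / HTTP/1.1", 503))
    return lines


if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

On the constructed sample the script reports one window (the 10 s burst) at 100 requests per second against a baseline of 20 requests per window, 250 unique sources, and `distributed: True`. One caveat worth keeping in mind: a flood large enough to saturate the upstream link never reaches the web server, so nothing appears in its logs. Log-based detection like this covers application-layer floods; true bandwidth exhaustion has to be seen in flow telemetry or by the upstream provider.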
V. Recommendations
- Set antivirus programs to conduct regular scans
Ensure that antivirus and antimalware programs scan assets using up-to-date signatures.
- Monitor malware
Continuously monitor current and emerging types of malware. Stay up to date on threat intelligence and defensive advances to prevent, defend against, and mitigate these types of threats.
- Turn on endpoint protection
Enable endpoint detection and response (EDR) in the product you are using so that unknown malware is stopped.
VI. Indicators of Compromise (IOCs)
Because this advisory concerns a volumetric DDoS attack rather than malware or an intrusion, there are no IOCs. It is nevertheless important that businesses and entities include DDoS in their business continuity and disaster recovery plans, including who is responsible for engaging the upstream provider or a DDoS mitigation service to absorb or filter attack traffic.
VII. References
(1) Collier, Kevin. “Cyberattack on Colorado State Website Follows Russian Hacktivist Threat.” NBC News, October 6, 2022. https://www.nbcnews.com/tech/security/colorado-state-websites-struggle-russian-hackers-vow-attack-rcna51012.
(2) FBI and CISA. “Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting.” Public Service Announcement, October 4, 2022. https://www.cisa.gov/uscert/sites/default/files/publications/PSA_cyber-activity_508.pdf.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Uday Bilakhiya.