Russian-affiliated hacking group Killnet has claimed responsibility for disrupting communications between NATO and organisations delivering earthquake relief in Turkey and Syria.
The recent earthquake has killed at least 28,000 people, and rescue teams continue to recover victims from collapsed buildings. Countries and humanitarian organisations around the world mobilised resources, including transport and airlift aircraft, to support relief operations.
Strategic Airlift Capability (SAC), a multinational organisation that operates with NATO support to conduct airlifts, was transporting search-and-rescue equipment to the affected area and reported being affected by Killnet’s cyberattack.
Messages posted by Killnet’s leader in Telegram channels signalled the group’s involvement, and other Russia-aligned hacking groups reportedly joined the effort soon after.
Killnet and allied groups targeted communications linking NATO aircraft and other humanitarian providers operating in the disaster zone, using distributed denial-of-service (DDoS) attacks to interrupt services.
Muhammad Yahya Patel, Security Engineer at Check Point Software, said:
“Again Killnet is causing disruption through DDoS attacks as opposed to a full offensive attack to garner publicity. By targeting NATO and Strategic Airlift Capability, they were clearly trying to disrupt the humanitarian efforts in place to support the Turkey and Syria crisis response. This has been their MO for some time, and I am sure we haven’t seen the last of these attempts. It would be wise for all businesses but, in particular, those with public-facing services, to strengthen their defences to ensure they remain operational.”
One SAC C-17 aircraft reportedly received a warning via ACARS (Aircraft Communications Addressing and Reporting System) that NATO’s NR network was experiencing a DDoS disruption. NATO officials said cyber teams were actively addressing the incident.
A NATO official commented: “NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously.” NATO’s public website did go offline briefly but was restored after a few hours.
Jake Moore, Global Cybersecurity Advisor at ESET, added:
“Killnet is attempting to make some noise online, building its profile and endeavouring to disrupt organisations where possible, especially those in support of Ukraine. Now we are seeing them hone in on dedicating attacks on NATO, but – when specialising in DDoS attacks – the attacks are usually easier to defend against. Denial-of-service attacks are often not seen in the same light as a cyberattack where data is stolen due to the disruption induced. Although access denial to a website can be frustrating, this can be mitigated with simpler efforts such as reducing the attack surface area and deploying firewalls for sophisticated application attacks. When data is not stolen, the threat is immediately reduced, but this is not to suggest that the attacks will not have an impact on the use of the website. DDoS attacks can also be the gateway to more serious cyberattacks also so it would be vital for NATO to step up security nevertheless.”
NATO has previously warned that cyberattacks could prompt a collective response from member states, but what exactly would trigger such a response and how it would be carried out remains unclear. Generally, DDoS attacks that do not directly endanger lives are more likely to be met with cyber countermeasures. Attacks that disrupt hospitals, transport networks, energy grids, or other critical infrastructure with the potential to cause loss of life or severe damage are more likely to cross a threshold that could escalate beyond cyberspace.
Andrew Egoroff, Senior Cybersecurity Specialist at ProcessUnity, noted that if cyber operations—whether accidental or deliberate—knocked out essential public services or power in a NATO-aligned country, the tangible, harmful effects could make a military response conceivable.
The conflict between hacktivist and state-aligned groups continues to intensify. Killnet has previously clashed with Western-affiliated collectives such as Anonymous. Internal divisions also appear within some ransomware groups: for example, a member of the Conti ransomware group, believed to be Ukrainian, leaked internal chats after a leader posted a pro-Russian message following Russia’s invasion of Ukraine. That message pledged support for the Russian government and warned of retaliation against critical infrastructure in countries that act against Russia.
Cyber activity against Ukraine has been extensive: roughly 288,000 cyberattacks were estimated against Ukraine in the first ten months of 2021 alone. Governments and businesses in countries that have supplied Ukraine with military equipment or imposed sanctions on Russia have been urged to take pre-emptive measures to defend against potential cyberattacks.
(Image Credit: UK-ISAR Team under CC BY 2.0)