Lockbit, Killnet… These cyberpirates who multiply attacks in Europe

The European Parliament fell victim to a DDoS cyberattack on Wednesday 23 November. Its site was taken out of service a few hours after a vote by MEPs describing Russia as a "State promoter of terrorism". The Speaker of Parliament tweeted that a pro-Kremlin group claimed responsibility for the attack, while Deputy Speaker Eva Kaili told the Politico website "strong reasons to believe that it is Killnet, Russian-Linked Hackers".

In France and in Europe, attacks of this kind against the sites of institutions or administrations are increasing. During the French presidential campaign of 2022, the cyberpirates of Killnet had already claimed to be at the origin of the breakdown of the site of Emmanuel Macron, denouncing "France's support for Ukraine". The group also claimed responsibility for a cyber attack on several Lithuanian government sites simultaneously in June: it was a reaction to the blocking of goods in the Kaliningrad enclave.

"This militant group was formed around March 2022, in response to Russia's invasion of Ukraine," says Gérôme Billois, cybersecurity expert at Wavestone, and author of the book Cyberattacks - The Underside of a Threat world. Killnet, which also paralyzed the sites of the Italian Senate, Norwegian administrations, Latvian public radio or the Czech government for a few hours, belongs to the category of "hacktivists". That is, hacker groups that carry out cyberattacks in the name of an ideology.

The group's specialty: DDoS, or "denial of service" attack. "It's a tool of medium intensity, which consists of blocking access to a website by saturating it with the number of connections. It's like a virtual demonstration, when thousands of people go to the same place" , explains the specialist. The consequences remain minor, since this type of attack does not cause long-term damage. "They cannot maintain it indefinitely, just as demonstrators cannot remain in the place they are blocking indefinitely: the connections cease after a while", explains Gérôme Billois.

Structured in a very volatile way, these groups of militant hackers do not have a fundamentally financial goal. "And they work by grouping together on Telegram channels, rallying sympathizers to be part of the attack and making their computer equipment available," says the expert. “Most of the targets are simply the actors who have implemented sanctions against Russia or made negative remarks, but also companies which have withdrawn from Russian territory, he explains. has also created a lot of concern among the companies concerned, which have invested in computer monitoring and protection cells.

More broadly, "according to government figures, cyberattacks have quadrupled in France" since 2020, says Gérôme Billois. Many of them are perpetrated by cybercriminal hacker groups, which are not militant but seek to obtain money through "ransomware" causing computer networks to be blocked and data theft. In recent months, the Corbeil-Essonnes hospital, the cities of Chaville (Hauts-de-Seine) or Caen (Calvados) as well as many companies have been victims. These groups operate "like real small cybercrime SMEs, with 10 to 60 employees, they hire attackers and distribute the ransoms", says Gérôme Billois.

One of the best-known groups, Lockbit, is also affiliated with Russia, although it claims to be apolitical. “Historically, many cybercriminal groups are based in Russian-speaking countries and enjoy a form of impunity when they are smart enough not to attack their own countries and companies. carry out attacks against the countries of the former USSR," he explains.

If these two types of groups operate according to different methods and with different motivations, "we must keep in mind that the world of piracy is very porous", recalls the cybersecurity specialist. “It is not impossible that ransomware groups are protected by states that use them to launch attacks, or that militant groups are joined and funded by state actors.”