The European Investment Bank confirmed the cyber attack without attributing it to anybody, but the strike happened hours after warnings issued by Russian-speaking hackers, who declared themselves the “Darknet Parliament.”
“While we have seen groups claiming responsibility for the incident, we will not speculate at this stage,” a spokesman told reporters while confirming the cyber attack on European Investment Bank.
On June 19, 2023, KillNet hackers boldly announced the cyber attack on European Investment Bank on their Telegram channel, boasting of successfully “paralyzing” the inter-network infrastructure of the EIB, thereby inflicting significant disruption to its operations.
State-sponsored hackers attacking the organizations and facilities of opposing nations is nothing new. What makes this attack interesting is the fact that it is the first after Killnet declared its intentions to become a cyber mercenary group.
Killnet and the emergence of Darknet Parliament
The term “Darknet Parliament,” coined by KillNet, has rapidly gained infamy, capturing the attention of cyber media worldwide.
KillNet unveiled this ominous phrase through a chilling Telegram post on June 16, outlining an elaborate blueprint to dismantle and undermine Europe’s robust banking system.
“Darknet parliament has emerged as a trending keyword among Threat Analysts following the revelation of a meeting by the hacking group KillNet,” threat intelligence service FalconFeeds tweeted on June 16.
“The meeting involved three group heads, including representatives from Revil and Anonymous Sudan.”
Intriguingly, their post adopted the format of a government briefing report, presenting their decisions and solutions with meticulous numerical labeling.
Cyber attack on European Investment Bank
KillNet’s statement divulged a roster of high-value targets, prominently featuring major financial institutions including European and US banks, SWIFT, the US Federal Reserve System, SEPA, IBAN, Wire money transfer service, and Wise, a renowned money transfer company.
As of June 19, 2023, the poll initiated by REvil continued to gain momentum, amassing an overwhelming 13,793 votes, with the majority in favor of targeting the SWIFT system.
Adding to the unfolding developments, the pro-Russian DDoS service provider Radis made a notable announcement on June 18, 2023, signaling their return from a period of inactivity.
In response to Radis’s revival, KillNet affirmed their intent to launch their campaign against the European banking system on the following working day, Monday, June 19.
In a tweet on June 19, EIB officially acknowledged the cyber attack on European Investment Bank, stating that it is actively working to address the incident. Throughout the day, users were unable to access the bank’s website due to the cyberattack.
Motivations behind Cyber attack on European Investment Bank
KillNet emerged in February 2022 as a potent cyber threat for pro-Ukraine countries, leveraging their extensive hacking capabilities to retaliate against countries opposing the Russian invasion, with a particular focus on NATO member states.
Recently, the European Commission and European Investment Bank made an important announcement regarding their support for Ukraine.
They have reached an agreement to provide an EU guarantee, enabling the EIB to offer a loan of $100 million to aid in Ukraine’s swift recovery efforts, specifically for initiatives like municipal or energy infrastructure repairs.
“The EU is stepping up support to address Ukraine’s fast recovery needs,” European Commission President Ursula von der Leyen said in the declaration on June 13.
“In addition to our €1 billion for fast recovery to support critical sectors, the agreed EU guarantee allows EIB to lend to Ukraine an additional €100 million on very favourable terms. We are determined to bring back life to all the communities in Ukraine that suffer from Russia’s aggression.”
The European Union has already made available a substantial sum of €70 billion to aid Ukraine and its people.
While KillNet has previously launched crippling attacks across diverse sectors and nations since their transformation into a hacktivist entity in February 2022, their recent pivot towards targeting financial organizations indicates a broader underlying agenda.
The threat actors driving the Darknet Parliament campaign appear motivated by a profound desire for retribution, seeking to impose their own set of retaliatory sanctions upon European financial institutions in response to the stringent measures imposed by Western financial bodies against Russia.
Interestingly, Killnet’s first attack after its announcement of their change in operations from hacktivism to mercenary operations happened to be on Europe’s banking nerve centre.
Killnet turns cyber mercenary
On April 27, Killnet on Telegram announced its plans to go mercenary.
“Altruism – Killnet’s hacktivism has come to an end. From now on we are: Russian private military hacker company Killnet,” said the post.
“We also defend the interests of the Russian Federation, but now we are taking orders from private and state persons,” it added.
However, the transition move started much before that, reported cybersecurity firm Flashpoint.
Researchers there noticed on March 13, 2023, that Killnet made a significant announcement through their leader, Killmilk, on Telegram on the establishment of “Black Skills,” a private military hacking company.
“The name “Private Military Hacking Company” is a clear riff on the growing presence and cult of private military companies in Russia (primarily the Wagner Group),” said the report.
“It is also likely a not-so-subtle invitation to the Russian government to use Killnet’s resources as a cyber mercenary group, although it’s also unlikely they will deeply vet their clientele.”
This announcement follows closely on the heels of the recent launch of “Black Listing,” a DDoS-for-hire service targeting darknet marketplaces.
The service was officially initiated by Deanon Club, Killnet’s partners, but Killnet actively supports and collaborates with them in this endeavor.
Researchers have spotted several nation-state actors taking up hacking for contract. If the indications are right, Killnet, arguably the biggest pro-Russian operation that popped up since the Ukraine invasion started, is also on the same path.
Cyber mercenaries and Nation State actors: The blurring lines
Nation states have long relied on proxies to do their bidding for various reasons, wrote Beatrice A. Walton in the book Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law.
In the pre-cyber era, their uses included escaping the application of international law, maintaining plausible deniability by masking the identity of the culpable actor, and engaging in warfare under circumstances where the public appetite for traditional military operations has waned.
“As cyberspace has emerged as the new frontier for geopolitics, states have become entrepreneurial in their sponsorship, deployment, and exploitation of hackers as proxies to project power,” wrote Dr. Tim Maurer, Senior Fellow in Carnegie’s Technology and International Affairs program.
“Such modern-day mercenaries and privateers can impose significant harm undermining global security, stability, and human rights.”
Cyber mercenaries develop and sell tools, techniques, and services to clients, irrespective of their affiliation, to break into networks and internet-connected devices.
“We have seen a growing industry of private sector offensive actors, or cyber mercenaries, that develop and sell tools, techniques, and services to clients – often governments – to break into networks, computers, phones, and internet-connected devices,” said a Microsoft report.
“While an asset for nation state actors, these entities often endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens. These cyber mercenaries are providing advanced “surveillance as a service” capabilities which many of the nation states would not have been able to develop alone.”