This is the first article going into The Moloch’s Opinion section. I’m hoping to write more of these sort-of “op-eds” to give you some insight into my own journey in developing principles and a methodology to improve future investigations. The next feature will heavily reference the pro-Kremlin hacktivist group KillNet. The article you’re reading right now is not that piece, but it revolves around observations made during an investigation for it.
Credibility, Journalism, And Infosec Grift
Verification is an essential principle in all journalism, but perhaps doubly so when delving into a world of questionable legality in online spaces. While I’m by any definition an amateur in just about every field represented on this website, I know I can’t trust everything I see and am actively working on improving my abilities. Finding leads on a cybercrime or cyberwarfare beat can be as simple as following some sketchy communication channels and seeing what makes waves in them. Unfortunately, the nature of cyberspace offenses means that solidifying attribution after an incident can require a lot of technical expertise.
Basically, any idiot on Telegram can start a channel with a Guy Fawkes mask icon and take responsibility for things they didn’t do (or that never happened in the first place) for clout. Worse, some do this to raise the profile of their group, as many of them sell products or services. If these grifters are careful enough, generally only trained incident responders can disprove the claim, and that process can take weeks.
But sometimes they’re not careful. Or even remotely smart about what they push.
From the other side, the indirectly-involved people who spread these claims can be misguided or malicious as well. How involved are they in spreading the group’s message? Are they claiming to be an expert? It’s not terribly different from having a Twitter account and re-sharing “NAFO” content. Are they a fan, do they agree, or are they claiming to be an “OSINT analyst”?
A Tale Of Two KillNet Hacks
As an example, I want to bring attention to two incidents allegedly involving KillNet: one against the US Department of Defense, the other against the German weapons manufacturer Rheinmetall. As of March 10th, neither claim has been credibly attributed to the group, and the claims might not have even originated with KillNet in the first place.
While I do have a personal bias in the war between Ukraine and Russia that I haven’t been shy about, KillNet is a group that has been, at various points, a very real threat. They should be taken seriously. Though, not unlike Anonymous, the group’s seemingly decentralized nature and strong brand make them an appealing label for lower-profile internet pranksters and criminals to appropriate.
US Department Of Defense
KillNet impersonators pushed the envelope earlier this week by claiming that the group had stolen information from the United States Department of Defense. While this sort of thing has happened in the past, there’s zero evidence to suggest that it has been the case this week, be it from KillNet or any other threat actor.
The impersonator, a KillNet and Russia-supportive, right-populist, French-language Twitter account, asserted that the details of the US’s upcoming lethal aid package to Ukraine have been leaked and sold.
The claim seems a bit suspicious for several reasons. Unfortunately, the petulant, overly-defensive language is something I see quite a bit on hacktivist Telegram. But the funniest bit was the images accompanying the post:
The images, upon a closer look, show no indication that any incriminating or potentially leak-related documents were found. While very likely from a US Army source, that’s where the relevance ends. In fact, one (seen on the right) seems to be an outdated memo on diagnosing PTSD within a medical clinic, and the other is an outdated procedure for the application process to change duty assignment to the Cyber Branch for Army enlisted personnel. The latter document in particular still contains a number of standard US Army document placeholders.
In response, KillNet‘s Telegram channel re-shared the claims the following day, replying, “When Western impostors have nothing to say, they start posting stuff like this😅”.
Rheinmetall
On the morning of March 7th, KillNet called for an attack on a number of Rheinmetall-associated URLs and IP addresses over the company’s support for Ukraine. About seven hours later, the KillNet Telegram shared what they claim is a screenshot of employee emails and what looks to be hashed passwords, which they say led them to a high-level sysadmin account. Despite no one in their organization proper actually taking credit for the attack, they’re now trying to sell the information to anyone willing to pay five bitcoin for it.
While a corporation the size of Rheinmetall certainly has its own information assurance (IA) countermeasures, none of the listed URLs showed any availability problems when I checked just three hours after this claim was made. The only confirmation that the attack was successful came from pro-Russia Twitter legions. They mostly re-post, verbatim, the same message, just translated into their local languages:
Twitter, various
#Killnet cyber-warriors have hacked the resources of the weapons company #Rheinmetall , the main contractor for grenades and military equipment that helps #Oekraïne German concern, founded on April 13, 1889. It is one of the largest manufacturers of military equipment and weapons in Germany and Europe. “The company network was hacked, which made it possible to read information. Apparently German specialists do not keep a close eye on their company network. Russian hackers have stolen the login and password of one of the system administrators Liam O’Connor, many thanks This allowed us to use the pattern to guess the password in the “chambers of the rheinmetall sysadmin”. Where they have already been able to delete corporate data on the company’s employees, the cyberfighters told us.”
While perhaps I could make more sense of the communication if I were a Russian speaker, as far as I can tell, at least two different accounts are credited with the original hashed-password images. As well, the methodology for how they got the credentials is unclear. It sounds like just enough of an explanation to satisfy fans, but not a whole lot for someone with a background in infosec to grab onto. It’s been my (admittedly limited) experience that people in this position tend to be more specific when bragging about their successes.
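One concrete check anyone with a bit of infosec background can run on a “leaked hashes” screenshot like the one described above is to look at what the hash strings actually are. The storage format says something about the story: a table of bcrypt or sha512crypt strings is consistent with a real application database and makes “used the pattern to guess the password” a slow, expensive claim; a table of bare 32-hex strings could be MD5, NTLM or LM and is cheap to crack; a column full of plaintext or mismatched formats suggests a staged or edited image. The script below is an added example written for this article, not code from KillNet, Rheinmetall, or the original post. The “user:hash” lines are constructed for the demo and are not taken from any real leak or from the screenshot in question; the format labels are best-effort pattern matches, and a 32-character hex string in particular cannot be told apart from MD5, NTLM or LM by sight alone.

```python
import re
from collections import Counter

# Constructed sample "user:hash" lines for demonstration only. They are made up
# for this article and are NOT from any real leak, screenshot, or the claim above.
SAMPLE_LINES = [
    "user01:$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "user02:$6$rounds=5000$saltsalt$" + "Q" * 86,
    "user03:$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$" + "A" * 43,
    "user04:0123456789abcdef0123456789abcdef",
    "user05:" + "0" * 40,
    "user06:" + "f" * 64,
    "user07:Summer2023!",
    "user08:",
]

# Ordered (label, regex) pairs; the first match wins. Hex-only formats are
# ambiguous (e.g. MD5, NTLM and LM are all 32 hex characters), so the labels
# for those say so rather than pretending to know.
PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]+\$[./A-Za-z0-9]{86}$")),
    ("sha256crypt", re.compile(r"^\$5\$(?:rounds=\d+\$)?[^$]+\$[./A-Za-z0-9]{43}$")),
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[^$]+\$[A-Za-z0-9+/]+$")),
    ("md5/ntlm/lm (32 hex)", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1 (40 hex)", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("sha256 (64 hex)", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha512 (128 hex)", re.compile(r"^[0-9a-fA-F]{128}$")),
]

# Formats that are cheap to attack offline with commodity hardware.
FAST_HASH_LABELS = {"md5/ntlm/lm (32 hex)", "sha1 (40 hex)", "sha256 (64 hex)", "sha512 (128 hex)"}


def identify(token: str) -> str:
    """Best-effort label for one credential token based on its shape alone."""
    if token == "":
        return "empty"
    for label, pattern in PATTERNS:
        if pattern.match(token):
            return label
    return "plaintext or unknown format"


def triage(lines):
    """Classify every 'user:hash' line and summarise what the formats imply.

    Returns (rows, counts, notes): rows is a list of (user, label), counts is a
    Counter of labels, and notes is a list of plain-English observations that a
    reporter can weigh against the attacker's own narrative.
    """
    rows = []
    for line in lines:
        user, _, token = line.partition(":")
        rows.append((user.strip(), identify(token.strip())))
    counts = Counter(label for _, label in rows)

    notes = []
    unknown = counts.get("plaintext or unknown format", 0) + counts.get("empty", 0)
    if unknown:
        notes.append(f"{unknown} field(s) are not recognisable hashes: either this is not "
                     "a password table, or the image was edited or padded")
    hash_formats = {label for label in counts if label not in ("empty", "plaintext or unknown format")}
    if len(hash_formats) > 1:
        notes.append("mixed hash formats in one table is unusual for a single "
                     "application; it may indicate multiple sources or fabrication")
    fast = sum(counts.get(label, 0) for label in FAST_HASH_LABELS)
    if fast:
        notes.append(f"{fast} entries use fast unsalted-style hashes; a 'guessed the "
                     "password' story is plausible for these")
    slow = sum(counts.get(label, 0) for label in ("bcrypt", "sha512crypt", "sha256crypt", "argon2"))
    if slow:
        notes.append(f"{slow} entries use slow password hashes; cracking these from a "
                     "screenshot in hours would be a strong claim needing evidence")
    return rows, counts, notes


if __name__ == "__main__":
    rows, counts, notes = triage(SAMPLE_LINES)
    for user, label in rows:
        print(f"{user:8} {label}")
    print(dict(counts))
    for note in notes:
        print("-", note)
```

None of this proves or disproves a breach; it only tells you whether the artifact being waved around is internally consistent with the story attached to it, which is usually the most an outside observer can establish in the first few hours.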
And then there’s the limited response from Rheinmetall themselves. News of any attack seems to have been limited, and they’ve only reported a largely unsuccessful and forgettable DDoS attack:
That’s not to say that there can’t be further disclosure on the incident. Perhaps the leaked credentials haven’t been detected yet by the company, or they’ve suppressed the information to stifle a panic. However, now that the rest of the week has passed, I find it hard to believe a breach this serious wouldn’t have made a bigger splash, had it been substantiated.
The Takeaway
Of the last four cyber attacks I’ve investigated for what I thought would be a timely scoop, I ended up finding nothing worth reporting, and that is just going to happen.
My hot take on the cyberwarfare beat: hours of investigation can be spent on what ends up being empty bravado, and you have to be prepared to just accept that. I only do this blog part time (ten hours-ish of work most weeks), and I’ve had to “kill my baby” no less than fifteen times in six months of operation. For every one of the “short” articles on The Moloch, there were at least three planned at some point.
As I grow in experience, gain better tools, and go through more writing-conducive lifestyle changes, this will become a more efficient process. At this amateur level, however, I think any journalist or blogger has to be prepared to throw their hands up and move on. Healthy detachment.
And to be honest, you have very little reason to trust anything most of your subjects will say. More often than not, they are willingly committing crimes. They will lie for a number of reasons. Some of these reasons are totally understandable and ethical (concealing identities, protecting sources, etc.). Some of them may be dishonest for what they feel is the right reason, such as valuing passion and awareness for their cause over whatever direct action they can actually take at the time.
Always remember, though, that every actor you investigate in cybercrime, hacktivism, and cyberwarfare must be taken seriously. It doesn’t matter how informal, unprofessional, unreliable, or chaotic they seem. Respect that you’re reporting on, and often judging, the activities of someone who may actually have the ability to fuck. your. life. up. You have to determine the level of distance you want to keep from the beat. Would you rather play it safe and cover publicly reported security incidents? Do you want to lurk and scratch purely the surface of public communications between threat actors? Do you want to approach them for actual statements and interviews on their own back channels? Each of these entails its own level of accepted risk, and an increased demand for literacy in cybersecurity and opsec best practice. When it comes to high risk tolerance, I know The Moloch isn’t there yet. So for now, respectful distance it is.