Cyber Threat Actor: Just Evil/Kill Milk
| Actor Type | Location | Known Incidents |
Activist
|
Russia
|
1 incident |
|---|
Profile
Just Evil/Kill Milk is a threat actor that operates under the aliases Just Evil and Kill Milk and has been associated with Russia. Public reporting identifies a Russian national named Nikolai Serafimov as an alleged leader of the group and links the actor to previous distributed denial‑of‑service campaigns and broader geopolitical cyber operations. The actor’s known infrastructure and activity have been observed primarily in European targets, though no broader geographic pattern is explicitly defined in the available sources.
On May 19 2024 the group claimed responsibility for an intrusion into Hamburg Airport’s IT infrastructure, asserting that they had gained access to secured areas and providing screenshots of a control panel and surveillance camera feeds as proof. The airport confirmed that the attack affected an externally hosted system used for monitoring security patrol documentation, emphasizing that this system was isolated from the airport’s core operational networks and that no safety‑critical data were compromised or air traffic disrupted. Despite the group’s assertions, investigators found no evidence that sensitive information had been exfiltrated during the incident. The episode illustrates the actor’s capability to breach peripheral aviation‑related systems and to publicize the intrusion as a demonstration of access.
Beyond the Hamburg Airport case, the actor has been tied to earlier DDoS activities and unspecified prior geopolitical cyber campaigns, although specific malware families, initial‑access vectors, or tooling styles have not been detailed in the public record. Consequently, the threat actor’s tactical profile remains limited to observed intrusion attempts, the use of screenshots to validate claims, and an apparent focus on signaling access rather than data theft or financial gain. The available to these incidents.
