Cyber Incident Victim: Congress.gov
Date:
Jul 2022
Location:
United States of America
Summary
A pro-Russian cybercrime group known as KillNet conducted a distributed denial-of-service (DDoS) attack against Congress.gov, causing temporary downtime that intermittently disrupted public access to the site. The Library of Congress, which administers the domain, confirmed the attack briefly affected operations but stated no network compromise or data loss occurred. KillNet, linked to previous attacks on entities perceived as hostile to Russia—including infrastructure in Norway, Lithuania, and a U.S. airport—claimed responsibility via a Telegram message criticizing U.S. spending priorities alongside a Biden image. The group is categorized as a Russia-aligned hacktivist entity, though its exact ties to the Russian government remain unclear.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 7, 2022, beginning at approximately 9 p.m., the Library of Congress-managed Congress.gov website experienced intermittent disruptions due to a distributed denial-of-service (DDoS) attack. The pro-Russian cybercrime group KillNet claimed responsibility for the attack, posting a video on its Telegram channel that displayed a 503 error page from Congress.gov alongside an image of President Joe Biden. The group accompanied this with a message criticizing U.S. spending priorities, stating via Google translation: "They have money for weapons for the whole world, but not for their own defense." Library of Congress officials confirmed the attack caused temporary downtime that "briefly affected public access" to the legislative information site, with normal operations fully restored just after 11 p.m. the same evening. No network compromise or data loss occurred during the incident.
KillNet had emerged earlier in 2022 following Russia's February 24 invasion of Ukraine, conducting DDoS attacks against entities perceived as hostile to the Russian government. Prior to the Congress.gov incident, the group had targeted a Connecticut airport in March 2022, launched attacks against Norwegian entities in late June, and persistently attacked Lithuanian infrastructure after Lithuania restricted transit to Kaliningrad. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously flagged KillNet in an April 2022 alert about Russian-aligned cyber threats to critical infrastructure, noting that such groups might blend ideological alignment with financial motives. Cybersecurity firm Mandiant's May 2022 analysis categorized KillNet alongside other Russia-aligned "hacktivist" collectives like Kaxnet and RahDit, while emphasizing that the precise relationship between these groups and the Russian state remained unclear. The Congress.gov attack represented another geographically dispersed disruption in KillNet's campaign, though it resulted in limited operational impact beyond temporary accessibility issues.