Black Skills: Russian Cyber PMCs?


    1.0. Introduction

    Black Skills is reportedly the name of an upcoming pro-Russian cyber private military company (PMC) orchestrated by Killmilk, leader of the hacker group Killnet. The organisation’s status is currently vague, and openly available information is scarce. Even though Killnet is one of the most active hacker groups conducting operations targeting Ukrainian entities and Western allies, the group is known to exaggerate claims of its significance and does often show attention-seeking behavior. That said, the establishment of Black Skills likely follows the same pattern and, as of now, does not pose any real threat but is most likely an attention-seeking attempt to gain support and media coverage.

    However, Black Skills may also be an attempt to attract further the Russian government’s attention and support to enable more sophisticated operations, which calls for attention and monitoring of the organization’s development and operational activities. 

    2.0. What is Killnet?

    Killnet is a pro-Russia hacker group commonly known for its DDoS attacks targeting governments and private organizations in countries supporting Ukraine since the 2022 Russian invasion. Before the invasion, Killnet sold DDoS-for-hire services but was reformed shortly after the Russian invasion of Ukraine to protect the interests of Russian citizens. Although KillNet’s objectives align with official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR), their ties are unconfirmed.

    2.1. Killnet & Black Skills Symbols

    In their visual logotypes and other symbols, Killnet mainly uses imagery correlating with Russian entities active in Ukraine. Graphic symbols of Black skills are scarce as of now. Still, the masked individual in the group’s logotype suggests an ambition to not explicitly draw attention to military factors like counterparts such as the Wagner Group. Instead, there seems to be more focus on the underground hacktivist symbolism, which is most common among global hacker collectives such as Anonymous. Furthermore, Killnet and Black Skills-related content commonly refer to “the fatherland,” highlighting their pro-Russian and nationalistic focus and ambition to attract like-minded followers.

    3.0. Black Skills

    When Killmilk announced the ambition to develop Black Skills in March 2023, the user also posted an overall organizational structure indicating ambitions of independence from private donations and a move towards the Russian government or other pro-Russian state actors to obtain legitimacy and increase prospects for more predictable funding. However, there are no indications of Black Skills actually moving towards operative capability or any governmental funding. Killnet is likely financed through criminal activity and private donations, which will likely continue to be the case for Black Skills, at least in the early stages of developing the organization.

    3.1. Black Skills Business Structure

    Below are Killmilk’s claims of Black Skills’ 24 divisions:

    1. Support Department: provides and equips departments with everything needed to work in an organization, including devices, special equipment, and other application devices.

    2. Intelligence unit: The office is responsible for extracting preliminary information using OSINT, DOX, and other cyber intelligence tools and methods.

    3. Public Relations Department: Responsible for receiving and searching for orders worldwide and working with the media.

    4. Research Center: Responsible for the development and study of all methods of influencing the target via the Internet)

    5. Personnel Department: Responsible for applying, checking, and hiring at “ChVHK BLACK SKILLS”.

    6. Security Service: Responsible for monitoring all departments. The security service will have full rights and access to all internal information.

    7. Penetration Testers Group: Penetration testing is a method of assessing the security of computer systems or networks using attack simulation of an attacker. The division will have access to client orders.

    8. Operations Group: (A staffed department of eight people to quickly respond to an urgent request to the PMC. The staff will be on duty for 12 hours under the supervision of the security service.

    9. Analytical Centre: Will work with received information and forecast situations. The centre will create proposals for organizational development and monitor cyber and large-scale incidents worldwide.

    10. Control group: Will be responsible for monitoring and tracking the implementation of assigned tasks under the supervision of the security service.

    11. Assault squad: Will be in direct contact with the target to eliminate it. The team will have a separate hotline with the PMC operator for quick requests or transfer of information.

    12. Investor Relations Department: Will create and accept investor proposals, enter contracts and do accounting.

    13. Accounting: Will have access to information about purchases with the right to request information from the commander for any detachment and will be responsible for staff salaries.

    14. Training Centre: Will be responsible for personnel training after registration.

    15. Technical Department: The department will consist of a team of IT specialists to maintain and support PMC devices.

    16. Sabotage Squad: Will be responsible for global “creating disinformation and escalation” using network technology.

    17. Operational Group ALPHAm65: Will conduct information and psychological operations on the territory of hostile countries, including demonstrations, processions, swatting, fake mining, and more.

    18. Network Battalion Black Skills “NBBS”: Will consist of black hackers that report only to the head of the organization.

    19. Anti-fraud Department: Will manage applications, track crypto transactions, collect information, identify criminals, and transmit data to law enforcement agencies.

    20. Business Centre: Will primarily work with advertising.

    21. Main Archive: Will primarily work with collecting information on the implementation of PMC tasks and gathering public and private information related to database leaks from around the world.

    22. Knowledge Centre: Will give classes and lectures to improve the skill set of personnel.

    23. Polygon: The place for testing new ways of influencing the network, working under the supervision of the research centre and training centres’ supervision.

    24. Headquarters of PMC Black Skills.

    3.2. Key Figures

    It is difficult to assess who will emerge as key figures in Black Skills from openly available information. However, as of now, Killmilk will likely proceed as a leading figure in further developing the organization.

    3.3. Recruitment

    Openly accessible information suggests that Black Skills will primarily recruit from channels similar to Killnet, i.e., mainly from Telegram. Russian hacktivist collectives and groups generally differentiate themselves from Western counterparts in their use of Telegram compared to Twitter and other social media.

    4.0. Tactical-Operational Information

    Between March 2022 and early February 2023, Killnet claimed about 90 attacks (mostly DDoS on websites) against organizations in Europe and North America (source).

    The group is very active on its social media channels which has brought them a large follower base of clusters of like-minded hacktivist groups that share and act on common objectives. Prominent members of the cluster include UserSec, Anonymous Russia, Infinity Hackers Group, BEAR.IT.ARMY, Akur Group, Passion Group, SARD, National Hackers of Russia, and more recently, the New Anonymous Sudan.

    4.1. Operational Focus

    Drawing from the operational focus of Killnet and groups operating under the Killnet umbrella, it is likely that the main focus of Black Skills will be per Russia’s broader geostrategic objectives. For now, such focus will highly likely be targets in Ukraine and organisations in countries that support Ukraine in the ongoing war. The group’s pro-Russian loyalty indicates incentives to continue conducting disruptive operations such as DDoS attacks and information operations following the general behaviour of pro-Russian hacker groups.

    4.2. Tactics

    If Black Skills becomes operational, it will likely conduct operations using tactics with a relatively limited impact on national security. This assessment is purely based on pro-Russian hacker groups’ earlier and current behaviour and their limited resources. However, if Black Skills develops into the cyber PMC, which is the outspoken ambition, such resources may increase. The organization will likely enjoy more contract-based and predictable funding and gain an increasing platform for recruiting skilled personnel.

    5.0. The Future of Black Skills

    It is unclear whether the group will completely replace Killnet’s collective of pro-Kremlin hacktivist groups or if it is just an attempt to capitalize on their gains over the last year and restructure where the rebranding serves as a recruitment campaign of more skilled personnel. Furthermore, it may be an attempt to attract further the Russian government’s attention and support to enable more sophisticated operations.

    In general, Killnet’s capabilities have often brought limited impact followed by exaggerated claims of their significance. That said, the establishment of Black Skills likely follows the same pattern and, as of now, does not pose any real threat but is most likely an attention-seeking attempt to gain support and media coverage.

    6.0. Conclusion

    Information on Black Skills is currently scarce, which calls for caution. However, drawing from openly available data, Black Skills’ operational status should be monitored and further analysed without raising the alarm. Such measures are likely one of the objectives behind Killmilk’s announcement in March 2023. Currently, the organization does not constitute any real threat. Still, it may be able to do so soon, depending on the response from pro-Russian actors ranging from nation-states to skilled individual hackers.

    Oscar Rosengren
    Oscar Rosengren
    Oscar Rosengren is a student at the Swedish Defence University in Stockholm. His main focus area is the Sahel Region and West Africa. Specific interests are asymmetric threats, mainly terrorism, covert action, and cyber threats.

    Table of contents


    Get the weekly email from Grey Dynamics that makes reading intel articles and reports actually enjoyable. Join our mailing list to stay in the loop for free!

    Related contents

    Learn to create professional videos and have fun in the process of creating videos.
    Video Review And Collaboration.
    Get Started
    Subscribe to our Free Newsletter!