Active DDoS threat against New Zealand government and critical infrastructure organisations

Published by CyberCX Intelligence on 20 June 2025

Pro Russia ideologically motivated threat actor, ServerKillers, has now executed on their threat to target New Zealand organisations, which they claim is a response to the New Zealand Government’s position on the Russia-Ukraine conflict

Key Points

• On 19 June 2025, ServerKillers claimed to have taken offline eight New Zealand airport websites including Aukland, Christchurch and Queenstown airports.
• This followed ServerKiller’s 15 June 2025 post announcing its intent to target New Zealand organisations due to the New Zealand Government’s support for Ukraine.
  • ServerKillers named targets including the Ministry of Foreign Affairs and Trade, Ministry of Transport, New Zealand Defence Force, Civil Aviation Authority and the govt.nz website.
• CyberCX Intelligence assesses this campaign has increased the incidence of DDoS activity against New Zealand organisations, and the threat of further DDoS attacks against government and critical infrastructure organisations will highly likely remain elevated for at least the next seven days.
• CyberCX Intelligence continues to recommend that all New Zealand and Australian organisations review and test their DDoS protection levels and the security of public-facing assets including websites, as ideologically motivated targeting can occur with little warning.

ServerKillers’ campaign

• On 19 June at 2024 hr NZT, ServerKillers posted the following on their Telegram channel.[1]

• CyberCX Intelligence notes that several airport sites listed in the ServerKillers post appeared to be suffering ongoing degraded service as late as 20 June 0000 NZT and others have blocked scanning originating from host checking sites such as check-host.net.
• On 15 June at 1718 hr NZT, ServerKillers posted the below on their Telegram channel, announcing its intent to target New Zealand organisations due to the New Zealand Government’s support for Ukraine, including New Zealand’s extension of “$6.5 million for weapons and ammunition.”

• CyberCX Intelligence is aware that threat actors frequently use point-in-time links to host checking services, such as check-host.net, to inflate the appearance of efficacy of their attacks, which may be only momentary. It is also common for administrators to block services like check-host from scanning their websites, potentially further boosting threat actor claims.
• CyberCX Intelligence assesses the ServerKillers campaign has increased the incidence of DDoS activity against New Zealand organisations. The threat of further DDoS attacks against government and critical infrastructure organisations will highly likely remain elevated for at least the next seven days.
  • ServerKillers may pivot to other sectors, including airlines, ports, financial services or energy.
  • The ServerKillers campaign may increase targeting of New Zealand organisations by other pro-Russia threat actors, given ServerKillers’ alliance and relationship with these actors.
  • Given ServerKillers has invested in reconnaissance to identify the domains of the organisations listed in their two posts, these organisations may be retargeted by ServerKillers or other ideologically motivated actors in future campaigns.
• CyberCX continues to assess high profile Australian and New Zealand organisations are a likely target for pro-Russia hacktivists. During periods when Australia and New Zealand are supplying additional military aid to Ukraine, the likelihood of pro-Russia hacktivist targeting will temporarily, but significantly, increase.

Background on ServerKillers

• ServerKillers are a pro-Russia ideologically motivated threat actor group which primarily conducts DDoS attacks against organisations supporting Ukraine. However, it also has pro-Palestinian and anti-NATO sentiments. ServerKillers has claimed to conduct targeting of government, finance, airports, and energy organisations in multiple countries worldwide, including Italy, Lithuania, Poland and Israel.
  • ServerKillers has also previously claimed hack-and-leak attacks, with limited evidence.
• ServerKillers likely works with other pro-Russia hacktivist groups, including the notorious NoName057(16) and Russian CyberArmy. It declared an alliance with these groups in 2024 and may conduct activity in concert with these organisations.
• ServerKillers appears to maintain a DDoS-as-a-tool capability known as Kraken. Kraken claims to have the following capabilities:

• CyberCX Intelligence assesses that, given ServerKillers’ alliance and work with other pro-Russia ideologically motivated groups, ServerKillers likely has a moderate capability to conduct disruptive action. We have observed its allied partners, particularly NoName057(16), conducting significant malicious activity against Australian organisations in the past.

Recommendations

• The organisations listed in the ServerKillers’ posts should actively prepare for ongoing DDoS activity, and other New Zealand government and critical infrastructure organisations should be aware of the potential for expansion of the campaign to target their networks.
• We continue to recommend that all New Zealand and Australian organisations review and test their DDoS protection levels and the security of public-facing assets including websites.
• All New Zealand organisations should adopt a position of heightened readiness and awareness, including:
  • Implementing temporary heightened monitoring or additional controls.
  • Ensure surge capacity operational teams are on standby to reduce the potential impact of an attack.
• Additional recommendations can be found from CERT NZ (Preparing for denial-of-service incidents | CERT NZ and Mitigating denial-of-service attacks | CERT NZ) as well as the Australian Cyber Security Centre (Preparing for and responding to denial-of-service attacks | Cyber.gov.au).

[1] Source: hxxps://t[.]me/xServerKillers/88