NoName057(16)
| Other Names | 05716nnm, Nnm05716, NoName057, NoName05716 |
| Location | Russia |
| Date of initial activity | 2022 |
| Suspected attribution | Pro-Russian Hacktivist Group |
| Government Affiliation | Yes |
| Motivation | Hacktivism, Disruption |
| Associated tools | DDOSIA, Bobik Botnet |
Overview
In the ever-evolving landscape of cyber conflict, NoName057(16) stands out as a significant pro-Russian hacktivist group whose activities have increasingly targeted NATO and Ukrainian organizations. Since its emergence in March 2022, NoName057(16) has conducted a series of high-profile Distributed Denial of Service (DDoS) attacks aimed at disrupting critical infrastructure and governmental operations in countries critical of Russia’s actions. Their campaigns, which began in the early stages of the war in Ukraine, have included notable disruptions to financial sectors and political institutions across Europe.
NoName057(16) is known for its methodical approach to cyber disruption, leveraging a combination of publicly accessible tools and sophisticated techniques to carry out its operations. The group utilizes platforms such as Telegram and GitHub to coordinate attacks and disseminate their tools, including the DDOSIA malware, which has been central to their campaign. By employing a range of DDoS tactics and maintaining a dynamic Command and Control (C2) infrastructure, NoName057(16) has demonstrated a capacity to impact high-profile targets, from government websites to financial institutions.
Common targets
Ukrainian Organizations: The group initially focused on Ukrainian news websites and media outlets to disrupt the flow of information. Their attacks aimed to silence voices critical of Russia’s actions.
NATO Members: As part of their broader anti-NATO stance, NoName057(16) has conducted DDoS attacks on NATO-associated entities, reflecting their objective to undermine NATO’s operational capabilities and show support for Russian geopolitical goals.
Government and Critical Infrastructure: They have targeted government organizations and critical infrastructure sectors in various countries that are seen as supportive of Ukraine or critical of Russia. This includes attacks on Polish government websites following Poland’s recognition of Russia as a state sponsor of terrorism.
Financial Sector: Recent attacks have extended to financial institutions in Denmark, causing disruption in the financial sector. This is part of their strategy to target vital economic sectors in nations critical of Russia.
Election Candidates: They have targeted websites of Czech presidential election candidates, aiming to disrupt the electoral process and influence political outcomes in countries involved in opposing Russia.
Attack Vectors
Brute-force DDoS Attacks
How they operate
Operational Infrastructure and Tools
At the core of NoName057(16)’s operations are DDoS attacks carried out with tools distributed via GitHub. The group has developed and maintained several DDoS tools, including DDOSIA, also known as Dosia or Go Stresser, which exists in both Python and Golang implementations. These tools are designed to overwhelm target websites by flooding them with network traffic. The DDOSIA toolkit is multi-threaded and can execute attacks using several network request methods, such as HTTP GET and POST, as well as TCP SYN packets. The Python implementation is distributed as a PyInstaller package, while the Golang version supports more recent protocols such as HTTP/2.
The Bobik botnet was reported to have been used by the group for DDoS attacks, notably in September 2022, when it played a significant role in the group’s large-scale attacks.
The group’s operational infrastructure includes Command and Control (C2) servers hosted on platforms like Neterra, a Bulgarian telecommunications provider, and dynamic DNS services such as No-IP. These C2 servers play a crucial role in managing the DDoS attacks, distributing attack instructions, and collecting operational statistics. The servers are frequently updated to evade detection and maintain persistent control over the malware deployed on compromised systems.
Coordination and Recruitment
NoName057(16) leverages Telegram as a primary means of communication and coordination. Through both open and closed channels, the group not only claims responsibility for attacks but also educates and recruits volunteers. The Telegram channels serve as platforms for disseminating tools and providing operational updates. They also engage in propaganda, posting pro-Russian content and justifying their actions against perceived adversaries. This engagement has seen varying levels of success, with peak viewership in mid-2022, but a subsequent decline in engagement as other hacktivist groups gained prominence.
Volunteer-Fueled Attack Model
A significant aspect of NoName057(16)’s strategy is their use of volunteer-based botnets. The group encourages volunteers to use their DDoS tools, which amplifies the scale and intensity of the attacks. This model not only increases the number of resources available for launching attacks but also involves a system of rewards, where contributors are compensated with cryptocurrency based on their contributions. This approach effectively crowdsources the computational power needed for large-scale DDoS operations and maintains a decentralized yet coordinated attack force.
MITRE Tactics and Techniques
T1499 – Network Denial of Service: This technique involves disrupting or degrading network services, which is the core of NoName057(16)’s activities. Their primary method of attack is flooding target networks with traffic to overwhelm and disable services.
T1071.001 – Application Layer Protocol: Web Protocols: NoName057(16) uses HTTP and HTTPS protocols in their DDoS attacks. They send a high volume of requests to target web services, exploiting these protocols to conduct their attacks.
T1040 – Network Sniffing: Although not directly related to DDoS, network sniffing could be a preliminary step used by the group to gather information about their targets’ network infrastructure.
T1071 – Application Layer Protocol: This technique involves using application layer protocols to communicate with compromised systems or external systems, which is relevant for the command and control (C2) aspect of their operations.
T1082 – System Information Discovery: This technique might be used by the group to gather information about their targets before launching attacks, although it is not the primary focus.
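As an added, defender-side example (not code from this page or from any tool the group uses), the following Python script parses constructed web-server access-log lines in the common combined format and flags any client that exceeds a request-rate threshold within a sliding time window. That per-source rate, together with how concentrated a client’s requests are on a single path, is the basic signal for the HTTP GET/POST floods described under Operational Infrastructure and Tools and mapped to T1499 and T1071.001 above. The IP addresses, paths, status codes, user-agent strings and thresholds are assumptions chosen for the sample and are not indicators taken from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined access-log format (Apache/Nginx style), the common case for a web front end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def fmt(ip, t, method, path, status, ua):
    """Render one constructed log line (helper for the sample data only)."""
    return f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample: two ordinary visitors plus one source hammering /login.
    Addresses are from the RFC 5737 documentation ranges; nothing here is real traffic."""
    base = datetime(2023, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # browsing client: one request every 5 seconds
        lines.append(fmt("198.51.100.7", base + timedelta(seconds=5 * i),
                         "GET", f"/page{i % 3}", 200, "Mozilla/5.0"))
    for i in range(6):   # second client: one request every 10 seconds
        lines.append(fmt("198.51.100.8", base + timedelta(seconds=10 * i),
                         "GET", "/", 200, "Mozilla/5.0"))
    for i in range(120):  # flood source: 12 POSTs per second for 10 seconds, all to /login
        lines.append(fmt("203.0.113.10", base + timedelta(seconds=i // 12),
                         "POST", "/login", 503, "Go-http-client/1.1"))
    return lines


def detect_http_flood(lines, window_seconds=10, threshold=50):
    """Sliding-window request-rate detector keyed on client IP.

    Returns {ip: {"peak": n, "top_path": path, "path_share": fraction}} for every
    client whose request count within any `window_seconds` span reached `threshold`.
    `path_share` is the fraction of that client's requests aimed at its single most
    requested path; a value near 1.0 is typical of a flood against one endpoint.
    """
    recs = [r for r in map(parse_line, lines) if r]
    recs.sort(key=lambda r: r["ts"])  # logs from several workers may be out of order
    windows = defaultdict(deque)               # ip -> timestamps inside the current window
    peak = defaultdict(int)                    # ip -> highest count seen in any window
    paths = defaultdict(lambda: defaultdict(int))  # ip -> path -> count
    for r in recs:
        q = windows[r["ip"]]
        q.append(r["ts"])
        cutoff = r["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()
        peak[r["ip"]] = max(peak[r["ip"]], len(q))
        paths[r["ip"]][r["path"]] += 1
    flagged = {}
    for ip, n in peak.items():
        if n >= threshold:
            total = sum(paths[ip].values())
            top_path, top_n = max(paths[ip].items(), key=lambda kv: kv[1])
            flagged[ip] = {"peak": n, "top_path": top_path, "path_share": top_n / total}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_http_flood(build_sample_log()).items():
        print(f"{ip}: {info['peak']} req/10s, {info['path_share']:.0%} to {info['top_path']}")
```

The threshold and window are placeholders; in practice they are set from a baseline of the site’s normal per-client rate. A per-IP rate alone is a weak signal against a volunteer-fuelled botnet such as the one described under Volunteer-Fueled Attack Model, because the load is spread across many sources that may individually stay under the threshold, so the same sliding-window logic should also be applied to aggregate counts per path and per site, and combined with upstream rate limiting or scrubbing rather than relied on as the only control.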
Impact / Significant Attacks
Danish Financial Sector Attack (January 2023):
Details: NoName057(16) targeted major financial institutions in Denmark, including Danske Bank and Danmarks Nationalbank. The attacks aimed to disrupt financial services and operations, impacting the country’s financial sector significantly.
Impact: The attacks caused service disruptions across the Danish financial industry, affecting banking operations and financial transactions.
Polish Government Website Attack (December 2022):
Details: Following Poland’s recognition of Russia as a state sponsor of terrorism, NoName057(16) launched DDoS attacks against Polish government websites. The group’s actions were a direct response to Poland’s political stance on Russia.
Impact: The attack disrupted access to various Polish government websites, affecting official communications and online services.
Lithuanian Cargo and Shipping Sector Attack (January 2023):
Details: At the start of 2023, NoName057(16) focused its efforts on Lithuanian organizations, particularly in the cargo and shipping sectors.
Impact: The attacks targeted critical infrastructure related to shipping and logistics, potentially causing delays and disruptions in trade and transportation.
Czech Presidential Election Targets (January 2023):
Details: In the lead-up to the Czech presidential election, NoName057(16) targeted the websites of several candidates, including Pavel Fischer and Danuše Nerudová, as well as the Ministry of Foreign Affairs of the Czech Republic.
Impact: The attacks aimed to disrupt the election process and target political figures, potentially influencing public perception and election integrity.
Ukrainian News Websites (March 2022):
Details: Early in their campaign, NoName057(16) conducted DDoS attacks against Ukrainian news and media websites such as Zaxid and Fakty UA.
Impact: The attacks disrupted news dissemination and online media access, aligning with the group’s broader objective to silence voices critical of Russian actions.