International Law Enforcement Delivers Major Blow to Pro-Russian Hacker Group NoName057(16)
Operation Eastwood, a significant international law enforcement initiative coordinated by Europol and Eurojust, has successfully disrupted the pro-Russian hacktivist group NoName057(16). This joint effort, carried out between July 14 and 17, saw simultaneous actions by law enforcement and judicial authorities from over a dozen countries, including Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States. The operation also received support from ENISA, Belgium, Canada, Estonia, Denmark, Latvia, Romania, Ukraine, and private cybersecurity firms ShadowServer and abuse.ch, highlighting the broad collaboration necessary to combat such cyber threats.
The impact of Operation Eastwood on NoName057(16) was substantial, leading to the disruption of their extensive infrastructure.
Over 100 computer systems and key central servers used by the group were taken offline, severely crippling their operational capabilities. Authorities issued a total of seven arrest warrants, with six targeting Russian nationals, two of whom are identified as the primary instigators of the group’s activities. These suspects are now internationally wanted, with five prominently featured on the EU Most Wanted website. Beyond arrests and infrastructure takedowns, the operation also included a significant outreach effort: hundreds of the group’s supporters were directly warned via messaging applications about their potential legal liabilities for participating in or aiding the group’s Distributed Denial of Service (DDoS) attacks.
Operation Eastwood’s operational phase resulted in tangible actions against the group’s members and enablers. Two arrests were made, one in France and another in Spain. Furthermore, law enforcement conducted 24 house searches across multiple countries, including Czechia, France, Germany, Italy, Spain, and Poland, gathering crucial evidence. Thirteen individuals were questioned as part of the ongoing investigation. In a broader move to deter future involvement, over 1,000 supporters, including 15 identified as administrators, received direct notifications about their legal responsibilities, underscoring the severity with which international authorities view participation in such cyber activities.
NoName057(16) has been a persistent threat, known for escalating DDoS attacks against nations that support Ukraine, many of which are NATO members.
Since 2023, the group has targeted a wide array of entities, including Swedish government and banking sites and over 250 German entities across 14 attack waves, and has caused disruptions during high-profile events in Switzerland, such as the Ukraine Peace Summit. The group was also linked by Dutch authorities to an attack during a recent NATO summit. While these attacks aimed to cause significant disruption, proactive defensive measures and rapid response by targeted organizations have largely mitigated the impact, preventing major service interruptions.
The group’s operational model relies heavily on a large base of over 4,000 supporters and a self-built botnet comprising hundreds of servers. NoName057(16) actively spreads its propaganda and recruits new members through various online channels, including social media, forums, and niche chat applications. They leverage tools like “DDoSia” to lower the technical barrier for participation, making it easier for individuals to contribute to their attacks. A key element of their recruitment strategy involves gamification, where participants are paid in cryptocurrency and incentivized through game-like dynamics such as leaderboards, shout-outs, and badges, fostering a sense of status and involvement. This manipulative approach, often targeting younger individuals, is reinforced by a narrative that frames their actions as defending Russia or avenging political events.