Mayank Sahariya

Jul 30, 2023

Inside the World of NoName057(16): Unmasking the Notorious DDoS Hackers


Executive Summary:

The Russia-Ukraine conflict has had a significant impact on the cyber threat landscape since February 2022, giving rise to a large number of new threat actors and to the growing popularity of "cyber armies" on both sides. One of the most well-known groups, NoName057(16), has been actively launching DDoS attacks against Western institutions and companies since March 2022. These attacks are carried out by pro-Russian hacktivists who either donate their own bandwidth or use bandwidth stolen from other companies by hackers. They frequently attack high-profile organizations, including large commercial banks, institutions, military facilities, and government agencies.

Falconfeeds.io has been conducting investigations to shed light on the behaviour of the notorious NoName057(16) hacker group and to help identify its true motives. The group has been launching DDoS attacks against the critical infrastructure of numerous countries and organizations.

Key Features:

  • NoName057(16) developed and uses the Distributed Denial of Service (DDoS) attack toolkit known as DDoSia to target nations opposed to Russia's invasion of Ukraine.
  • NoName057(16) has launched around 5200+ DDoS attacks, according to our experts.
  • NoName057(16) is mostly involved in DDoS attacks and posts links to Check-host.net in its Telegram group as evidence of attacks.
  • Three hosting companies, MIRhosting, Stark Industries, and Severastra-as, Hu, provide the majority of the DDoS attack infrastructure used in NoName057(16) campaigns.
  • Switzerland, Spain, Lithuania, Poland, and Ukraine have been the most targeted countries over the past two months.
  • Transportation & logistics, banking, government administration & public sector, and airlines & aviation have been the most targeted industries over the past two months.
  • Entities with infrastructure located in Spain, Czechia, Denmark, Estonia, Germany, Slovakia, and Slovenia have recently been targeted.

Who is NoName057(16)?

NoName057(16) uses Telegram as a platform to claim responsibility for its various attacks, taunt its targets, issue threats, and attempt to justify its collective actions. Interestingly, the group also takes an educational approach, providing followers with informative content such as advanced PC protection and the security of voice recognition systems.

However, NoName057(16)'s overall engagement on Telegram has gradually decreased over time. Its audience reach peaked in July 2022 at 14400+ viewers. The drop since then suggests that the group is becoming less relevant, both to its adherents and to the wider Telegram user base.

This declining interest could be partly explained by the existence of various other hacktivist groups that have attracted more attention and are having a bigger impact in pursuit of their goals. As a result, NoName057(16) faces competition and finds it harder to retain the same level of influence and engagement with its audience.

Image shows the graph of NoName057(16) Telegram channel viewer counts

The group updates its followers not only on its attacks but also on various topics such as the security of speech recognition technology and advanced PC security.

image shows noname057(16)'s content on advanced PC security & security of speech recognition technology

Emergence of NoName057(16):

Since March 2022, NoName057(16), also known as NoName05716, 05716nnm, or Nnm05716, has sided with Russia against Ukraine alongside KILLNET and other pro-Russian groups such as Zarya and Xaknet.

image of noname057(16)'s profile

NoName057(16) has been active since 11th March 2022.

image of noname057(16)'s channel creation date

Motivations and Objectives:

The NoName057(16) group uses Distributed Denial of Service (DDoS) attacks as its main means of operation, with the aim of disrupting websites of countries that oppose Russia's invasion of Ukraine. Its initial targets were primarily Ukrainian news websites, but it eventually shifted its focus to organisations connected to NATO. A noteworthy episode was the group's alleged responsibility for the March 2022 DDoS attacks on news and media websites in Ukraine, including Zaxid, segodnya.ua and Fakty UA, among others. The underlying goal of these activities is the suppression of voices the group considers anti-Russian.

image shows noname057(16)'s initial targets

Manifesto of NoName057(16):

Despite operating since March 2022, the group only made its manifesto public in July of the same year. In the manifesto, the group justifies its actions as a reaction to those who have shown overt hostility towards Russia, claiming to possess the power and expertise to restore justice. It explicitly states that its motivations are not financial and expresses a willingness to collaborate with like-minded collectives. Emphasizing the significance of truth, the manifesto presents it as a source of strength for the group.

image shows noname057(16)'s manifesto

Profile Analytics:

According to data acquired from TGStat.ru, the group's engagement rate by reach (ERR) is increasing again, showing renewed interest in it, despite the fact that the group lost some traction around January and March.

image shows noname057(16)'s engagement rate by reach

Prominent Telegram channels and groups that disseminate content related to NoName057(16) on their platforms.

image shows contents of noname057(16) shared by different groups

DDoSia project backed by NoName057(16):

The pro-Russian hacktivist group NoName057(16) developed and uses the Distributed Denial of Service (DDoS) attack toolkit known as DDoSia to target nations opposed to Russia's invasion of Ukraine. In addition, the group hosts its DDoS tool website, dddosia.github[.]io, for free on GitHub Pages, and hosts the most recent versions of its tools in the corresponding GitHub repositories, which are linked from its Telegram channel advertisements.

image shows NoName057(16)'s DDoSia project on GitHub

The DDoSia project was launched on Telegram early in 2022. By July 2023, NoName057(16)'s primary Telegram channel had more than 48,000 subscribers, while the DDoSia project channels had more than 10,800 subscribers. The administrators introduced the option of cryptocurrency payments for users who have a valid TON wallet, scaled according to their contributions to the DDoS attacks, and published guidelines for potential volunteers interested in taking part in the initiatives.

image shows DDoSia project's profile info

DDoS Attack Types:

DDoSia bots currently support four types of DDoS techniques:

HTTP [L7]: This technique involves generating classical HTTP GET/POST requests with advanced customization and request randomization capabilities. Bots can receive precise HTTP request patterns and customize them with host-based random variables, making the DDoS traffic blend better with legitimate traffic.

nginx_loris [L7]: Nginx Loris is a specific DDoS attack targeting web servers running Nginx software. It employs a slow-rate attack strategy to overwhelm the server's resources by establishing multiple connections and sending partial HTTP requests. Exploiting the way Nginx handles incoming HTTP requests, the attack leaves open connections by sending partial HTTP requests and gradually adding more headers over time, a technique known as slowloris. As more connections are established and kept open, the server's resources become overwhelmed, hindering legitimate users' access to the service.

HTTP2 [L7]: Similar to the HTTP module, this technique leverages the modern HTTP/2 protocol for DDoS attacks.

TCP [L4]: This classic technique involves TCP-SYN flooding support, where bots forge TCP segments with the SYN flag activated and randomly spoofed source addresses, along with randomized source ports.

image shows NoName057(16)'s DDoS attack types

One month after the DDoSia project's debut, the administrator released an update on the monetary rewards for the top contributing attackers. The top attacker would receive 80,000 rubles (about $1,240) in cryptocurrency equivalents, followed by second place with 50,000 rubles ($775) and third place with 20,000 rubles ($310). Additionally, the attackers in positions 4 through 10 would share a total of 50,000 rubles, divided in proportion to their respective number of successful attacks.

image shows noname057(16)'s financial incentives for volunteers

Our platform Falconfeeds.io has been used to track the threat actor NoName057(16)'s attacks over the past two months, and we have determined that the group primarily targets Ukraine and NATO nations. The countries that support Ukraine in the conflict with Russia have been targeted most frequently. However, the group did not have a clear motive for its attacks; therefore, we can only assume that it will continue to target the nations that support Ukraine.

image shows NoName057(16)'s most targeted countries for the past 2 months

World map view of the countries most affected by NoName057(16)'s attacks:

image of world map view of the countries most affected by NoName057(16)'s attacks

The industries most severely impacted by NoName057(16)'s attacks over the past two months were found to be transportation and logistics, followed by banking, government and the public sector, and airlines and aviation.

image of NoName057(16)'s targeted industries

Conclusion:

Following the war in Ukraine, a hacktivist group known as NoName057(16) has emerged; despite lacking advanced technical skills, its members can still pose a threat to service availability, though for relatively long periods. What sets this group apart is its growing inclination towards volunteer-driven attacks, with the recent addition of payments to its most impactful contributors. NoName057(16) focuses solely on DDoS attacks, and there have been no observed instances of it using other attack types. However, its manifesto indicates a preference for targeting companies and organizations that express support for Ukraine or hold an "anti-Russian" stance. Hence, companies situated in NATO member countries or those supporting Ukraine and operating in the industries mentioned above (transportation and logistics, banking, government, airlines and aviation, and newspaper and journalism domains) should take proactive measures by acquiring DDoS protection services as a precaution against potential attacks from NoName057(16).

Effective DDoS Protection Essentials:

  1. Hybrid DDoS Protection: Implement a comprehensive DDoS protection solution that combines both on-premise and cloud-based protection mechanisms. This hybrid approach ensures real-time DDoS attack prevention while addressing high-volume attacks. By leveraging both on-premise and cloud resources, the system can handle large-scale attacks without saturating the network pipe.
  2. Behavioural-Based Detection: Utilize behavioural-based detection techniques to quickly and accurately identify and block anomalies caused by DDoS attacks. This approach focuses on analyzing traffic patterns and behaviour, allowing the system to differentiate between legitimate user traffic and malicious requests. Legitimate traffic is allowed to pass through while suspicious or malicious traffic is promptly blocked.
  3. Real-Time Signature Creation: Employ a system that can rapidly create and deploy real-time signatures to protect against unknown threats and zero-day attacks. Real-time signature creation ensures that the DDoS protection system can adapt to emerging threats and vulnerabilities, even if they haven't been previously identified.
  4. Cybersecurity Emergency Response Plan: Develop and maintain a dedicated emergency response plan for handling DDoS attacks. This plan should involve a team of cybersecurity experts with experience in Internet of Things (IoT) security. The team should be well-versed in detecting and mitigating DDoS attacks, as well as handling IoT outbreaks effectively.
  5. Intelligence on Active Threat Actors: Gather and analyze high-fidelity data on currently active known attackers. By monitoring and understanding the tactics, techniques, and procedures (TTPs) used by these threat actors, pre-emptive measures can be taken to protect against potential DDoS attacks. This threat intelligence allows for early identification of malicious actors and helps in building robust countermeasures.

Overall, an effective DDoS protection strategy should integrate these essential elements to ensure a proactive and comprehensive defense against DDoS attacks. The combination of on-premise and cloud-based protection, along with behavioural-based detection and real-time signature creation, offers a strong defence against various DDoS attack vectors. Additionally, having a skilled emergency response team and access to threat intelligence enhances the overall security posture, enabling organizations to better safeguard their online assets and services from DDoS threats.
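As an added illustration of the behavioural-based detection described in point 2 above, applied to the DDoSia HTTP [L7] module's randomised requests, the following Python script (written for this article, not code from NoName057(16), DDoSia or Falconfeeds.io) counts requests per source address in fixed time windows over nginx "combined" access-log lines. Because DDoSia randomises paths and parameters, a URL-based signature would miss the traffic, so the script flags sources by request rate and additionally notes when nearly every path in a window is distinct. The thresholds and the sample log lines are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Nginx "combined" access-log format; the timestamp is converted to epoch seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def find_flooders(lines, window=10, max_requests=20, min_distinct_ratio=0.8):
    """Return {ip: reason} for sources exceeding max_requests in any window-second bucket.
    A bucket in which almost every path is distinct is reported as 'rate+randomised-paths'."""
    buckets = defaultdict(list)  # (ip, bucket start) -> paths seen in that bucket
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not counted
        key = (rec["ip"], int(rec["ts"] // window) * window)
        buckets[key].append(rec["path"])
    flagged = {}
    for (ip, _), paths in buckets.items():
        if len(paths) > max_requests:
            ratio = len(set(paths)) / len(paths)
            flagged[ip] = "rate+randomised-paths" if ratio >= min_distinct_ratio else "rate"
    return flagged

def _line(ip, sec, path):
    # Builds one constructed log line at 12:00:<sec> UTC on 1 Jul 2023 (sample data only).
    return (f'{ip} - - [01/Jul/2023:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')

# Constructed sample: 203.0.113.7 sends 30 requests with randomised query strings in
# one 10 s window, 198.51.100.2 hits one URL 25 times, 192.0.2.10 is a normal visitor.
SAMPLE_LOG = (
    [_line("203.0.113.7", i % 10, f"/index.html?r={i * 7919 % 10007}") for i in range(30)]
    + [_line("198.51.100.2", i % 10, "/login") for i in range(25)]
    + [_line("192.0.2.10", i, "/about") for i in range(5)]
)
```

Running `find_flooders(SAMPLE_LOG)` flags the two flooding sources and leaves the normal visitor alone; in production the same logic would run over a log tail, with thresholds tuned to the site's baseline.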

Who is FalconFeeds.io?

The dedicated team of researchers at Technisanct continuously monitors the activities of various threat actors in the digital landscape. This involves gathering and analysing large amounts of data to uncover and understand the latest tactics, techniques, and procedures employed by these malicious entities. Our researchers regularly update and publish new findings on the Threat Actor page, accessible through the Falconfeeds.io threat intelligence platform. By providing up-to-date and relevant information about active threat actors, this resource helps organizations bolster their defences, proactively mitigate potential risks, and strengthen their cybersecurity posture against emerging threats.

https://dash.falconfeeds.io