Full Report
Over a dozen law enforcement agencies took action earlier this week, resulting in multiple arrests. Source: CyberScoop, "Pro-Russian DDoS group NoName057(16) disrupted by international law enforcement operation".
Analysis Summary
# Threat Actor: NoName057(16)
## Attribution & Identity
Pro-Russian hacktivist group. Identified as mobilizing an estimated 4,000 members. Two primary operators were identified as residing in Russia.
## Activity Summary
NoName057(16) has conducted Distributed Denial-of-Service (DDoS) attacks across Europe and Israel since early 2022. Activities are politically motivated, chosen based on significant political events. Initial targets were websites in Ukraine, later expanding to NATO countries and organizations supporting Ukraine. Attacks were observed coinciding with the European elections and major political events such as the Ukrainian president’s speech to the Swiss parliament and the NATO summit in the Netherlands. The group was recently the target of "Operation Eastwood," an international law enforcement effort that disrupted over 100 servers worldwide, led by Europol and Eurojust with participation from 12 countries. This operation resulted in two arrests, seven international arrest warrants, and 24 house searches.
## Tactics, Techniques & Procedures
- Initiated Distributed Denial-of-Service (DDoS) attacks.
- Orchestrated coordination and recruitment through Telegram channels, specialized forums, and messaging applications to distribute attack tools, tutorials, and plans.
- Employed gamification techniques (leaderboards, badges, cryptocurrency rewards) for member retention and motivation, specifically targeting younger individuals.
- Utilized the open-source "DDoSia" platform.
- Leveraged a botnet comprising several hundred servers to execute attacks.
- Members downloaded malware enabling them to contribute computing resources to coordinated attacks.
- Active contributors received financial incentives in cryptocurrency.
(MITRE ATT&CK IDs were not explicitly mentioned in the source text.)
## Targeting
- Sectors: Government and financial services; Swedish government agencies and bank websites were specifically mentioned as targets during the European elections.
- Geography: Countries across Europe and Israel.
- Victims: Entities in countries that support Ukraine; Swedish government agencies; bank websites.
## Tools & Infrastructure
- Malware families used: No family name is given in the source beyond the "DDoSia" platform; members downloaded a client that contributed their machines' computing resources to coordinated attacks.
- Infrastructure (C2, domains, IPs): A botnet comprising several hundred servers; no specific domains or IP addresses are given in the source. Over 100 servers worldwide were disrupted by Operation Eastwood.
## Implications
This actor represented a significant, organized hacktivist threat that used recruitment through messaging platforms and gamification to motivate thousands of volunteers for politically motivated, disruptive DDoS operations against NATO-aligned nations and supporters of Ukraine. The successful international disruption operation highlights effective cross-jurisdictional cooperation against politically motivated disruptive cyber activity.
## Mitigations
- Monitor Telegram channels, specialized forums, and messaging applications for attack planning and recruitment efforts.
- Implement robust DDoS mitigation strategies across governmental and banking infrastructure, especially during politically sensitive periods.
- Provision capacity and segment networks so that a large-scale traffic overload against public-facing web fronts (for example, upstream scrubbing, CDN or anycast fronting, and rate limiting at the edge) does not degrade internal services that share the same links or hosts.
- Law enforcement cooperation to identify and arrest key operators and disrupt command-and-control infrastructure (as demonstrated by Operation Eastwood).
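The mitigation bullets above are necessarily generic. One concrete detection a defender can run against ordinary web access logs is a sliding-window request-rate check. The example below is added here and is not code from CyberScoop, from NoName057(16), or from the DDoSia tool; it assumes an HTTP-layer flood recorded in Common Log Format (the source does not specify the flood type), and the thresholds, IP addresses and log lines are constructed for illustration. It checks two things: a per-source limit, which catches a single loud client, and a global limit over the trailing window, which catches the failure mode a volunteer botnet creates, where thousands of members each send a modest number of requests and no single source ever trips the per-IP threshold.

```python
"""Sliding-window HTTP flood detection over web access logs.

Added example; not from the CyberScoop article, NoName057(16) or DDoSia.
Assumptions (illustrative): Common Log Format input, 10 s window,
per-IP limit of 50 requests, global limit of 200 requests.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into (epoch_seconds, ip, path); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return ts, m["ip"], m["path"]


def detect_flood(lines, window_s=10, per_ip_limit=50, global_limit=200):
    """Return (noisy_ips, global_alert_times).

    noisy_ips: sources that exceeded per_ip_limit requests inside any window_s span.
    global_alert_times: ISO timestamps at which the total request count in the
    trailing window first exceeded global_limit (one alert per episode).
    The global check is what catches a distributed flood whose individual
    sources each stay under the per-IP limit.
    """
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    per_ip = defaultdict(deque)
    all_req = deque()
    noisy, global_alerts = set(), []
    in_global_episode = False
    for ts, ip, _path in events:
        q = per_ip[ip]
        q.append(ts)
        while q[0] < ts - window_s:      # drop requests older than the window
            q.popleft()
        if len(q) > per_ip_limit:
            noisy.add(ip)
        all_req.append(ts)
        while all_req[0] < ts - window_s:
            all_req.popleft()
        if len(all_req) > global_limit:
            if not in_global_episode:
                global_alerts.append(datetime.fromtimestamp(ts, timezone.utc).isoformat())
                in_global_episode = True
        else:
            in_global_episode = False
    return noisy, global_alerts


def make_sample_log():
    """Constructed sample log: quiet baseline, one loud client, then a spread-out flood."""
    base = datetime(2025, 7, 16, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # Baseline: 5 clients, one request every 2 s for 60 s (well under both limits).
    for t in range(0, 60, 2):
        for c in range(1, 6):
            lines.append(line(f"10.0.0.{c}", t, "/index.html"))
    # Loud client: 60 requests from one address inside 4 s (trips the per-IP limit).
    for i in range(60):
        lines.append(line("203.0.113.9", 100 + i % 4, "/search"))
    # Spread flood: 150 addresses, 2 requests each within 5 s (300 total; each
    # source is under the per-IP limit, so only the global check fires).
    for h in range(1, 151):
        lines.append(line(f"198.51.100.{h}", 200, "/login"))
        lines.append(line(f"198.51.100.{h}", 205, "/login"))
    return lines


def run_example():
    """Run the detector over the constructed log and return its findings."""
    return detect_flood(make_sample_log())


if __name__ == "__main__":
    noisy, alerts = run_example()
    print("per-IP offenders:", sorted(noisy))
    print("global flood alerts:", alerts)
```

In production the same two checks would run on the edge (reverse proxy, WAF or CDN rate-limit rules) rather than on archived logs, and the per-IP component should be keyed on the real client address behind any proxy. The design point is the second check: volunteer-driven floods are specifically shaped to look like many ordinary clients, so a defence that only blocks individual heavy hitters will miss them.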