Full Report
Orange Cyberdefense found that hacktivist gang Noname has almost exclusively targeted European countries since March 2022, with no attacks impacting the US
Analysis Summary
# Threat Actor: Noname
## Attribution & Identity
Pro-Russian hacktivist gang.
**Known Aliases and Associated Groups:** Noname057(16) (implied by research context). Part of the current 'Establishment' era of hacktivism (post-2014) characterized by alignment with nation-state objectives, specifically those supporting Russian interests, though no direct strategic relationship with the Russian government has been established.
## Activity Summary
Since March 2022, Noname has claimed over 6,600 attacks. The group is highly reactive to geopolitical events, defining its operational cadence based on real-world occurrences. Recent examples include:
* A spate of attacks against targets in Spain following the arrest of suspected members in July 2024.
* DDoS attacks on Belgian institutions in October 2024 in support of Belgian farmer protests.
* DDoS attacks against numerous UK councils in late October 2024, claimed as retribution for British military support for Ukraine.

The group aims to use technical disruptions to manipulate public opinion, destabilize confidence in Western institutions, and push pro-Russian narratives on platforms like Telegram and X (formerly Twitter).
## Tactics, Techniques & Procedures
- **Primary TTP:** Distributed Denial of Service (DDoS) attacks against "symbolic" European entities.
- **Operation Technique:** "DDoSia" – declaring targets publicly and soliciting volunteers to boost attack traffic volume.
- **Collaboration:** Overlap and cooperation with financially motivated cybercriminals.
- **Incentivization:** Offering cryptocurrency payments to volunteers assisting with attacks.
- **Targeting OT:** Credited with 23% of the 'Category 2' attacks observed against Operational Technology (OT) systems, aiming for significant disruption without the constraints nation-state actors face.
- **MITRE ATT&CK IDs:** Not explicitly provided in the source text.
## Targeting
- **Sectors:** General services, government/public sector entities, and critically, Operational Technology (OT) systems in manufacturing, energy, healthcare, and transportation (Category 2 incidents).
- **Geography:** Almost exclusively European nations. 96% of targets included Ukraine, Czech Republic, Spain, Poland, and Italy. The group has not targeted the US during this period, possibly to avoid attention from US authorities.
- **Victims:** Symbolic European entities, UK councils, Spanish entities, and Belgian institutions.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed, but leverages DDoS capabilities enhanced by volunteers.
- **Infrastructure:** Relies on public declaration of targets for mobilization. No specific C2 servers, domains, or IPs were provided in the source text.
## Implications
Noname represents the 'Establishment' era of modern hacktivism, whose activities closely mirror state interests, though without formal ties. Their public nature, use of crowdsourced volunteerism ("DDoSia"), and willingness to target critical OT infrastructure make them a significant disruptive force against Western stability and essential services, potentially escalating tensions in specific sectors where nation-states might exercise restraint.
## Mitigations
- Enhanced monitoring and resilience planning for DDoS attacks, including traffic scrubbing capabilities.
- Specific defense preparations for OT environments, which hacktivists appear increasingly willing to target destructively.
- Monitoring public platforms (Telegram, X) for pre-attack announcements or calls for volunteer mobilization to preemptively defend declared targets.
- Security teams should be aware of the group's reaction patterns to geopolitical events or domestic law enforcement actions affecting their members.