Full Report
The Russian hacktivist group NoName057(16) has been active since March 2022; its goal is to launch DDoS attacks against targets it regards as anti-Russian. In November 2024, NoName057(16), together with the pro-Russian hacktivist groups Cyber Army of Russia Reborn and Alixsec, launched DDoS attacks against the websites of major South Korean government agencies. The […] The post Report on DDoSia Malware Launching DDoS Attacks Against Korean Institutions appeared first on ASEC.
Analysis Summary
# Incident Report: Coordinated DDoS Attacks Against South Korean Government Agencies
## Executive Summary
In November 2024, a coalition of Russian and pro-Russian hacktivist groups, including NoName057(16), launched coordinated Distributed Denial of Service (DDoS) attacks against major South Korean government websites. The motivation appeared to be political retaliation for statements made by South Korean officials regarding military aid to Ukraine. The attacks leveraged an automated, crowdsourced botnet tool called DDoSia, causing service disruptions across various government entities.
## Incident Details
- **Discovery Date:** November 2024 (not stated separately in the report; taken as the month of the attacks)
- **Incident Date:** November 2024
- **Affected Organization:** Major South Korean government agencies
- **Sector:** Government/Public Administration
- **Geography:** South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** November 2024
- **Vector:** Automated DDoS tool (DDoSia) run by volunteers who follow the group's Telegram channel.
- **Details:** The attackers announced targets and attack progress via Telegram. Individual volunteers downloaded the client and the files it needs (e.g., `client_id.txt`) from the threat actor's Telegram channel and executed the DDoSia client on their own machines; the aggregate traffic from these volunteer hosts is the attack.
### Lateral Movement
- *Not applicable for this specific DDoS campaign, as the primary action was volumetric/availability disruption via external attack.*
### Data Exfiltration/Impact
- **Impact:** Service disruption to various South Korean organizations. The goal was political disruption and causing social chaos through service unavailability.
### Detection & Response
- **Detection:** Incidents were likely reported by the affected agencies experiencing service outages.
- **Response Actions:** Not explicitly detailed, but implied necessary remediation for DDoS mitigation and service restoration.
## Attack Methodology
- **Initial Access:** No vulnerability is exploited. DDoSia is a "crowdsourced" tool: volunteers download a pre-compiled client and a `client_id.txt` from the group's Telegram channel and run it on their own hosts; the targets see nothing but the resulting HTTP traffic.
- **Persistence:** N/A (the client runs on the volunteer's host; nothing is installed on the target).
- **Privilege Escalation:** N/A
- **Defense Evasion:** The DDoSia client selects a random User-Agent for each HTTP request it sends, which defeats blocklists keyed on a fixed User-Agent string. It does not change the request rate, so per-source behavioural detection still applies.
- **Credential Access:** N/A
- **Discovery:** Attack targets are delivered from the Command and Control (C&C) server via the `/client/get_targets` URL once the client has authenticated.
- **Lateral Movement:** N/A
- **Collection:** Basic system information about the volunteer's host is collected during the authentication phase (`/client/login`).
- **Exfiltration:** N/A
- **Impact:** Service availability disruption via the client's supported attack methods: HTTP and HTTP/2 request floods at layer 7, with the report noting TCP SYN flooding (layer 4) in older versions.
## Impact Assessment
- **Financial:** Not quantified in the report; costs arise from service unavailability and from the mitigation effort.
- **Data Breach:** No data exfiltration confirmed; impact was focused on service denial.
- **Operational:** Disruption to the availability of major South Korean government websites.
- **Reputational:** Political signaling and demonstration of capability during heightened geopolitical tension.
## Indicators of Compromise
(Note: Since this is an external DDoS attack utilizing numerous volunteer bots, traditional internal IOCs are less relevant. The following are C&C communication artifacts and known malicious file hashes.)
- **Network Indicators (Defanged):** Command and Control (C&C) communication with the DDoSia server uses HTTP paths such as `<C&C_SERVER>/client/login`, `<C&C_SERVER>/client/get_targets`, and `<C&C_SERVER>/set_attack_count`. These are useful in egress proxy or DNS logs for spotting a host inside your own network that is running the client, not in the inbound traffic of the target.
- **File Indicators:** MD5 hashes associated with the DDoSia client binaries: `0d5cac778ec1f9a1471e0d78742d3fe9`, `161b8fcfc27636c51890a7c84644844a`, `1cd8d1073dc4e1f5c7265e6658f32544`, `2add4181b214dc516e7f7a6c74699457`, `52fb14f74ef5d0dcf89285a60d5c5a73`.
- **Behavioral Indicators:** High volume of connection attempts utilizing HTTP/HTTP2 requests, potentially showing randomized User-Agents, originating from diverse global sources (bots).
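The two observables above (a high request rate from one source and a single source presenting many different User-Agent strings) can be checked directly in web server access logs, and the C&C paths in the network indicators can be checked in egress proxy logs. The following is an added example, not code from the ASEC report or from the DDoSia client, and the log lines are constructed for the example; it assumes the common combined log format, and the host `c2.invalid` stands in for a hypothetical C&C server. The thresholds (`max_requests`, `max_agents`, `window`) are assumptions to be tuned per site. It also serves the "behavioural analysis" recommendation further down.

```python
"""Flag DDoSia-style layer-7 flood sources in combined-format access logs.

Added example (not from the ASEC report). Heuristics used:
  1. request rate per source IP in a sliding window above a threshold
  2. one source IP presenting many distinct User-Agent strings, which a
     browser session does not do but a client that randomizes the UA per
     request does
  3. for egress proxy logs: request paths matching the DDoSia C&C endpoints
     named in the report (a host doing this is running the client)
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Combined log format: ip - - [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# C&C paths listed in the report's network indicators.
C2_PATHS = ("/client/login", "/client/get_targets", "/set_attack_count")


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_flood_sources(lines, window=timedelta(seconds=10), max_requests=20, max_agents=3):
    """Return {ip: [reasons]} for sources exceeding the rate or User-Agent thresholds."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, user_agent)]
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["ts"], rec["ua"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        agents = {ua for _, ua in events}
        # Peak number of requests inside any window-long interval (two-pointer scan).
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        reasons = []
        if peak > max_requests:
            reasons.append(f"{peak} requests within {window.seconds}s")
        if len(agents) > max_agents:
            reasons.append(f"{len(agents)} distinct User-Agents from one source")
        if reasons:
            flagged[ip] = reasons
    return flagged


def find_c2_beacons(proxy_lines):
    """Return (client_ip, path) for proxy log lines whose request path is a DDoSia C&C endpoint."""
    hits = []
    for line in proxy_lines:
        rec = parse_line(line)
        if rec and urlparse(rec["path"]).path in C2_PATHS:
            hits.append((rec["ip"], urlparse(rec["path"]).path))
    return hits


# ---- constructed sample data (not real traffic) ----
UAS = [  # assumed pool of User-Agent strings a randomizing client might pick from
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/118.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
    "curl/8.2.1",
]


def _line(ip, second, path, ua):
    ts = f"12/Nov/2024:09:15:{second:02d} +0900"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def sample_log():
    lines = []
    for i in range(40):   # flood source: 40 requests in 4s, UA rotated per request
        lines.append(_line("198.51.100.7", i // 10, "/", UAS[i % len(UAS)]))
    for i in range(25):   # fast single-UA scraper: 25 requests in 5s, one UA
        lines.append(_line("192.0.2.44", i // 5, "/news", UAS[0]))
    for i in range(4):    # ordinary visitor: 4 requests over 30s, one UA
        lines.append(_line("203.0.113.10", i * 10, "/", UAS[1]))
    return lines


def sample_proxy_log():
    return [
        _line("10.0.0.23", 1, "http://c2.invalid/client/login", UAS[0]),
        _line("10.0.0.23", 2, "http://c2.invalid/client/get_targets", UAS[0]),
        _line("10.0.0.50", 3, "http://example.org/index.html", UAS[1]),
    ]


if __name__ == "__main__":
    for ip, why in flag_flood_sources(sample_log()).items():
        print(ip, "->", "; ".join(why))
    for ip, path in find_c2_beacons(sample_proxy_log()):
        print("possible DDoSia client on", ip, "contacting", path)
```

On the constructed sample the flood source is flagged on both rate and User-Agent rotation, the single-UA scraper on rate alone, and the ordinary visitor not at all; the rotation signal is what separates a DDoSia client from a fast but honest client, since the randomization described above is per request, not per session.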
## Response Actions
- **Containment measures:** Standard DDoS mitigation techniques for high-volume HTTP/HTTP2 traffic (e.g., rate limiting, traffic scrubbing, utilizing cloud-based DDoS protection services).
- **Eradication steps:** N/A (No internal persistence to eradicate).
- **Recovery actions:** Restoring affected services and reinforcing bandwidth/DDoS protection capacity.
## Lessons Learned
- **Key Takeaways:** Geopolitically motivated hacktivist groups leverage crowdsourced, automated tools (like DDoSia) that rely on social media platforms (Telegram) for real-time command and control updates and target dissemination. This shifts the threat model towards high-volume, politically-driven, distributed denial-of-service campaigns.
- **What could have been done better:** Geo-blocking of known high-risk source regions is of limited value against DDoSia, because the bots are volunteers' machines spread across many countries (the report notes diverse global sources). More effective is WAF/DDoS protection that fingerprints bot traffic by behaviour, such as request rate per source, User-Agent rotation within a single source, and repetitive request patterns, rather than by User-Agent string or origin, since the client randomizes its User-Agent.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Enhance DDoS Resilience:** Ensure edge defenses are configured to handle high-volume Layer 7 (HTTP/HTTP2) attacks, including sophisticated behavioral analysis to detect legitimate-looking but overwhelming traffic patterns.
2. **Monitor Social Media Intelligence:** Establish feeds to monitor Telegram channels and social media associated with NoName057(16) and similar groups for early warning regarding upcoming targets.
3. **Review Policy Transparency:** Audit public communications from high-ranking officials around sensitive geopolitical topics, anticipating potential retaliatory cyber activity.
4. **Investigate Cryptocurrency Rewards:** Monitor for any direct link between the threat actor's infrastructure and known cryptocurrency reward mechanisms, as this incentivizes participation.