A Pro-Russian cybercrime group named NoName057(16) is actively launching distributed denial-of-service (DDoS) attacks against organizations in Ukraine and NATO countries.
Also known as NoName05716, 05716nnm or Nnm05716, the threat actor has been supporting Russia’s invasion of Ukraine since March 2022, launching disruptive attacks against government and critical infrastructure organizations.
To date, the group has launched DDoS attacks against government, military, telecommunications, and transportation organizations, as well as media agencies, suppliers, and financial institutions in Ukraine, Czech Republic, Denmark, Estonia, Lithuania, Norway, and Poland.
According to cybersecurity firm SentinelOne, the group focused on Ukrainian news websites at first, but later shifted attention to NATO-associated targets, aiming to silence what it deems to be anti-Russian.
NoName057(16) uses a Telegram channel to claim responsibility for disruptions, justify its actions, make threats, and mock targets. The group, SentinelOne says, “values the recognition their attacks achieve through being referenced online”.
The threat actor was also seen abusing GitHub to host tools advertised on their Telegram channel, including the DDoS tool DDOSIA, a multi-threaded application that has both Python and Golang implementations.
GitHub promptly removed the NoName057(16)-associated accounts and repositories after being informed about the nefarious activity.
Some of the most recent incidents attributed to the group include the targeting of the Polish government in December 2022, attacks on Lithuanian organizations (mainly cargo and shipping firms) in January 2023, and hits on Danish financial institutions.
This week, the group was seen attempting to disrupt the 2023 Czech presidential elections, taking place January 13-14.
“Specific targets include domains for candidates Pavel Fischer, Marek Hilšer, Jaroslav Bašta, General Petr Pavel, and Danuše Nerudová. Additionally, the Ministry of Foreign Affairs of the Czech Republic website was also targeted at the same time,” SentinelOne notes.
Throughout 2022, the group has been observed employing various tools for carrying out attacks, including Bobik-infected systems, which are ensnared in a botnet. According to SentinelOne, however, NoName057(16) “appears to primarily seek participation voluntarily through their DDOSIA tool”.
“NoName057(16) is yet another hacktivist group to emerge following the war in Ukraine. While not technically sophisticated, they can have an impact on service availability– even when generally short lived. What this group represents is an increased interest in volunteer-fueled attacks, while now adding in payments to its most impactful contributors,” SentinelOne concludes.
Related: Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine
Related: Ukraine’s Delta Military Intelligence Program Targeted by Hackers
Related: New ‘Prestige’ Ransomware Targets Transportation Industry in Ukraine, Poland
