Pro-Russian Group Targets Organizations in Ukraine and NATO Countries with DDoS Attacks
NoName057(16) Is Staying Active and Busy.
Last updated on January 16, 2023
Pro-Russian group NoName057(16) continues to wreak havoc. Cybersecurity experts discovered that the group is behind a wave of DDoS attacks against organizations based in Ukraine and NATO countries.
The attacks started in March 2022, and since then governmental and critical infrastructure organizations have been targeted.
The Activity of the Group
According to SecurityAffairs, the gang disrupted services in Denmark’s financial sector this week. Previous attacks by the group targeted businesses and organizations in Poland, Lithuania, and other countries.
Poland’s security service issued a warning at the beginning of this month about pro-Russian hackers who have been regularly targeting the nation since the start of the invasion of Ukraine. The agency pointed to the attack on the Polish parliament in November, which was attributed to the pro-Russian group NoName057(16).
Cybersecurity researchers observed the group targeting the websites of candidates in the 2023 Czech presidential election. By monitoring the group’s Telegram channels, researchers identified its operations and way of working, as well as a volunteer-fueled DDoS payment program and a toolkit that supports multiple operating systems.
How Does The Organization Operate?
The organization uses GitHub for its operations, including hosting the DDoS tool website dddosia.github[.]io (DDOSIA) and the corresponding GitHub repositories that hold the most recent versions of its tools, which are promoted in the Telegram channel. Two GitHub profiles, dddosia and kintechi341, were discovered by the experts. Early contributions to the DDoS config repository were made under the username “Рoман Омельченко”. After receiving reports from cybersecurity experts, GitHub deleted the accounts.
The bulk of the group’s C2 infrastructure was hosted on the network of the Neterra telecom provider in Bulgaria. Experts have also observed the threat actors using No-IP Dynamic DNS services. The current C2 server is still operational and is located at 184.108.40.206, reachable as zig35m48zur14nel40[.]myftp.org.
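Because the group resolves its C2 through a No-IP dynamic DNS hostname, a DNS resolver or proxy log is a practical place to spot it. The following is an added detection example, not code from the article or from any vendor: it scans a constructed, space-separated DNS log (an assumed format of timestamp, source IP, query name, answer IP) for the article’s indicators and for resolutions under common No-IP zones (the zone list is an assumption to be replaced by your own threat intel).

```python
import re

# Indicators taken from the article (shown defanged there); everything else is assumed.
KNOWN_C2_HOSTS = {"zig35m48zur14nel40.myftp.org"}
KNOWN_C2_IPS = {"184.108.40.206"}
# Dynamic DNS zones offered by No-IP (assumed list; extend from your own threat intel).
DYNDNS_ZONES = ("myftp.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")

# Assumed log format: "<timestamp> <src_ip> <query_name> <answer_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(query, answer):
    """Return a severity label for one DNS resolution, or None if nothing matched."""
    q = query.lower().rstrip(".")
    if q in KNOWN_C2_HOSTS or answer in KNOWN_C2_IPS:
        return "known-c2"
    if any(q == zone or q.endswith("." + zone) for zone in DYNDNS_ZONES):
        return "dynamic-dns"
    return None


def scan(lines):
    """Return (severity, src_ip, query, answer) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _, src, query, answer = m.groups()
        severity = classify(query, answer)
        if severity:
            hits.append((severity, src, query, answer))
    return hits


# Constructed sample log: one benign lookup, one hit on the article's C2, one dynamic DNS lookup.
SAMPLE_LOG = """\
2023-01-16T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34
2023-01-16T10:00:02Z 10.0.0.7 zig35m48zur14nel40.myftp.org 184.108.40.206
2023-01-16T10:00:03Z 10.0.0.9 update.somehost.ddns.net 198.51.100.20
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "dynamic-dns" hit is only a lead for triage, since legitimate home and lab hosts use the same zones; a "known-c2" hit on the published hostname or IP warrants immediate blocking and investigation of the source host.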
Security researchers warn that while the group is not “technically sophisticated”, its actions can “have an impact on service availability – even when generally short-lived”. The group reflects a growing interest in volunteer-fueled attacks.
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his ability to communicate cybersecurity norms effectively and in an easy-to-understand manner.