Analysis of the Russian-Speaking Threat Actor NoName 057(16)

The report analyzes the threat actor NoName057(16). Yarix Cyber Threat Intelligence (YCTI) team has tracked the activities of this cyber-collective from its creation (early March 2022) until the month of September 2022. From the findings and the evidence collected, NoName057(16) is a Russian-speaking threat actor, whose actions are driven by ideological and political grounds, namely: Eurasianism, anti-Western ideas and the support to the Russian Federation in the ongoing conflict with Ukraine (started in February 2022). Since March 2022, NoName057(16) has conducted massive Distributed-Denial of Service (hereinafter: DDoS) attacks mainly against European governmental entities and critical infrastructures.

The threat actor has gained momentum since May 2022 in conducting DDoS campaigns against either Ukraine and European countries supporting the Ukrainian government, in particular against those countries belonging to the post-Soviet space such as Estonia, Latvia, Lithuania, Poland, Slovakia, as well as Norway and Finland. Moreover, it is worth mentioning that few attacks against other countries have been observed, namely against the United Kingdom and the United States.

NoName057(16) publicizes its campaigns in a Russian-speaking underground channel and in a mirror channel where all the contents are translated in English for non-Russian speaking members. The threat actor has also created a third group where some of its members communicate about technical aspects related to the DDoS campaigns and a fourth group where it provides instructions on how to use a custom tool, named “DDosia”, to conduct DDoS attacks.

It is also worth mentioning that the threat actor seems to cooperate with other pro-Russia cyber collectives such as Killnet and XakNet.

1. Overview of the Threat Actor NoName 057(16)
1.1. Creation of the cyber collective and ideological grounds

Since the beginning of the Russian-Ukrainian conflict in February 2022 several hacker groups on both sides have conducted cyber-attacks against the adversary’s governmental entities and critical infrastructures. Among these groups, Yarix Cyber Threat Intelligence (hereinafter: YCTI) Team has tracked and analyzed the operations of the threat actor NoName057(16) from March until September 2022. NoName057(16) is a cyber collective founded in March 2022 that conducts massive Distributed-Denial of Service (hereinafter: DDoS) attacks mainly against European countries’ governmental entities and critical infrastructures.

The threat actor has gained momentum since May 2022 in conducting DDoS campaigns against either Ukraine and European countries supporting the Ukrainian government, in particular against those countries belonging to the post-Soviet space such as Estonia, Latvia, Lithuania, Poland, Slovakia, as well as Norway and Finland. Moreover, it is worth mentioning that few attacks against other countries have been observed, namely against the United Kingdom and the United States. In addition, in September 2022 the threat actor has conducted a different kind of attack, namely a web-defacement against the Polish Railway Transport Office (in Polish: Urząd Transportu Kolejowego), whose objective was a call for protests against the Polish authorities, believed to be traitors of Poland given their support to Ukraine in the conflict with Russia and considered the Ukrainian collaboration with Nazi Germany that took place during the occupation of Poland in World War II.

NoName057(16) publicizes its campaigns in a Russian-speaking group, created in March 2022, and in a second channel, founded in August 2022, where all the contents are translated in English for non-Russian speaking members. The threat actor has also created a third group used by some of its members to communicate about technical aspects related to the DDoS campaigns and a fourth group where it provides the instructions on how to use a custom tool available on GitHub, named “DDosia”, to conduct DDoS attacks. Notwithstanding the political and ideological reasons behind the creation of the cyber collective, since September 2022 a financial reward mechanism has been established by NoName 057(16), through which members that successfully conduct DDoS attacks and whose rank figures among the top-ten list, will receive a financial reward.

As declared by the threat actor itself, the main grounds behind its attacks are purely political and ideological ones, namely the support to Russia in the conflict with Ukraine and the fight against the so-called “Russophobic countries” supporting Ukraine in the ongoing conflict and spreading the “Western propaganda” against the Russian Federation.

It is also worth mentioning that the threat actor seems to cooperate with other pro-Russia cyber collectives such as Killnet and XakNet. A close attention should be placed on the cooperation among the several pro-Russia self-declared hacktivist groups that emerged since the beginning of the conflict between Russia and Ukraine. These groups share either the same ideological grounds that drive their operations, as well as the targets of the attacks, and in some cases even the tools exploited. Moreover, as recently noted in the analysis conducted by Mandiant Intelligence, it seems that some of these pro-Russian groups (e.g., XakNet) are linked to the the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the foreign military intelligence agency of the Russian Federation. [1]

Considering the increasing number of DDoS attacks conducted in the last months, as well as the growing number of its members, NoName057(16) has been gaining attention from the cybersecurity community. Indeed, Avast has recently published a report examining techniques and characteristics of the threat actor.  [2]

Date: 11/03/2022
Event: NoName057(16)  “Manifesto”.
Translation:
Greetings, comrades!
The hacker group NoName057(16) goes out on the warpath with Ukrainian sub-hackers and their corrupt servants! These admirers of the neo-fascists, who have seized power in Ukraine, are trying to attack the Internet resources of our country and intimidate our compatriots with their attacks orchestrated through the social networks and other communication channels. In response to their pathetic efforts, we are conducting massive attacks on Ukropropaganda resources that brazenly lie to people about Russia’s special operation in Ukraine, as well as on the websites of Ukrainian grief-hackers who try to support the neo-Nazi regime of Zelensky and a handful of drug addicts and Nazis from his mob! We have already conducted several successful attacks on Ukrainian resources, which have paralyzed users’ access to them. And this is just the beginning. To our enemies, we want to remind the words of the famous Russian commander Alexander Nevsky: “Whoever comes to us with a sword will perish by the sword! Here we will talk about our cases and conducted attacks.
Source: NoName057(16)

1.2. Targets

In the present analysis the YCTI Team has tracked the attacks conducted by the threat actor NoName057(16) from March until September 2022. As follows the main findings:

• the total number of DDoS attacks conducted in the time-span analyzed is equal to 449;
• the trend recorded is that one of an increasing number of DDoS attacks registered since May 2022;
• from March until April 2022 the threat actor targeted only Ukrainian entities;
• since May 2022 the threat actor has begun to target other European countries (mostly Poland and the Baltic Republics);
• the threat actor targets mainly digital services of critical infrastructures, particularly in the Government-Administration, Transport-Logistic, and Banking-Finance domains;
• the most targeted countries are Lithuania, Poland, and Ukraine. These countries are attacked by NoName057(16) in the context of the Russian-Ukrainian conflict, because of their political stance in support of Ukraine and their affiliation to the Western block led by the North Atlantic Treaty Organization (NATO) and European powers.

Date: 28/06/2022
Event: NoName057(16) claims responsibility for cyberattacks conducted against  the Lithuanian port of Klaipeda.
Translation:  You were probably wondering, how are things at the Klaipeda port of Lithuania?It’s really, really bad at it. After all, we made it inaccessible almost from anywhere! https://check-host.net/check-report/abb57b4k665  So the most important and largest transport center of the Republic of Lithuania, thanks to us, was left without its official website. We are waiting for the reaction of dissatisfied port employees and those who build their business on its work addressed towards the Lithuanian authorities.

Date: 25/08/2022
Event: NoName057(16) claims responsibility for cyberattacks conducted against Latvian Ministry of Interior.
Translation: We dropped another Latvian website – the Information Centre of the Ministry of Interior.
Source: Telegram NoName057(16)

1.2.1. Countries

At the beginning of its activities, the threat actor attacks were mainly focused on Ukraine. Indeed, the group was founded in March 2022 as a reaction to the conflict between Russia and Ukraine, that begun in February 2022. However, it has been observed that from May 2022 the threat actor has also conducted cyber-attacks against other countries.

As for the time-span analyzed (March-September 2022) the countries targeted by the cyber-attacks are the following listed in the table below:

As for the evidence collected the countries mostly targeted by the attacks are the following:

• Lithuania – 30%;
• Poland – 26%;
• Ukraine – 25%;
• Latvia – 8%.

Below a graph showing the trend of the attacks and the countries targeted in the time-span considered (March-September 2022):

Date: 26/07/2022
Event: NoName057(16) claims responsibility for cyberattacks conducted against Bydgoszcz Airport in Poland.
Translation: We continue our fascinating journey through Poland and we put down another website of a Polish airport (Bydgoszcz Airport).
Source: Telegram NoName057(16)

1.2.2 Sectors

As for the time-span analyzed (March-September 2022) the main sectors targeted by the DDoS campaigns are the following:

• Administration, Government, Justice, Legal – 18%;
• Transport – 17%;
• Bank, Finance, Insurance, Payment Services, Trade – 12%.

Below a table where the evidence collected in the time-span analyzed is reported.

Below a graph where the number of attacks per sector are represented.

Moreover, it is worth mentioning that the threat actor has also conducted diverse DDoS campaigns in different months (time span: July/August 2022) against the same companies (for example Dagsa, a transport services company based in Lithuania).

Furthermore, the group has often reiterated in its private channels/groups that targeting the health sector is unethical. Therefore, users have been encouraged to conduct their operations only against those entities through which a financial or reputational damage could be achieved.

Translation:
Mykor – “Here’s a question I’ve wanted to ask for a long time – why isn’t anyone strangling the health care sector? Let’s say you look at where are directed the arrivals in Ukraine, you start strangling emergency care, intensive care, surgery, blood transfusion stations. Or is that unethical?”

Juan Perez – “It’s not about ethics. The point is that these organizations provide assistance to ordinary citizens as well. Imagine a pregnant woman in labor and you hacked the dispatcher.”

Translation:
DDosia Project – “We only cover facilities that cause financial and/or reputational damage. Something related to risking the lives of ordinary people (not a private plastic clinic in Courchevel) is already dreadful, it’s not allowed.”

Translation:
More – “It should be understood that medicine and the police, no matter how we feel about them, must work as usual, because the former saves lives and the latter does the same. We must remember that people are a valuable resource.”

Source: DDosia Project group

1.3.  Cooperation with other pro-Russian hacker groups

From the tracking of the threat actor it emerged that NoName057(16) considers the following cyber-collectives as partners: Killnet, Legion, NetKillnet, Beregini, NemeZida, XakNet.

In particular, NoName057(16) has declared to have conducted a DDoS campaign on 21 June 2022 responding to the call for collaboration made by Killent. The attack targeted the digital infrastructures of Lithuanian airports and transportation services, specifically:

• “Ferry Bookings”, which provides services related to ferry crossings;
• Palanga Airport;
• Vilnus Airport;
• Kaunas Airport.

Date: 21/06/2022
Event: Collaboration with Killnet hacker group. NoName057(16) claims responsibility for cyberattacks conducted against the digital infrastructures of Lithuanian airports and transportation services.
Translation:  Welcome, comrades! We are happy to support the colleagues from Killnet with a lead on Lithuanian websites for the fact that the authorities of this Russophobic country have banned the transit of goods from the Kaliningrad region to Russia. We started warming up and put down the Internet resource of the Lithuanian company CJSC Ferry Bookings, which provides services related to ferry crossings. Now this site is inaccessible to anyone, except for some users with Lithuanian IPs https://check-host.net/check-report/a999eb5k3dd , but we will finish it! Lithuania will suffer until it lifts the ban on the transit of Russian goods! Today will be hot. Join us!

Date: 20/06/2022
Event: Killnet calls for collaboration with other pro-Russian hacker groups to conduct attacks against Lithuania.
Translation: We call on RaHDIt, XakNet, BEREGINI, Legion, Zarya, Russians Ransomware Group and our other friends to help destroy Lithuania’s network infrastructure.

Date: 21/06/2022
Event: Collaboration with Killnet hacker group. NoName057(16) claims responsibility for cyberattacks conducted against the digital infrastructures of Lithuanian airports and transportation services.
Translation: On June 21, our colleagues from the Killnet group called on the Russian hacker community to attack Lithuania’s Internet infrastructure. The authorities of this country imposed a ban on the transit of Russian goods, which grossly violated international law. We did not stand aside and actively joined the attacks against Lithuanian targets. As a result, Killnet has successfully put down the following sites today:

• Police Department under the Ministry of Internal Affairs of Lithuania;
• The largest Lithuanian mobile provider Telia;
• Authorization system of LPB, a widespread Lithuanian payment system.

We, for our part, slammed these Lithuanian Internet resources:

• Vilnius Airport;
• Kaunas Airport;
• Palanga Airport;
• Ferry Bookings Company (ferry services).

The NoName057(16) team will continue the attacks against Lithuanian websites and encourages all hacker groups in our country to do the same! Together – we are strong!
Source: NoName057(16)

Moreover, on 17 June 2022, NoName057(16) launched a DDoS campaign against a Ukrainian target attacked the same day by another hacker group, XakNet. The target of the attacks conducted by the two cyber collectives was the website of the Ukrainian Postal Service or Ukrposhta (Ukrainian: Укрпошта), the national postal service of Ukraine, a public company with 100% state ownership due to its strategic importance.

Date: 17/06/2022
Event: NoName057(16) reports a DDoS attack conducted against the Ukrainian Postal Service or Ukrposhta (Ukrainian: Укрпошта).
Translation: Without a prior agreement with colleagues from the XakNet Team, yesterday we unanimously attacked the Ukrposhta website. The XakNet Team stood out for having turned off the server and drained documents and databases. For our part, we included a number of subdomains of this Russophobic resource, among which the users’ personal accounts.
Source: NoName057(16)

Date: 17/06/2022
Event: XakNet Team reports an attack conducted against the Ukrainian Postal Service or Ukrposhta (Ukrainian: Укрпошта).
Translation: Yesterday we flew to the light to Ukrposhta. In the best traditions of our team, the attackers did not rub, encrypt, or extort anything. They just kindly turned off the server, draining documents and databases.
Source: XakNet Team

2. DDosia Project
 2.1 Overview

“DDosia Project” is a group, created on 18 March 2022 and linked to the threat actor NoName057(16), where the members organize themselves to conduct DDoS attacks against specific targets. The group is named after the DDosia tool created ad-hoc to undertake the DDos attacks. The tool is offered previous registration through a bot which registers the nickname linked to the user and includes a functionality that allows the user to keep track of the attacks conducted with the tool. The access to the DDosia tool is available through an invitation link circulated in the NoName057(16) chat.

The users of DDosia call themselves “cyber-army” and they work together to support the efforts and to give more resources to fulfill the goals of the NoName057(16) collective.

DDosia Project logo

The members of the group daily communicate about technical details on how to use the tool, best practices, as well as safeguard measures to implement such as VPNs settings, proxy services or indications of when launching the attacks in specific hours.

The DDosia Project is a work in progress/long term project. The aim of the group is to specialize the tool, the methodology as well as enhancing the technical skills of the DDosia users. After an initial testing period, the project has been refined and a reward mechanism has been announced by the administrator of the group. From September 2022, members of the cyber-collective started to receive financial benefits for the attacks conducted if they rank in the top 10 of the best DDoS attackers. The rewards are directly transferred to the users’ crypto wallet by the administrators of the project.

2.2 Characteristics and usage

The tool named DDosia (alias: Dosia, udc) is written in Go language. However, form the analysis conducted by the YCTI team, another version of the tool written in Python language has been discovered. The tool is described as easy to use and does not seem to require advanced technical skills. It has been developed for Windows, Linux and Apple Mac platforms. Recently, DDosia users have been working on an adaptation of the DDosia tool for mobile devices by using the Python version through Pydroid3 on Android.

As affirmed by the group owner, DDosia has been designed with the principle of launch and forget in mind. Therefore, the users can launch the script through a virtual machine and let the tool work in the background. It is also possible to launch more than one instance at the same time. The more instances launched, the more attacks can be conducted against the targets. Whenever launched, the tool automatically recovers the domains/IPs of the targets from a remote server. The targets have been previously set by the administrators and are routinely modified.

Sample of multiple DDosia.exe instances shared by a user

Samples related to the DDosia tool running on Android shared by a user

2.3 Members

The members of the DDosia group seem to match different profiles. The majority of the members do not participate in the group discussions and seem to be observers. Others do not participate or barely participate in the group exchanges, although they seem to make use of the tool. Other participants have a technical background and use it to give advice on the utilization of DDosia, as well as to discuss possible future targets and DDoS techniques with the group’s administrators. Many DDosia users do not have a technical background and they seem to be driven by a mix of ideological and financial purposes.

Date: 25/08/2022
Event: NoName057(16) claims responsibility for cyberattacks conducted against the Security Service of Ukraine (Ukrainian: Служба безпеки України, Romanized: Sluzhba bezpeky Ukrayiny) or SBU (Ukrainian: СБУ), the law enforcement authority and main intelligence and security agency of the Ukrainian government.
Translation: Fierce battles are going on for the truth. In the meantime, by joint efforts, our project is bearing fruit – we threw DDoS missiles towards the SBU and their website stopped responding, as you rightly noted subscribers: https://check-host.net/check-report/cb93ed5kfc0
Source: NoName057(16)

3. Conclusions

NoName057(16) has demonstrated the ability to conduct massive DDoS campaigns with a discrete degree of success. Given the ideological and political grounds behind the cyber-attacks conducted by the threat actor, there is a high probability that in the following months it will keep targeting governmental entities and critical infrastructures of European countries supporting Ukraine in the ongoing conflict with the Russian Federation. Moreover, considered the recent escalation of the conflict, the likelihood is that the attacks will even increase. Furthermore, from the tracking conducted, it emerged that NoName057(16) is growing either in terms of members and with regards to its reputation in the underground cyber arena. Indeed, the threat actor has been able to attract a lot of affiliates and it has also conducted joint-attacks with other major pro-Russian hacker groups such as Killnet and XakNet.

Taking into consideration the cyber-attacks conducted by self-declared pro-Russian hacker groups since February 2022, it is clear that the cyber-space is one of the battlefields where takes place the confrontation between pro-Russian and pro-Ukrainian forces, alongside with the economic, political and military domains. Therefore, a heightened attention should be placed on the protection of critical infrastructures and governmental entities which could be selected as targets of foreseeable DDoS campaigns led by NoName057(16) in the following months.

References

[1] Mandiant Intelligence, GRU: Rise of the (Telegram) MinIOns, September 23, 2022.  Available at: https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

[2] Avast, NoName057(16) Pro-Russian Hacker Group Targeting Sites in Ukraine and Supporting Countries with DDoS Attacks, September 6, 2022. Available at: https://press.avast.com/noname05716-pro-russian-hacker-group-targeting-sites-in-ukraine-and-supporting-countries-with-ddos-attacks

Authors