CyberSecurity SEE

Undercover Researchers Decipher the Operations of NoName057(16)


Amidst the ongoing Russo-Ukrainian war, nations, institutions, and individuals providing aid to Ukraine have faced relentless cyberattacks by pro-Russian hackers. NoName057(16), a pro-Russian hacking entity, made its presence known in March 2022 and has often been at the forefront of several such cyberattacks, claiming responsibility for targeting an array of governmental agencies, media outlets, and private corporations. These attacks, which have spanned Ukrainian, American, and European targets, have escalated tensions within the current cybersecurity landscape, prompting cybersecurity experts to delve deeper into the workings of NoName057(16).

In an effort to gain insight into the operations of the NoName hacktivist group, researchers at Radware went undercover as hacktivists to infiltrate the group. They closely monitored the activities of NoName057(16) and discovered some intriguing information about the organization. The group operates with the help of thousands of volunteers, as well as a small group of core members who handle the cyberattacks. The decision-making process within the group appears to be decentralized, with no declared leader stepping forward. Instead, the core members are responsible for various tasks, such as operating the Telegram channel, coding the DDoSia bot, maintaining the DDoSia infrastructure, conducting OSINT research to find new targets, and supporting the community of volunteers.

NoName057(16) operates several communication channels to facilitate its activities. The group primarily communicates in Russian through its main Telegram channel. In August 2022, they created a second channel that provides an English translation of the messages from the main channel, presumably to attract attention from the media, researchers, and potential victims. They also own a Telegram group called ‘DDoSia Project’ that provides instructions and support for the Russian- and English-speaking volunteers running their bot. Additionally, they have a Telegram bot called ‘DDosiabot’ that provides a registration service and leaderboards for the volunteers.

Despite having a community of over 10,000 members, the core group that makes up NoName057(16) is relatively small. Most of the members are volunteers who provide resources for the DDoSia botnet, while the members of the main channel contribute to NoName057(16)’s visibility and influence.

The primary motivations driving NoName057(16)’s operations are purely patriotic and political. They are aligned with Russia but do not want to be associated with the pro-Russian hacktivist group Killnet. They have never officially joined a Killnet campaign or used the Killnet badge. Their targets are primarily Western governments and pro-Ukrainian organizations, chosen based on events covered in the media and any actions that might negatively impact Russia. They provide reasons for their attacks in their messaging.

The mechanics of the “DDoSia Project” involve leveraging crowdsourcing to create an effective DDoS botnet. NoName057(16) provides a malware binary that volunteers can download and run on their devices or cloud instances. These bots connect to a central command-and-control infrastructure to receive target lists and commands, which are managed and operated by NoName057(16). The group supports its volunteers through email and their Telegram group. They also use the Telegram bot ‘DDosiabot’ for new volunteers to register and receive a unique ID, which authorizes their bots to download target lists and upload attack statistics. They provide financial incentives for their most active volunteers and pay them in TON coin through Cryptobot, a Telegram-based multicurrency wallet.

Overall, the activities and operations of NoName057(16) have been a cause for concern within the cybersecurity landscape. With their relentless cyberattacks and distinctive methods of recruitment and compensation, they continue to pose a threat to nations, institutions, and individuals providing aid to Ukraine. It is crucial for cybersecurity experts and organizations to remain vigilant and take proactive measures to protect against these cyber threats.
