Pro-Russian hacktivist group NoName057(16) has been targeting Ukrainian and NATO organisations with distributed denial of service (DDoS) attacks in a campaign that started soon after the invasion of Ukraine. The group has grown its botnet to more than 1,000 members by offering financial rewards for successful attacks. It has been targeting government organisations and critical infrastructure, according to security researchers.
Analysts at security vendor Avast uncovered the co-ordinated cyberwarfare campaign, dubbed DDosia by the hacktivist group. NoName057(16) is said to have put out a call for volunteers to join their activities, including DDoS attacks on “anti-Russian” targets.
The volunteers were rewarded with payments of up to 80,000 rubles, or about $1,200, paid via a cryptocurrency if their attack made an impact, with a special focus on websites linked to nations critical of the Russian invasion of Ukraine.
“Right from the beginning of the Ukraine war, we saw calls on social media for people to engage as hacktivists and download DDoS tools to take down Russian websites in order to support Ukraine,” said Martin Chlumecky, malware researcher at Avast. He said what we’re now seeing is people struggling financially taking the money in return for joining a DDoS attack.
“For some people, it may be tempting to earn some extra money quickly,” he added. “We saw that some users in countries like Canada and Germany wanted to join the NoName057(16) hacker group by trying to download the DDosia executable file and thus carry out DDoS attacks.”
Avast found evidence of these users adding the malware to the exception list of the anti-malware software running on their computers, which means it is no longer flagged as malware and can be executed as normal. The users were then rewarded for their efforts, with the hacktivist group finding this significantly improved their success rate.
“While it may be tempting for many people to join these cyber groups to boost their finances, it is still a cyberattack with all the consequences – including legal consequences. That should be clear to everyone,” said Chlumecky.
NoName057: ‘heroes’ or hackers
Users seeking a financial reward, dubbed “heroes” by the group, accept the executable on their machine, which is then linked to a unique ID. This ID can be paired to a crypto-wallet, and if a member carries out enough attacks, they get paid.
One of the most recent attacks saw NoName057(16) hackers disrupt financial sector services in Denmark. Last week, DDoS attacks hit access to several Danish banking websites, including those of the central bank and seven private banks. A central bank spokesperson said the attack had no impact on other systems or operations beyond the website, which was restored quickly.
The pro-Russian group also claimed responsibility for DDoS attacks on organisations and businesses in Poland and Lithuania, as well as attempts to disrupt the websites of candidates running in the 2023 Czech presidential election.
Avast says it uncovered 1,400 DDoS attack attempts carried out as part of the DDosia project, 190 of which were successful, giving the group a 13% success rate. The volunteers had more success in November than in previous months as they started targeting multiple sub-domains linked to the same primary domain, rather than attacking multiple different primary domains. This increased the success rate because the sub-domains were all likely hosted on the same server, so if that server was vulnerable to attack then all sub-domains on it were also likely to be impacted.
The group is estimated to have about 1,000 members, capable of generating 900,000 requests per minute against any single target, although that will vary depending on the quality of each member's internet connection or the speed of access through the VPN.
“Their DDoS attacks are basically unsophisticated, do not have large impacts, and do not aim to cause significant damage,” said Chlumecky. “They want to draw attention to themselves in the media, similar to the Killnet group. Nonetheless, NoName057(16) activities are still more of a nuisance than dangerous.”
Credit rating agency Moody’s said the activities of NoName057(16) “highlight the importance of strong cyber safety practices to guard against future attacks”. It added that the costs resulting from the impact on operations, reputational risks and similar are particularly high for financial institutions, such as the ones hit in Denmark.