Pro-Russian hackers upgrade DDoSia bot used to attack Ukraine, NATO countries

The DDoSia project by pro-Russian hackers has seen significant growth this year as attackers continue to use the technology against countries critical of Russia's invasion of Ukraine.

DDoSia is a distributed denial-of-service attack toolkit developed and used by the pro-Russia hacktivist group NoName057(16).

The group and its followers are actively deploying the tool against government agencies, media, and private companies in Lithuania, Ukraine, Poland, Italy, and other European countries, according to a report released by cybersecurity company Sekoia this week.

“This likely stems from the fact that those countries are the most vocal in public declarations against Russia and pro-Ukraine, as well as providing military support and capabilities,” the researchers said.

Sekoia detected a total of 486 different websites impacted by DDoSia attacks. Among them are incidents involving Latvia’s parliament and Poland’s tax service.

NoName057(16) also targeted education-related websites during the exam period in Ukraine in May and June, allegedly to maximize the media coverage of their DDoS operation, Sekoia said.

The group typically targets 15 different victims per day. Sekoia only observed one incident when the group attacked a single victim — Russia's Wagner private mercenary army during its attempted military coup in June. DDoS attacks are designed to overwhelm network resources with traffic to effectively take them offline.

Telegram communications

The DDoSia project was launched in early 2022, reaching 10,000 followers on its Telegram channel. The administrators of the group, as well as community members, are very active, according to Sekoia. The group regularly posts messages about successful attacks.

NoName057(16) also communicates about the project through its own Telegram channels, including one in Russian with over 45,000 subscribers, and a separate channel in English.

Volunteers who choose to participate in hacking campaigns are paid in cryptocurrency based on their contribution to DDoS attacks. Before launching the attack, the new members receive a .zip archive that contains the attack toolkit.

According to Sekoia, the NoName057(16) group continues to update the DDoSia project. For example, they want to make their malware compatible with multiple operating systems to reach more targets.

“It is highly likely we will observe further developments in the short term,” the researchers said.