Image: Kevin Horvat via Unsplash
Image: Kevin Horvat via Unsplash

What's in a NoName? Researchers see a lone-wolf DDoS group

Every morning at roughly the same time, a Russian hacker group known as NoName057(16) carries out distributed denial-of-service (DDoS) attacks on European financial institutions, government websites or transportation services.

Last week, the group claimed responsibility for disrupting the websites of several banks and financial institutions in the Czech Republic and Poland, which it considers hostile to the Russian state because of its support to Ukraine.

Like other pro-Kremlin hacktivist gangs, including Killnet or the Cyber Army of Russia, NoName057(16) orchestrates relatively simple and short-lived DDoS incidents with the help of hundreds of volunteers. The goal is to disrupt daily life, even for a few minutes.

But there are some things that set this group apart, researchers say.

In the Russian cybercrime landscape, NoName057(16) is a "lone wolf," according to Pascal Geenens, the director of cyberthreat intelligence at the cybersecurity firm Radware. The group doesn't make any alliances with other hackers and mostly relies on the custom-made DDoSia toolkit to carry out its attacks.

NoName057(16) is less emotional and erratic compared to some other groups. According to Geenens, it has maintained a military-like discipline in its operations for over a year.

The group picks five to 15 targets per day and studies their websites to find the most important parts to hit for a bigger impact. Other hacktivist groups typically don't conduct reconnaissance before staging their attacks, Geenens said.

To celebrate its successes, NoName057(16) publishes a report on the Check Host website, which evaluates the availability and performance of website servers in different countries. Other pro-Kremlin groups are less rigorous, and they frequently claim DDoS attacks that have been carried out by other gangs, including NoName057(16), according to Geenens.

Western targets

DDoS incidents involve flooding a website with bogus requests until it essentially stops processing legitimate traffic. Since the beginning of this year, NoName057(16) has claimed more than 170 attacks targeting Poland, Czechia, Lithuania, Ukraine and Italy, according to Radware. The group's initial attacks focused on Ukrainian news websites, but later shifted to NATO-associated targets, according to a report by SentinelLabs.

The group attacked the tax service website of Poland in March, and it also targeted the websites of candidates in the Czech presidential election in January. Then, in August, it launched a fresh wave of attacks on the financial institutions of these countries.

One possible reason for NoName057's (16) choice of Western targets is to avoid interfering with government-controlled hackers who specifically target Ukrainian infrastructure, according to Geenens.

There’s also a possibility that pro-Russian hacktivists try to stay within a specific sphere of influence, with NoName057(16) primarily targeting Ukrainian allies while other groups like the Cyber Army of Russia focus on Ukrainian organizations, according to Yevheniya Nakonechna, head of the Ukrainian computer emergency response team (CERT-UA).

Automated tools

For its operations, NoName057(16) mostly uses a DDoS attack toolkit called DDoSia with an individual configuration file given to each person willing to join an attack, according to Nakonechna.

Tools like DDoSia make DDoS attacks more accessible to individuals who aren't professional hackers but want to make money or get involved in cyberwarfare from the comfort of their own homes.

On its Telegram channel with over 52,000 subscribers, NoName057(16) aims to educate its followers by explaining basic industry jargon and attack concepts.

Volunteers who choose to participate in hacking campaigns are paid in cryptocurrency based on their contribution to DDoS attacks.

The DDoSia project's Telegram channel currently has 12,000 subscribers. According to a report from cybersecurity company Sekoia, the group is focused on improving its software security and expanding its capabilities.

It's not entirely clear how NoName057(16) funds these initiatives. According to Geenens, there's no evidence that the Russian government sponsors the group.

In fact, very little is known about the founder or core team of the group, as well as the origin of its name. This sets NoName057(16) apart from Killnet, which has an enigmatic and media-savvy leader, Killmilk.

But just like many other hacktivist groups, Killnet appears to grow weary of its DDoS attacks and shifts its focus to side projects.

“There are threat actors who come and go or take a break, but not NoName057(16),” Geenens said.

While not technically sophisticated or destructive, NoName057(16) attacks are annoying and frustrating for people who want to use the services impacted by the attack, researchers say.

NoName057(16) wants to create chaos and make people notice their hacks, according to Geenens. And they will likely continue to ramp up their efforts to ensure they are not forgotten, he added.

“We don't plan on just sitting around in the face of the hostile and openly anti-Russian actions coming from the West. We'll respond in kind. We can't let Russophobia become the new normal!” the group said last July in a manifesto.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.