Global security & privacy leader Avast has uncovered that Pro-Russia hacktivist group NoName057(16) is conducting a campaign of Distributed Denial of Service (DDoS) attacks on Ukraine and NATO organisations, which began in the early days of the war in Ukraine.
Targets have included government organisations and critical infrastructures, where the hacktivist group has started a project called “DDosia”, inviting volunteers to join their activities of driving DDoS attacks on targets that they find to be “anti-Russian”. Volunteers can earn up to 80,000 Rubles for a successful attack. The NoName057(16) group is primarily focused on disrupting websites important to nations critical of Russia’s invasion of Ukraine – DDoS attacks act as the method to conduct such disruption efforts.
NoName057(16) was responsible for disrupting services across the financial sector of Denmark last week, and other recent attacks include organisations and businesses across Poland, Lithuania and others with NoName057(16) beginning to target 2023 Czech presidential election candidates’ websites.
Avast, has broken down the latest findings in its Decoded Blog, which reveals key insights such as:
- The group continues targeting private and public businesses in Poland, Latvia, and Lithuania, followed by Ukraine
- Avast observed 1,400 DDoS attack attempts by DDosia project members, 190 of which were successful. The current success rate of the DDosia project is approximately 13%
- The success rate of attacks increased in November, likely due to attacks targeting multiple sub-domains belonging to the same primary domain
- Multiple sites belonging to the same domain often run on the same server. If that server is vulnerable to attacks, all the subdomains hosted on the server are also vulnerable
- Members are encouraged to use a VPN and connect through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets
- One DDosia can generate approximately 1,800 requests per minute using four cores and 20 threads (depending on an attacker’s internet connection quality). With about 1,000 members, the total count of requests to defined targets can be up to 900,000 requests per minute
Martin Chlumecky, Malware Researcher at Avast says; “Right from the beginning of the Ukraine war, we saw calls on social media for people to engage as hacktivists and download DDoS tools to take down Russian websites in order to support Ukraine. Today, we see different motivational aspects of people joining DDoS groups: All across Europe, we feel the financial impact of the Russian war.
For some people, it may be tempting to earn some extra money quickly. We saw that some users in countries like Canada and Germany wanted to join the NoName(057)16 hacker group by trying to download the DDosia executable file and thus carry out DDoS attacks. The file is only available to verified members of the corresponding Telegram group, and was actively pushed to our AV exception list by some Avast users.
In short, the malware is no longer marked as such and can be executed normally. Without great technical knowledge, members of the group can earn up to 80,000 Russian rubles (about 1,200 USD) in cryptocurrencies for successful DDoS attacks. Thus, the motivation moves from political to financial aspects. The hacker group NoName(057)16 uses this financial incentive to increase its success rate and thus make a name for itself in the hacker community – political motivation may play only a subordinate role for many, both at the level of the project heads and among the participating users. While it may be tempting for many people to join these cyber groups to boost their finances, it is still a cyber-attack with all the consequences – including legal consequences. That should be clear to everyone.”