NetSecurity Threat Report: NoName057(16) Pro-Russian Hacktivist Group
NoName057(16) Threat Group Motivation
NoName057(16) is a pro-Russian threat actor group that has been making headlines recently. The group is believed to be associated with the Russian government and has been linked to numerous cyberattacks, including attacks on government networks, military systems, and corporate networks. The group is politically motivated: it follows a pro-Russian agenda and targets pro-Ukrainian companies and institutions in Ukraine and NATO countries in response to evolving political conditions. It gained prominence after the start of the Russia-Ukraine war. The primary goal of NoName057(16) is to disrupt websites that are important to nations that have been critical of Russia’s invasion of Ukraine.
Targets of NoName057(16) Group
NoName057(16) was first spotted in March 2022, and since then its activities have become more frequent and its targets more sophisticated. NoName057(16) exclusively attacks websites with DDoS attacks. In early June, the group targeted Ukrainian news servers. After that, it targeted Ukrainian government, utility, armament, transportation, and postal websites. Attacks became more political in mid-June. In Denmark, NoName057(16) disrupted services across the financial sector. Businesses and organizations in Poland and Lithuania have also been attacked by this group. In January 2023, NoName057(16) was observed targeting the websites of 2023 Czech presidential candidates. Recently, the group has launched DDoS attacks on targets across the US and Canada.
Attack Methodology: Tactics, Techniques and Procedures
DDoS attacks are the most common method this group uses to cause disruption. Although the DDoS volumes reported are significantly lower than those of other pro-Russian hacktivist groups such as KillNet, NoName057(16) makes headlines by attacking multiple pro-Ukraine entities at the same time. The group leverages Bobik, a Botnet-as-a-Service, the Cobalt Strike trojan, and the RedLine Stealer initial access broker (IAB) service to build a botnet that is then used to perform DDoS attacks on the selected targets. The group also tends to operate and carry out its attacks during hours consistent with Russian time zones. In addition, it performs DDoS attacks using the GitHub-hosted DDOSIA tool. The group has been observed using Neterra, a Bulgarian telecommunications organization, for C2 activities, in addition to No-IP dynamic DNS services.
Telegram Channel For Public Disclosure of Their Attacks
Founded in March 2022, the group's Telegram channel has over 14K followers. The group boasts about the success of its DDoS attacks on the channel, with an average of around 6 posts per day. Group members only report successful DDoS attacks. The actors behind NoName057(16) have managed to remain anonymous, making it even harder to track them down.
How to Prevent NoName057(16) Cyber Attacks
NoName057(16) is a serious threat to organizations across the globe. It is important to stay vigilant and ensure that your networks are secured. Prevention of NoName057(16) attacks can be achieved in two main ways: by implementing DDoS prevention tools that can instantly detect and scrub active DDoS attacks, and by deploying an effective and sophisticated threat detection and prevention solution such as ThreatResponder. ThreatResponder® Platform is an all-in-one cloud-native endpoint threat detection, prevention, response, analytics, intelligence, investigation, and hunting product. Once lightweight agents (“Rovers”) are deployed, you gain situational awareness and immediate threat visibility into hundreds or thousands of endpoints, can respond to nation-state and insider threats, and can neutralize cyber attacks quickly. ThreatResponder® allows investigators to conduct incident response and computer forensics investigations on a remote endpoint. In addition to these features, ThreatResponder also provides advanced analytics capabilities that help organizations quickly identify and respond to potential threats. The solution is designed to be easy to use, allowing organizations to implement it quickly and start using it to prevent cyber attacks.
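The TTP section above describes NoName057(16) as an HTTP-flood DDoS actor, and the prevention section recommends tooling that detects an active flood quickly. The following is an added example of the detection step, written for this report; it is not NetSecurity's or ThreatResponder's code. It parses common-format web access logs and keeps a sliding window per source address and site-wide, so both a single noisy source and a distributed flood of many low-rate sources are reported. The log lines are constructed (RFC 5737 test addresses) and the thresholds are illustrative, not tuned values.

```python
"""Sliding-window request-rate detector for HTTP floods over web access logs.

Added example for this report; it is not NetSecurity's or ThreatResponder's
code. Log lines are constructed (RFC 5737 test addresses) and the thresholds
are illustrative only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common log format: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, ts (aware datetime), req, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_flood(lines, window=timedelta(seconds=10),
                 per_ip_threshold=20, global_threshold=60):
    """Scan time-ordered log lines with a sliding window.

    Returns (flagged_ips, global_alerts): sources whose request count inside
    one window exceeded per_ip_threshold, and the timestamps at which the
    site-wide count exceeded global_threshold (at most one alert per window,
    so a distributed flood of many low-rate sources is still reported).
    """
    per_ip = defaultdict(deque)
    recent = deque()            # every request timestamp inside the window
    flagged_ips = set()
    global_alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines rather than crash
        ts, ip = rec["ts"], rec["ip"]

        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > per_ip_threshold:
            flagged_ips.add(ip)

        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > global_threshold and (
                not global_alerts or ts - global_alerts[-1] > window):
            global_alerts.append(ts)
    return flagged_ips, global_alerts


def make_sample_log():
    """Constructed access log: two ordinary visitors plus three flood sources."""
    base = datetime(2023, 1, 12, 9, 0, 0, tzinfo=timezone.utc)
    entries = []
    for ip, offset in (("203.0.113.5", 0), ("203.0.113.9", 7)):
        for i in range(3):      # 3 requests spread over a minute
            entries.append((base + timedelta(seconds=offset + 20 * i),
                            ip, "GET / HTTP/1.1", 200, 512))
    for n, ip in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        for i in range(30):     # 30 requests in 6 seconds per source
            entries.append((base + timedelta(seconds=30 + n, milliseconds=200 * i),
                            ip, "GET /search?q=x HTTP/1.1", 503, 0))
    entries.sort()              # detector expects time order
    return ['%s - - [%s] "%s" %d %d' % (ip, ts.strftime(TS_FMT), req, status, size)
            for ts, ip, req, status, size in entries]


if __name__ == "__main__":
    flagged, alerts = detect_flood(make_sample_log())
    print("per-source floods:", sorted(flagged))
    print("site-wide alerts:", [a.isoformat() for a in alerts])
```

On the constructed log the three flood sources are flagged individually and one site-wide alert fires during the burst; the two ordinary visitors never trip either check. In production the per-source check alone is weak against a botnet-driven flood, which is why the site-wide count is kept as well and why scrubbing services work on aggregate traffic rather than per address.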
Want to see our ThreatResponder, a cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.
Indicators of Compromise:
- 94d7653ff2f4348ff38ff80098682242ece6c407
- e786c3a60e591dec8f4c15571dbb536a44f861c5
- c86ae9efcd838d7e0e6d5845908f7d09aa2c09f5
- e78ac830ddc7105290af4c1610482a41771d753f
- 09a3b689a5077bd89331acd157ebe621c8714a89
- 8f0b4a8c8829a9a944b8417e1609812b2a0ebbbd
- 717a034becc125e88dbc85de13e8d650bee907ea
- ef7b0c626f55e0b13fb1dcf8f6601068b75dc205
- b63ce73842e7662f3d48c5b6f60a47e7e2437a11
- 5880d25a8fbe14fe7e20d2751c2b963c85c7d8aa
- 78248539792bfad732c57c4eec814531642e72a0
- 1dfc6f6c35e76239a35bfaf0b5a9ec65f8f50522
- 2.57.122.82
- 2.57.122.243
- 109.107.181.130
- 77.91.122.69
- 31.13.195.87
- tom56gaz6poh13f28[.]myftp.org
- zig35m48zur14nel40[.]myftp.org
- 05716nnm@proton[.]me
- hxxps://t[.]me/noname05716
- hxxps://t[.]me/nn05716chat
- hxxps://github[.]com/dddosia
- dddosia[.]github.io
- hxxps://github[.]com/kintechi341
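The indicators above are published defanged ([.] for dots, hxxps for https), so they have to be refanged and sorted by type before a detection tool can use them. The following is an added example of that step, written for this report; it is not NetSecurity's or ThreatResponder's code. RAW_IOCS is a subset of the indicators listed above; the telemetry events are constructed. The 40-character hex values are treated as SHA-1 digests because that is the SHA-1 length; the report itself does not name the algorithm, so that is an assumption.

```python
"""Refang, classify and match the report's IoCs against endpoint telemetry.

Added example; not NetSecurity's or ThreatResponder's code. RAW_IOCS is a
subset of the report's list; SAMPLE_EVENTS is constructed. The 40-hex values
are assumed to be SHA-1 (the report does not name the hash algorithm).
"""
import re

RAW_IOCS = [
    "94d7653ff2f4348ff38ff80098682242ece6c407",
    "e786c3a60e591dec8f4c15571dbb536a44f861c5",
    "2.57.122.82",
    "109.107.181.130",
    "tom56gaz6poh13f28[.]myftp.org",
    "dddosia[.]github.io",
    "05716nnm@proton[.]me",
    "hxxps://t[.]me/noname05716",
    "hxxps://github[.]com/dddosia",
]

# Classification order matters: the more specific patterns come first.
KINDS = [
    ("sha1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("url", re.compile(r"^https?://", re.IGNORECASE)),
    ("email", re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)),
]


def refang(value):
    """Undo report-style defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def classify(value):
    """Return the indicator kind of an already refanged value, or 'unknown'."""
    for kind, rx in KINDS:
        if rx.match(value):
            return kind
    return "unknown"


def build_index(raw_iocs):
    """Refang, classify and normalise the list into per-kind lookup sets."""
    index = {kind: set() for kind, _ in KINDS}
    index["unknown"] = set()
    for item in raw_iocs:
        value = refang(item.strip())
        kind = classify(value)
        if kind in ("sha1", "domain", "email"):
            value = value.lower()       # case-insensitive kinds
        index[kind].add(value)
    return index


def match_events(events, index):
    """Return (host, kind, indicator) for each telemetry event that hits an IoC.

    DNS queries are compared only with domain indicators: the host part of a
    URL indicator (github.com, t.me) is shared infrastructure and is not an
    IoC on its own. Proxy URLs match the full indicator followed by the end of
    the string or a path/query separator, so "dddosia?tab=..." hits but a
    different repository whose name merely starts with "dddosia" does not.
    """
    hits = []
    for ev in events:
        if ev["type"] == "process":
            digest = ev["sha1"].lower()
            if digest in index["sha1"]:
                hits.append((ev["host"], "sha1", digest))
        elif ev["type"] == "dns":
            qname = ev["qname"].lower().rstrip(".")   # drop trailing root dot
            if qname in index["domain"]:
                hits.append((ev["host"], "domain", qname))
        elif ev["type"] == "conn":
            if ev["dst_ip"] in index["ipv4"]:
                hits.append((ev["host"], "ipv4", ev["dst_ip"]))
        elif ev["type"] == "proxy":
            for url in index["url"]:
                rest = ev["url"][len(url):]
                if ev["url"].startswith(url) and (rest == "" or rest[0] in "/?#"):
                    hits.append((ev["host"], "url", url))
    return hits


# Constructed telemetry: one infected workstation, benign noise, and one
# browse to the DDOSIA repository.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "sha1": "94D7653FF2F4348FF38FF80098682242ECE6C407"},
    {"type": "process", "host": "ws-02", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},  # SHA-1 of empty input
    {"type": "dns", "host": "ws-01", "qname": "tom56gaz6poh13f28.myftp.org."},
    {"type": "dns", "host": "ws-03", "qname": "github.com"},   # not an IoC by itself
    {"type": "conn", "host": "ws-01", "dst_ip": "2.57.122.82", "dst_port": 443},
    {"type": "conn", "host": "ws-04", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "proxy", "host": "ws-05", "url": "https://github.com/dddosia?tab=repositories"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, build_index(RAW_IOCS)):
        print("%-6s %-7s %s" % hit)
```

Against the constructed events, ws-01 produces three hits (the hash, the No-IP dynamic DNS hostname and the C2 address) and ws-05 one (the DDOSIA repository URL); the GitHub lookup from ws-03 and the benign hash on ws-02 produce none. The same normalisation (lower-casing digests and hostnames, stripping the DNS root dot) is what keeps a hunt over EDR or DNS telemetry from silently missing an indicator that was logged in a different case.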
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).