How Russia’s NoName057(16) could be a new model for hacking groups
Now, NoName057(16) targets any country that expresses support for Ukraine, focusing primarily on government websites, banks, and energy providers. Whereas other groups have come and gone, NoName057(16) has been consistent in its activities for the past 18 months, conducting at least one DDoS attack per day. The group rarely deviates from its systematic attack procedure, which is commonly linked with the news cycle, but when it does, the deviation is reactive. For example, on December 15, 2022, the group carried out a DDoS attack on the Polish Parliament website after Poland recognized Russia as a state sponsor of terrorism.
The group’s modus operandi seems to encompass three components: disinformation, intimidation, and chaos creation. The disinformation component is evidenced by the continuous attacks against numerous Ukrainian media sources. The intimidation component consists of repeated attacks against the same target. As NoName057(16) puts it: “repetition is the mother of learning.” Lastly, chaos creation is evidenced by the 70-plus DDoS attacks against Spain in the weeks before and immediately after the country’s general election in July 2023. Similar events took place leading up to the Czech presidential election in January and the Polish parliamentary elections in October.
NoName057(16) has no enigmatic leader, and there is no evidence of who financially sponsors the group or whether it has government links. It is characterized by its military-like discipline and the calculated, repetitive nature of its attacks. The group is far more rigorous in its target reconnaissance than any other pro-Russian hacktivist group. It also publishes evidence of the global unavailability of the targeted websites on the CheckHost website, most likely to boost its own ego.
What is also unique about the group is its technical targeting process, which relies completely on volunteers to carry out its DDoS operations. A target list is updated daily and is distributed by the group administrators via encrypted C2 servers. The execution of the attacks, therefore, relies on a group of Russian sympathizers who volunteer their private devices and who are paid in cryptocurrency for their participation. Many questions remain regarding who is responsible for choosing the targets and uploading the list, but there is a strong possibility that a core group of individuals makes these executive decisions. Also peculiar is that, unlike any other hacking group in the Russo-Ukrainian conflict, NoName057(16) does not restrict its user base and is willing to mix ideology with financial incentives to recruit individuals to join its efforts.
How NoName057(16) brands itself
NoName057(16) launched its crowdsourced botnet, DDoSia, in July 2022. To make the attack toolkit more accessible, it also has a Telegram channel in both Russian and English for instructions and support. Its toolkit was hosted on GitHub until recently but has since been taken down, which is curious given the volume of illicit content that continues to be made available on the website.
A parallel can be drawn between the cyber operations of NoName057(16) and the IT Army of Ukraine, which also has a fully automated DDoS bot that targets Russian organizations. What sets NoName057(16) apart is its integrated payment platform, which is hard to track since the group uses the open-source cryptocurrency TON for payouts. Experts from Radware, a cybersecurity provider, claim it is “basically untraceable.”