Dark Web Profile: NoName057(16)

By SOCRadar Research

[Update] July 11, 2023: NoName recently launched a cyber attack on Poland, targeting critical infrastructures such as the National Bank of Poland and the Polish Computer Security Incident Response Team (CSIRT GOV) website. Added the subheading: “Cyber Attack on National Bank of Poland.”

The Russia-Ukraine war continues to this day with huge consequences on the physical side. In parallel, the sides also wage cyber warfare against each other to have leverage against one another, such as using DDoS attacks against valuable infrastructures or conducting espionage activities that could harm the target country.

As this cyber warfare continues, many pro-Ukrainian and pro-Russian groups have emerged. There are lots of groups actively operating, such as GhostSec, Kelvin Security, and IT Army of Ukraine on the Ukraine side, while Killnet, Zarya, and Xaknet groups are operating against Ukraine.

On the left, one of the first posts by IT Army of Ukraine targeting Russia on its Telegram channel, and on the right, one of the first posts by Killnet targeting Ukraine.

Although the groups generally interact with each other, they usually have their Telegram and/or Twitter accounts where they share their activities.

Using social media, they continue seeking new volunteers to participate in this cyber warfare. One of the new groups running DDoS operations on a volunteer basis is NoName057(16).

Who is NoName057(16)

NoName057(16) is a pro-Russian hacktivist group first observed in March 2022 and operating since that date.

first NoName057(16) telegram post was on March 11, 2022 (Translated from the Russian Language using the Machine translation service Google Translate) — First NoName057(16) Telegram post was on March 11, 2022 (Translated from the Russian Language using the Machine translation service Google Translate)

Even though the group has been operating since March 2022, it took until July 2022 for the group to publish its manifesto. According to the group’s manifesto, their actions are a response to those who have taken an openly hostile position toward Russia, and they have the strength and experience to restore justice. The group also notes that they do not work for financial gain and are willing to cooperate with like-minded groups. The manifesto emphasizes the importance of truth as a source of strength.

The Manifesto of NoName057(16) was posted on their Telegram channel on July 26, 2022.

SOCRadar researchers observed that the group runs a total of 5 Telegram channels (and we did not observe that the group posted on any social media other than telegram):

NoName057(16) is used for announcing their claims (mostly screenshots of their DDoS attacks) in the Russian language.
NoName057(16) Eng has English translations of the same posts on their main Telegram channel.

Noname057(16)’s main Telegram channel and its English version.

NoName057(16) Chat is a chat channel members use to communicate.
NoName057(16)_reserve is the group’s backup channel, as they say, and it is observed that this group was established on January 6, 2023.

NoName057(16) chat and backup channel’s Telegram information chart.

And also, the group has a private Telegram channel called DDosia Project, the communication channel they created for the Dosia tool they use.

DDosia Project telegram group’s information chart — DDosia Project Telegram group’s information chart

In addition, the group has observed using NoName05716, 05716nnm, and Nnm05716 names.

According to statistics gathered from TGStat.ru, although the group lost some traction towards January, its engagement rate by reach (ERR) is rising again, indicating that people are interested in the group again.

NoName057(16) engagement rate by reach (ERR) graphic over time (Source: TGStat.com)

The group not only posts about its attacks but also informs its followers with posts about issues such as VPN, password security, etc.

A Telegram post where the group provides information about VPN and product recommendations.

DDoSia Evolves

The latest version of DDoSia has been equipped with an advanced protection method that effectively conceals the list of targets. This list is securely relayed from the command-and-control (C2) server to the users by leveraging AES-GCM encryption. This encryption method is complex, involving a key, an initialization vector (IV), and a tag, with the key being determined using a token value and the IV and tag derived from the encrypted text.

This sophisticated concealment through encryption poses challenges for cybersecurity experts in analyzing and mitigating the attacks.

From May 8 to June 26, 2023, the enhanced DDoSia tool was deployed in a series of attacks aimed at numerous countries, including Lithuania, Ukraine, Poland, Italy, the Czech Republic, Denmark, Latvia, France, the UK, and Switzerland. These attacks have left a profound mark on a total of 486 unique websites.

Bearing Down on Finance

In recent attacks, NoName057(16) has targeted the financial sector, mainly Ukrainian and Polish financial institutions.

Some of the NoName057(16) 's claim posts about Ukrainian financial organizations — Some of the NoName057(16) ‘s claim posts about Ukrainian financial organizations

Ukrainian financial institutions include

Joint Stock Company “Bank Credit Dnepr,”
State Savings Bank of Ukraine “Oshchadbank,”
Joint Stock Company TASCOMBANK,
Bank JSC “UNIVERSAL BANK,”
Pravex-Bank,
MTB Bank,
Piraeus Bank,
Bank JSB “CLEARING HOUSE,”
IndustrialBank,
Ukrsibbank BNP Paribas Group,
Credit Agricole Bank.

Some of the NoName057(16) 's claim posts about Polish financial organizations — Some of the NoName057(16) ‘s claim posts about Polish financial organizations

In Poland,

PKO Bank Polski,
Bank Pekao,
Plus Bank,
Raiffeisen Bank,
Polish Development Fund (PFR) Ventures, and another Polish Development Fund Group, PFR Towarzystwo Funduszy Inwestycyjnychhas been targeted by NoName057(16).

Cyber Attack on National Bank of Poland

NoName recently launched a cyber attack on Poland, targeting critical infrastructures such as the National Bank of Poland and the Polish Computer Security Incident Response Team (CSIRT GOV) website.

The bank was unable to defend against the Distributed Denial-of-Service (DDoS) attack. Several threat intelligence services confirmed that the bank’s website was inactive for a period of time but became active again later. This attack is the latest in a series of DDoS attacks conducted by NoName against various Polish organizations.

How Does NoName057(16) Group Attack?

Distributed Denial of Service (DDoS) is the group’s primary attack method. To carry out a DDoS attack, botnets are needed. The group has been using the Redline Stealer botnet Bobik, a Remote Access Trojan (RAT), to operate its DDoS attacks. Below is the attack pattern of the NoName057(16) group when the group was using Bobik:

Bobik’s deployment process used by NoName057(16) (Source: Avast)

In September, they released their DDoS service, Project DDoSia, and continue to spread the tool through Telegram groups. Most of their posts include an invitation to participate in Project DDoSia.

One of the DDosia telegram announcements made by NoName057(16)

DDoSia is a volunteer-fueled DDoS program that seems to be a system that can expand its impact with increased volunteers. The group invites volunteers to the DDoSia Project Telegram group, and according to research, successful operations are rewarded in the form of cryptocurrency, which seems to be a move to increase the number of volunteers.

A telegram post in NoName057(16) about DDosia’s rewards

As seen from the group’s Telegram post on January 2023, the 1st most active volunteer will be awarded 80000 rubles, 2nd 50000, 3rd 20000, and the rest of the volunteers will be rewarded according to the number of successful attacks they have made.

A Telegram post by NoName057(16) about why the group prefers DDoS attacks

In January 2023, as seen in the screenshot above, the group shared updates on its Telegram channel and explained why they were using DDosia. It can be seen from these posts that they are targeting Western countries.

When NoName057(16) makes a successful attack, it posts a screenshot of the attacked domain with the country’s flag in the background and a log of the time of attack gathered from check-host.net.

One of the group’s DDos claims by the and shared evidence via check-host.net

Without joining the group, we found a sample of DDoSia with hash “1dfc6f6c35e76239a35bfaf0b5a9ec65f8f50522,” and when we tried to use it, we got the error: “Не удалось прочитать client id, запросите у бота новый клиент.” This error told us it needed a new client to run. This could indicate that the group’s DDoS tool is constantly updated, and they are trying to keep communication within the group alive.

Error message printed when executing an outdated code of “Dosia” on the command line

Which Countries Did NoName057(16) Target?

The group is targeting Ukraine and the NATO countries. Also, we can predict that the group will target the countries which support Ukraine during the war between Ukraine and Russia.

Countries affected by NoName057(16) (Source: SOCRadar)

Percentage distribution of the group’s January attacks by targeted countries (Source: SOCRadar)

Looking at NoName057(16) ‘s claims in January, we can see that more than a quarter of the attacks targeted the Czech Republic. The group offers no reason for these attacks other than “Russophobia.”

Percentage distribution of the group's February attacks by targeted countries (Source: SOCRadar) — Percentage distribution of the group’s February attacks by targeted countries (Source: SOCRadar)

Looking at NoName057(16) ‘s claims in February, close to half (42.5%) of the group’s attacks target Ukraine and Sweden.

In addition, the group mostly targets a few sectors of their targeted countries, as listed below:

Public Administration
Transportation and Warehousing
Finance and Insurance
National Security and International Affairs
Telecommunications
Couriers and Express Delivery Services
Utilities
Commercial Banking

Latest Attacks of the NoName057(16)

According to the SOCRadar research team’s observations, the group makes approximately about 8 claims per day on its Telegram channels and attacks targeting 2 or 3 countries daily. In recent days, DDos attacks targeting Germany, Sweden, Poland, and Estonia have been the majority; however, Ukraine seems to be their main target because, in some of their attacks, they post messages about their current targeted country’s support for Ukraine as the reason for the attack.

Looking at the group’s attacks in recent days, it seems that the group targeted the domains of the Swedish postal and telecommunication services.

NoName057(16)'s recent claim posts about the DDoS attacks in Sweden and Estonia — NoName057(16)’s recent claim posts about the DDoS attacks in Sweden and Estonia

The following day of these activities, by choosing a completely different target, the group targeted German domains such as the Federal Ministry of Transport and Digital Infrastructure of Germany’s website, the German airport Weeze, etc.

NoName057(16)'s recent claim posts about the DDoS attacks in Germany — NoName057(16)’s recent claim posts about the DDoS attacks in Germany

This means the group can choose a different target daily and often post claims independent of past activities.

NoName057(16)’s recent claim posts about the DDoS attacks in Italy and France

In recent attacks, the group has also started targeting Italy and France, and it can be inferred that NoName057(16) is expanding its attack surface.

In May 2023, the group has been carrying out cyberattacks on Denmark. They seem to be retaliating against Denmark’s decision to send 80 Leopard 1 tanks to Ukraine along with Germany. The group has targeted a number of Danish government websites, including the website of the Danish parliament.

NoName057(16)'s recent cyberattacks targeting Denmark. — NoName057(16)’s recent cyberattacks targeting Denmark.

MITRE ATT&CK TTPs

Tactics	Technique	Technique ID
Discovery	System Network Connections Discovery	T1049
Discovery	System Network Connections Discovery	T1016
Command and Control	Application Layer Protocol	T1071
Impact	Network Denial of Service	T1498
Impact	Endpoint Denial of Service	T1499
Persistence	Boot or Logon Autostart Execution	T1547

Conclusion

NoName057(16) only conducts DDoS attacks and so far has not been observed using any other type of attack. However, as they state in their manifesto, they look for companies and organizations that support Ukraine or are “anti-Russian” as their new targets.

It would be an important precaution against this group for companies located in NATO members or countries supporting Ukraine and doing business in the sectors mentioned above to receive DDoS protection services.

Among the industries listed above, manufacturing, energy, finance, insurance industries, and government domains are heavily targeted.

In addition, the following actions can work as a precaution against DDoS:

Restrict the number of connections per IP address.
Set limits on connections per second or lower the threshold.
Control the number of downloads from a single IP address.
Block requests with non-standard User-Agent headers that could be made by automatized tools.
Implement captcha systems in public forms without authentication.
Monitor and detect heavy requests to the databases.

SOCRadar researchers continuously monitor threat actors and update new findings on the Threat Actor page on SOCRadar’s CTI platform. New IoCs found by NoName057(16) threat actors can be tracked on this page.