NoName057(16), a Russian-linked hacktivist group, is intensifying its cyberattacks against NATO member states and European organizations using a sophisticated crowdsourced botnet known as DDoSia. This threat actor, operating with apparent backing from Russian government interests, has been actively launching distributed denial-of-service (DDoS) attacks since March 2022, demonstrating a significant and evolving capability in the cyber warfare landscape.
The group’s operational methodology centers on the DDoSia Project, which leverages Telegram channels to recruit and mobilize volunteers for its attacks. Participants are provided with user-friendly attack tools and incentivized with cryptocurrency, enabling a broad base of individuals, even those with limited technical skills, to contribute to coordinated cyber assaults. This volunteer-driven model has been instrumental in the group’s ability to scale its operations and target a wide array of entities.
NoName057(16) and the DDoSia Project Expansion
NoName057(16) has strategically expanded its influence and operational reach. By 2024, the group forged partnerships with other pro-Russia hacktivist collectives. Notably, the Cyber Army of Russia Reborn later contributed to the formation of Z-Pentest in September 2024. This collaborative approach amplifies their collective impact and broadens their targeting capabilities.
The origins of NoName057(16) are traced to a covert initiative within Russia’s Centre for the Study and Network Monitoring of the Youth Environment (CISM). This connection suggests a degree of state-sponsored support, aligning the group’s activities with broader Russian geopolitical objectives. Their persistent targeting of Western institutions opposing these goals underscores their role as a significant cyber threat.
Technical Mechanism of DDoSia Attacks
Picus Security analysts have detailed a sophisticated two-stage communication protocol that forms the backbone of the DDoSia attack infrastructure. This intricate system is designed for resilience and evasion, making it challenging for defenders to disrupt.
Client Authentication and Target Acquisition
The process begins with client authentication. A DDoSia client initiates communication by sending encrypted system information, including details about the operating system, kernel version, and CPU specifications, to the command-and-control (C2) server via an HTTP POST request to the `/client/login` endpoint. A successful authentication is acknowledged with a 200 OK response that carries a UNIX timestamp confirming the client’s legitimacy.
Following authentication, the client proceeds to the second stage by requesting target configurations. This is accomplished through a GET request to the `/client/get_targets` endpoint. This structured communication allows for discreet and controlled dissemination of attack directives to the botnet.
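As an added illustration (not part of the original article or the Picus analysis), the following Python code scans a constructed, simplified outbound proxy log for the two-stage pattern described above: a POST to `/client/login` answered with 200, followed by a GET to `/client/get_targets` against the same host. The log format, IP addresses, timestamps and the 300-second window are all assumptions made for this example; only the two endpoint paths come from the page.

```python
import re
from collections import defaultdict

# Endpoint paths reported in the Picus analysis (see text above). The log
# format below is a constructed, simplified proxy log, not a real product format.
LOGIN_PATH = "/client/login"
TARGETS_PATH = "/client/get_targets"

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: 10.0.0.5 completes the two-stage sequence; 10.0.0.9 only
# fetches targets without a login; 10.0.0.7's login was rejected (403).
SAMPLE_LOG = """\
1700000000 10.0.0.5 POST 203.0.113.10 /client/login 200
1700000003 10.0.0.5 GET 203.0.113.10 /client/get_targets 200
1700000010 10.0.0.9 GET 203.0.113.10 /client/get_targets 200
1700000020 10.0.0.7 POST 203.0.113.11 /client/login 403
1700000025 10.0.0.7 GET 203.0.113.11 /client/get_targets 200
"""

def parse_log(text):
    """Parse constructed log lines into dicts; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            rec["status"] = int(rec["status"])
            out.append(rec)
    return out

def find_ddosia_sequences(records, window=300):
    """Return {src: (c2_host, login_ts)} for sources that POSTed to /client/login
    (200) and then GETed /client/get_targets from the same host within `window` s."""
    logins = defaultdict(list)   # (src, host) -> timestamps of successful logins
    hits = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["src"], r["host"])
        if r["method"] == "POST" and r["path"] == LOGIN_PATH and r["status"] == 200:
            logins[key].append(r["ts"])
        elif r["method"] == "GET" and r["path"] == TARGETS_PATH:
            for t in logins[key]:
                if 0 <= r["ts"] - t <= window:
                    hits[r["src"]] = (r["host"], t)
                    break
    return hits
```

A lone request to either path is also worth an alert in practice; the function flags only the full sequence so the result is unambiguous.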
Resilient Infrastructure Architecture
The operational infrastructure of DDoSia is an advanced, multi-tiered system built to withstand detection and mitigation efforts. Tier 1 consists of publicly accessible C2 servers that interact directly with DDoSia clients. These servers typically have a short lifespan, averaging approximately nine days, with many being rotated on a daily basis to evade discovery.
Tier 2 comprises backend servers that house the core logic and target lists for the botnet. Access to these backend servers is strictly controlled through access control lists (ACLs), ensuring that only authorized Tier 1 servers can establish connections. This compartmentalization is crucial, as it allows the core infrastructure to remain operational even if Tier 1 nodes are identified and blocked by security measures.
Targeting Patterns and Impact
Analysis of NoName057(16)’s activities reveals a high operational tempo, with an average of 50 unique targets being attacked each day. The timing of these attacks strongly correlates with standard Russian working hours, providing further indication of the group’s origins and operational support structure. The cybersecurity community is closely monitoring these patterns.
Ukraine remains the most frequently targeted nation, accounting for 29.47% of all attacks. Other significant targets include France (6.09%), Italy (5.39%), Sweden (5.29%), and Germany (4.60%). Government sectors bear the brunt of these assaults, representing 41.09% of all targeted entities. The transportation and telecommunications sectors also experience a substantial number of attacks.
The attacks predominantly employ TCP floods and application-layer techniques, with ports 443 (HTTPS) and 80 (HTTP) being the most frequently targeted, accounting for 66% of all attack traffic. This indicates a focus on disrupting web-based services and critical online infrastructure.
The continued activity of NoName057(16) and its reliance on the DDoSia platform highlight the growing trend of crowdsourced cyber warfare. As these groups evolve their tactics and infrastructure, continued vigilance and enhanced defensive capabilities will be paramount for NATO members and European organizations to protect against these persistent threats.