Campaign Analysis: NoName057(16)
January 2024 by NETSCOUT
Shortly after the Russo-Ukrainian conflict began, a new threat actor announced their formation on Telegram along with their manifesto. Their self-declared mission statement was to counteract open hostility towards Russia by targeting NATO-aligned countries. Additionally, they stated an openness to collaborate and claimed they would not target innocent people, though the latter part of that statement has not held true.
Renowned for its widespread cyber operations, NoName057(16) garnered notoriety for developing and distributing custom malware, notably the DDoSia attack tool, the successor to the Bobik DDoS botnet. The group strategically concentrates its efforts on targeting European nations. NoName057(16)’s motives are geopolitical, aligning closely with pro-Kremlin interests.
The threat actor NoName057(16) has likely conducted over 1,500 DDoS attacks since March 2022. It states its mission is countering anti-Russia hostility by targeting NATO-aligned nations, strategically concentrating on Western countries in likely alignment with pro-Kremlin interests.
NoName057(16) heavily utilizes free or low-cost public cloud and web services as a launchpad for DDoS botnets that flood target web servers.
The attacks are almost exclusively HTTP/HTTPS floods meant to consume targets’ bandwidth and resources.
NoName057(16) gamifies DDoS by offering digital currency payments via a service called Project DDoSia to crowd-sourced participants who conduct attacks and rack up "points" as incentivized top performers.
The Czech Republic, Poland, and Spain endured the highest volume of attacks, while the main industries impacted were Transportation & Logistics, Government Administration, and Financial Services.
DDoSia Attack Software
Developed in Golang (originally in Python), DDoSia operates as a heavily multi-threaded application, executing DDoS attacks by overwhelming target sites with many concurrent junk HTTPS requests. Noteworthy is its cross-platform functionality, compatible with Windows, Linux, and macOS systems, reflecting an evident effort to broaden its user base. The tool’s distribution is facilitated through a streamlined onboarding process on Telegram, where individuals register for the initiative and are rewarded with cryptocurrency payments in exchange for supplied attack traffic. Late in November of 2023, the NoName057(16) group took this a step further and created their own cryptocurrency token, dCoin, which can be converted into TON, the cryptocurrency that was the backbone of their prior system. The DDoSia botnet population increased from 400 to almost 10,000 participants in less than a year and is commonly observed to be deployed on cloud infrastructure known for nuisance activities.
Recent NoName057(16) DDoS Attacks
NETSCOUT continuously tracks active DDoS attack campaigns, analyzing the attacks, attack tools, techniques, and target selection criteria. Based on the group’s Telegram activity, we identified the countries, industries, and more than 400 specific websites attacked by the group.
On average, NoName057(16) takes credit for 8 attacks per day. For the last months of 2023, we identified the most-targeted countries (Figure 2) and found that the attacks focused on Eastern Europe and more recently Western Europe.
Within these countries, the most targeted industry is that of critical public infrastructure (Figure 3), namely governmental administration sites.
The Macroscopic View of NoName057(16)
NoName057(16) relies heavily on HTTPS application-layer DDoS attacks, with many attacks repeatedly sourced from the same attack harness, networks, and targeting similar countries and industries.
Observed DDoS Attack Vectors
We analyzed NoName057(16) attack traffic both as observed on-path and as received by the targets. While analysis of NoName057(16)’s DDoSia botnet revealed HTTP and HTTPS flooding capabilities, it is possible that the botnet developers may add additional capabilities in the future.
Capitalizing on NETSCOUT’s global vantage point, we analyzed numerous DDoS attacks by NoName057(16), unveiling patterns in their tactics. Over 50% of the 669 attacks observed during our analysis period fell within our purview. We then delved deeper into a focused subset where granular patterns emerged. Our investigation confirmed HTTPS application-layer attacks as the group’s primary weapon. While successful attacks trigger persistent client traffic as users attempt to reconnect, indicating their effectiveness, most are brief bursts lasting 10 minutes. Notably, we observed at least one prolonged attack spanning an entire day. The direct-path nature and lack of spoofed source IPs point to the attack methods and infrastructure employed.
Distributed But Consolidated Attack Sources
Since anyone can join the DDoSia project and participate in NoName057(16)-directed attacks (which is a criminal offense in most jurisdictions worldwide), we investigated how dispersed the bot population is that actively supports the attacks. To this end, we scrutinized the IP source addresses present in the attack traffic. Because DDoSia is a direct-path attack tool, designed to be run in a non-privileged context, these IP addresses are unlikely to be spoofed. Furthermore, DDoSia’s reporting system tracks not only outgoing but also incoming traffic to assess how successful each participant’s infrastructure is for the purpose of paying out rewards. If the attacks were spoofed, this would no longer be possible.
Analysis of source networks appearing repeatedly across NoName057(16) attacks, as well as hosting large numbers of DDoSia bot nodes, reveals the primary origins of NoName057(16)’s DDoS attack traffic. Figure 4 depicts all source networks that participated in at least one-third of the attacks we deemed high-confidence, harbor at least 10 attack hosts, or both (top right area). Interestingly, we find that although the sources are distributed across 448 unique /24 prefixes, most of these sources consolidate to CDNs and cloud providers primarily serving the general public.
Nuisance CDNs (e.g. bulletproof hosters) are included in this list, but the top two source networks in terms of DDoSia bots are well-known hosting and CDN providers. Although sources on nuisance networks are more stable, recurring over a longer period, we also detect sources on CDN 1 that were abused for a window of up to 10 days, and these reach the highest DDoS throughput rates observed during the study period.
In summary, NoName057(16) attack traffic is predominantly sourced from legitimate CDN and cloud networks which are commonly utilized by legitimate organizations and users. A broad CIDR-based filtering approach to mitigating these attacks is counterproductive in many contexts, as it could potentially result in overblocking of legitimate hosts on those networks. It should also be noted that there is a relatively high degree of dynamism in the DDoSia host populations located on these networks, due to dynamic addressing or CDN providers identifying and shutting down the accounts or blocking the malicious activity.
Identifying Unclaimed NoName057(16) Attacks
By starting with a relatively small sample set of known NoName057(16) attacks and looking for other inbound traffic with multiple matching source addresses, we were able to discover hundreds of attacks, all matching NoName057(16)’s distinct attack modus operandi. Though these attacks have not been directly claimed by any threat actor, the high degree of correlation in attack patterns, tools, and techniques employed by NoName057(16) strongly implies their involvement.
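As an added illustration of the two analyses described above (source-address overlap used to attribute unclaimed floods to the known attack set, and the Figure 4 style filter selecting networks that appear in at least one-third of attacks or host at least 10 bots), here is a small Python script. It is not NETSCOUT's code; the attack sets, source addresses and the prefix-to-network labels are constructed placeholders, and a real pipeline would read flow records and resolve prefixes via a WHOIS/ASN lookup.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample data (not from the report): attack id -> set of source IPs seen in the flood.
KNOWN_ATTACKS = {
    "A1": {"203.0.113.10", "203.0.113.11", "198.51.100.5", "192.0.2.7"},
    "A2": {"203.0.113.10", "203.0.113.12", "198.51.100.5", "192.0.2.9"},
    "A3": {"203.0.113.11", "203.0.113.13", "198.51.100.6"},
}
# Constructed unclaimed inbound floods to test against the known set.
UNCLAIMED = {
    "U1": {"203.0.113.10", "203.0.113.11", "198.51.100.5", "10.9.8.7"},
    "U2": {"10.1.1.1", "10.1.1.2"},
}
# Constructed mapping of /24 prefixes to a network label (stand-in for a WHOIS/ASN lookup).
PREFIX_TO_NETWORK = {
    "203.0.113.0/24": "CDN 1",
    "198.51.100.0/24": "cloud provider",
    "192.0.2.0/24": "nuisance hoster",
}

def prefix24(ip):
    """Collapse a source address to its /24 prefix, the unit the report counts sources by."""
    return str(ip_network(f"{ip}/24", strict=False))

def attribute_unclaimed(known, unclaimed, min_shared=2):
    """Return unclaimed attacks sharing at least min_shared source IPs with some known attack."""
    attributed = {}
    for uid, srcs in unclaimed.items():
        shared, kid = max(((len(srcs & k), kid) for kid, k in known.items()), default=(0, None))
        if shared >= min_shared:
            attributed[uid] = {"matched_known": kid, "shared_sources": shared}
    return attributed

def network_stats(attacks, prefix_map):
    """Per network: number of distinct bot hosts and fraction of attacks it took part in."""
    hosts, appearances = defaultdict(set), defaultdict(set)
    for aid, srcs in attacks.items():
        for ip in srcs:
            net = prefix_map.get(prefix24(ip), "unknown")
            hosts[net].add(ip)
            appearances[net].add(aid)
    total = len(attacks)
    return {net: {"hosts": len(hosts[net]), "share": len(appearances[net]) / total} for net in hosts}

def primary_sources(stats, min_share=1 / 3, min_hosts=10):
    """Figure 4 style filter: networks in >= min_share of attacks, or hosting >= min_hosts bots, or both."""
    return sorted(net for net, s in stats.items() if s["share"] >= min_share or s["hosts"] >= min_hosts)
```

Because the selected networks are shared CDN and cloud providers, the output is meant to guide host-level or request-level mitigation rather than prefix-wide blocking, which the report notes would overblock legitimate users.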
The Microscopic View of NoName057(16)
Confirmed Attack on a NETSCOUT Customer
We now provide a microscopic view of a confirmed NoName057(16) attack. This attack spread across multiple waves during a single day. Based on snapshots of 5,000 packets each, including all network information, we analyzed the attack sources as well as the impact.
The CDN 1 network significantly contributed to the attack in terms of numbers of distinct attack sources (Figure 5). Since its hosts exhibit the highest observed packet rates (on average 500 pps/host, with a maximum of 2600 pps/host), this cloud provider is responsible for most of the observed attack traffic (Figure 6). After the first wave, almost no new CDN 1 hosts are utilized by the attackers (Figure 7). This implies that CDN 1 requires a minimum of 4 hours to detect and mitigate the exploitation of a host by the DDoSia botnet.
Attack Validation from Deutsche Telekom AG (DTAG)
NoName057(16) often targets organizations based in Germany. Accordingly, the experts working for the country’s largest network provider deal with these actors on a regular basis. Together with Deutsche Telekom, we analyzed the top 5 attack source networks in terms of attack traffic throughput for three confirmed attacks on German targets (Figure 8). We found that CDN 1 is the top source of attack traffic, with DDoSia nodes generating attack volumes that are up to an order of magnitude larger than the next-highest contributing network.
NoName057(16) is a prolific, ideologically motivated DDoS threat actor which makes use of well-known DDoS attack vectors, coupled with an innovative gamified attack participant recruiting methodology. By encouraging ideologically motivated volunteers to deliberately provision cloud computing and VPS nodes with their bespoke multi-platform DDoS-capable botnet, NoName057(16) has essentially outsourced the growth and maintenance of its attack infrastructure, while at the same time making it more challenging for defenders to successfully mitigate attacks, because these botnet nodes sit on the networks of popular, well-known shared computing, content, and networking services.
Organizations which implement industry best current practices (BCPs) in conjunction with NETSCOUT’s Sightline/TMS and AED DDoS defense solutions can successfully mitigate DDoS attacks initiated by NoName057(16) and other DDoS threat actors, including Minute-Zero DDoS attack vectors which have not previously been observed.