As Ukraine and its allies find themselves in the crosshairs of Russian hacking groups, the cyber realm has become a virtual battlefield of strategic warfare. Among them, a series of politically motivated distributed denial-of-service (DDoS) attacks by the pro-Russian hacktivist group NoName057(16) has resulted in a wave of public coverage detailing the group’s operations. While cyber threat analysts have paid much attention to the technical components, and media reports have covered much of the political outfall of the DDoS attacks, little has been said about the group’s persona.
As of this writing, NoName057(16) is the most active pro-Russian DDoS group hitting Western websites. With 1174 attacks against targets in 32 Western countries, the group was responsible for 31% of all pro-Russian DDoS campaigns in the first half of 2023. Yet, what is rather unusual about NoName057(16) is its continuous effort to build an online community of comrades and the strategies they employ to do so.
NoName057(16) has come a long way since May 2022, when Western media referred to it as a “little-known hacker group.” In the past year, the group has gone from a seemingly harmless rogue operation to an organized collective of volunteer cyber partisans. With nearly 60,000 subscribers to its Telegram channel and over 15,000 subscribers to its Telegram bot, NoName057(16) appears to have been successful in building an online community. This can in part be attributed to the group’s distinct technical targeting process, that uses volunteers to download and install a bot on their devices to carry out its DDoS attacks.
Unlike other groups, NoName057(16) provides financial incentives to motivate individuals to join its crowdsourced botnet project, DDoSia, which was launched on Telegram in July 2022. Has NoName057(16) created a new niche in the hacking community? Let’s have a look.
Who does NoName057(16) target?
NoName057(16) first appeared on Telegram on March 11, 2022. By June 22, 2022, the group had amassed 10,000 subscribers. In its first post, the group boasted about its successful DDoS attacks against Ukrainian websites. NoName057(16) also provided insight into its goals and strategy, which was centered on targeting any Ukrainian media resources that “engage in pernicious Russophobic propaganda.” Six months later, the group also created a Telegram channel in English, likely to extend its audience base. In the beginning, NoName057(16) was focused on targeting Ukrainian newspaper and TV channel websites, as well as individual journalists. In June 2022, the group shifted its targeting. NoName057(16)’s attacks became more news-driven, evidenced by the increased targeting of government websites in Estonia, Lithuania, and Poland.
The group stated, “…our team has expanded the geography of DDoS attacks. Now NoName057(16) conducts raids on the websites of all countries unfriendly to Russia.” This message was subsequently reinforced in the group’s manifesto, published on July 26, 2023, which attributed “Russophobia” as a justification for its actions.
Now, NoName057(16) targets any country that expresses support for Ukraine, focusing primarily on government websites, banks, and energy providers. Whereas other groups have come and gone, NoName057(16) has been consistent in its activities for the past 18 months, conducting at least one DDoS attack per day. The group rarely diverts from its systematic attack procedure, which is commonly linked with the news cycle, but when they do it is reactive. For example, on December 15, 2022, the group carried out a DDoS attack on the Polish Parliament website after Poland recognized Russia as a state sponsor of terrorism.
The group’s modus operandi seems to encompass three components: disinformation, intimidation, and chaos creation. The disinformation component is evidenced by the continuous attacks against numerous Ukrainian media sources. The intimidation component consists of repeated attacks against the same target. As NoName057(16) puts it: “repetition is the mother of learning.” Lastly, chaos creation is evidenced by the 70-plus DDoS attacks against Spain during the weeks prior and immediately after the country’s general election in July 2023. Similar events took place leading up to the Czech presidential election in January and the Polish parliamentary elections in October.
NoName057(16) has no enigmatic leader and there is no evidence for who financially sponsors the group, or if they have government linkages. It is characterized by its military-like discipline and the calculated, repetitive nature of its attacks. The group is far more rigorous in its target reconnaissance than any other pro-Russian hacktivist group. It also publishes evidence of the global unavailability of the targeted websites on the CheckHost website, most likely to boost their own ego.
What is also unique about the group is its technical targeting process that is completely reliant on volunteers to carry out its DDoS operations. A target list is updated daily and is distributed by the group administrators via encrypted C2 servers. The execution of the attacks, therefore, relies on a group of Russian sympathizers who volunteer their private devices and who are paid in cryptocurrency for their participation. Many questions remain regarding who is responsible for choosing the targets and uploading the list, but there is a strong possibility a core group of individuals make these executive decisions. Also peculiar is that unlike any other hacking group in the Russo-Ukrainian conflict, NoName057(16) does not restrict its user base and is willing to mix ideology with financial incentives to recruit individuals to join their efforts.
How NoName057(16) brands itself
NoName057(16) launched its crowdsourced botnet, DDoSia, in July 2022. To make the attack toolkit more accessible, it also has a Telegram channel both in Russian and English for instructions and support. Its toolkit was also hosted on GitHub until recently, but it has since been taken down, which is curious given the volume of illicit content that continues to be made available on the website.
A parallel can be drawn between the cyber operations of NoName057(16) and the IT Army of Ukraine, which also has a fully automated DDoS bot that targets Russian organizations. What sets NoName057(16) apart is its integrated payment platform, which is hard to track since the group uses the open-source cryptocurrency TON for payouts. Experts from Radware, a cybersecurity provider, claim it is “basically untraceable.”
NoName057(16) therefore engages individuals in a gamification challenge that consists of downloading and installing the DDoSia bot on their devices, which allows the group to generate higher DDoS traffic. On September 20, 2023, the group teased the idea of releasing its own cryptocurrency for the DDoSia project. This has now become a reality. On November 24, 2023, NoName057(16) announced dCoin, an electronic currency equal to one Russian ruble, which can be withdrawn and converted into TON that volunteers can then send to their crypto wallet. The group further explained that volunteers will be compensated based on their contribution to the attacks or “combat merit,” as well as their rank. The introduction of dCoin makes the group’s payout platform even more elusive and demonstrates the extent to which NoName057(16) is willing to go to create a unique brand for itself.
Moreover, the group thrives on media attention and regularly reposts screenshots of news articles they are mentioned in, as demonstrated in a recent post captioned “they write about us,” followed by a winky face emoji. Such actions also reiterate the working pattern of the group. It appears that the structure is horizontal, given that targets are chosen by an unknown group of administrators, but it is also vertical, because the group relishes on success reporting reinforced by lexicon such as “we” and “friends”, coupled with frequent posts detailing the successes of other pro-Russian hacking groups. These efforts are further reinforced by NoName057(16)’s posts about IT sector news, as well as educational content followed by the hashtag #InfoWithout or #Info-freesuch as, for example, informative posts about Public Key Infrastructure.
Ironically, this series of posts also includes information on how to combat new cybersecurity threats and how to protect yourself from cyber extortion. In 2022, the group even conducted polls to ask its followers questions such as, “Are we continuing to torment Lithuania?” Finally, perhaps the most innovative branding attempt by NoName057(16) is the development of Telegram emoticon-stickers with its signature bear and bear claw, and increasing user engagement via sticker pack competitions for the group’s Telegram subscribers.
How NoName057(16) trolls the West
Besides the group’s clearer objective to disrupt and create inconveniences for its victims, a persistent trend has been its online trolling of Westerners. For example, on October 9, 2023, NoName057(16) posted a meme poking fun at Microsoft for spying on its users, with Google, Apple, and Linux appearing relatively inferior in their espionage tactics. The use of stickers themselves is a form of trolling, wherein usually the Russian bear is dominating its Western counterpart.
GIFs of Western leaders holding the Russian flag is another attempt at provocation. The group also made fun of the antivirus company Avast with an image captioned “the most useless things,” showing a deformed spoon, fork, and key, along with the Avast logo. Another interesting element of the group is its ambiguous relationship with the Killnet group. NoName057(16) has gone from posting about how Killnet is doing “everything right” to threatening a journalist for suggesting a potential affiliation between the two groups to more recently declaring a joint attack with a multitude of groups, including Killnet.
The objective behind this attitude is most likely to humiliate Western threat intelligence companies who have labeled NoName057(16) as a “lone wolf DDoS group.” After all, the name NoName057(16) can be considered a form of trolling, as the group has not explained the origins of its name.
What is the future of NoName057 and its influence on other hacking groups?
What comes next for NoName057(16)? It appears the group is here to stay as it updates and ameliorates its capabilities, and as its DDoS attacks become more sophisticated. Over the past 18 months, the group has evolved from a small initiative to a thriving pro-Russian hacking community. NoName057(16) has been able to recruit thousands of “cyber militia” who actively support the Russian regime, which has progressively allowed them to carry out DDoS attacks on a larger scale.
Does the group pose a severe security threat to the West? On the one hand, NoName057(16) has become better at choosing which services to target, with a growing focus on websites belonging to critical infrastructure companies. On the other hand, the group mostly stuck to the same targeting strategy, which has become repetitive and low impact. Despite the group’s illusions of grandeur, NoName057(16) is not a top-tier threat actor and thus far it has only been observed carrying out short-lived DDoS attacks.
What stands out about NoName057(16) is how it has created a new niche in the hacking community: a platform that remunerates volunteers for their participation that other hacking groups are likely to replicate. The group’s development of a vertically integrated business model that leverages crypto rewards to attract individuals has proven highly efficient.
So far, the consequences of this new form of gamification remain unknown, leaving many open questions about the future of the group. Will the NoName057(16) community continue to grow? Or will a plethora of copycats emerge and take its place? Does the group have a future beyond the Russo-Ukraine war? If so, what will its targeting procedure be?