A group of pro-Russian hackers is using Telegram and GitHub to launch distributed denial-of-service attacks against Ukraine and several NATO countries.
Researchers at SentinelOne said that as recently as this week they found the group – called NoName057(16) – targeting the websites of candidates in the 2023 Czech presidential election as well as businesses and organizations across Poland and Lithuania. The group is also responsible for disrupting services this week across Denmark’s financial sector.
“The most interesting part was a combination of the long term persistence of the group, and the DDoS collaborator payment program,” Tom Hegel, senior threat researcher at SentinelOne, told The Record. Through that model, people are paid in exchange for launching DDoS attacks.
“This combination clearly attracts more people to join the attacks, not only for political reasons, but rather the potential financial gain.”
While other pro-Russian hacking groups like Killnet have gotten extensive coverage by international news outlets, NoName057(16) has quietly launched dozens of attacks against European countries and Ukraine.
The group started out attacking Ukrainian news websites such as Zaxid and Fakty after Russia began its full-scale invasion in February 2022.
SentinelOne said the group mostly operates through Telegram, taking responsibility for attacks and threatening others in messages to followers.
“Peak viewership of their posts occurred in July 2022, when they reached approximately 14,000 readers with nearly 100% engagement rate. Today, daily average reach is roughly 2-3,000 and engagement in the range of 10-20%, signifying that the group is becoming less relevant to their followers and to Telegram users as a whole,” the researchers said, noting that the group makes about six posts each day.
“This may be explained in part by the fact that many similar hacktivist groups exist, have gained more attention, and are often more impactful in their objectives.”
While the group typically touts its attacks and notoriety, SentinelOne found that its DDoS incidents cause “short-lived disruption with little to no wider consequence.”
The researchers explained that the group has also used GitHub to host their DDoS tool website dddosia.github[.]io for free and other repositories for “hosting the latest version of their tools as advertised in the Telegram channel.”
Two profiles on the site – dddosia and kintechi341 – were reported by the researchers to GitHub’s Trust & Safety team.
A spokesperson for GitHub said they disabled the accounts “in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or uses GitHub as a means to deliver malicious executables.”
The researchers reported the Telegram accounts and channels but did not say whether they have been removed.
The group picks its targets based on political events, according to SentinelOne. NoName057(16) attacked Poland after it officially recognized Russia as a state sponsor of terrorism, and this month has targeted cargo and shipping organizations in Lithuania because of the country’s ongoing dispute with Russia over train and port usage.
The group has most recently gone after the 2023 Czech presidential elections, which will be held on Friday and Saturday. They targeted the websites of candidates Pavel Fischer, Marek Hilšer, Jaroslav Bašta, General Petr Pavel, and Danuše Nerudová, as well as the Ministry of Foreign Affairs.
Tactics and tools
The researchers said the group uses an application called DDOSIA that repeatedly sends network requests to a target until the server can no longer keep up. The tool is easy to use: a participant simply selects a target and launches the attack.
It is constantly updated and even tracks statistics on operational success, counting “the total and the number of successful network requests sent to each target site.”
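The mirror image of that statistic is what a defender sees in their own access logs: one source repeating the same request far faster than any browser would, and, once the server saturates, a rising share of error responses. The following is an added example written for this article, not code from SentinelOne or from the group's tooling. It assumes the Apache/nginx Combined Log Format, uses a hypothetical per-source sliding-window threshold, and runs over constructed log lines rather than captured traffic.

```python
"""Spot HTTP-flood sources in web-server access logs.

Added illustration for this article; it is not SentinelOne's code and not the
group's DDOSIA tool. It assumes the Apache/nginx Combined Log Format, and the
sample log lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one Combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def find_flood_sources(lines, window_seconds=10, threshold=50):
    """Flag source IPs that exceed `threshold` requests inside any sliding
    window of `window_seconds` (hypothetical defaults). Returns
    {ip: {"peak": n, "total": n, "ok": n}}, where "ok" counts 2xx responses,
    the same 'successful request' notion a flood tool tracks from its side."""
    recent = defaultdict(deque)           # ip -> timestamps inside current window
    totals = defaultdict(lambda: [0, 0])  # ip -> [requests, 2xx responses]
    peak = {}                             # ip -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # evict timestamps older than the window
        totals[ip][0] += 1
        if 200 <= rec["status"] < 300:
            totals[ip][1] += 1
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {
        ip: {"peak": n, "total": totals[ip][0], "ok": totals[ip][1]}
        for ip, n in peak.items()
    }


def build_sample_log():
    """Constructed log: one client sending 10 requests/s for 30 s (the server
    starts answering 503 after 20 s), one normal visitor, one malformed line."""
    tz = timezone(timedelta(hours=1))
    base = datetime(2023, 1, 12, 10, 0, 0, tzinfo=tz)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'
    lines = []
    for sec in range(30):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        status = 200 if sec < 20 else 503
        lines += [fmt.format(ip="203.0.113.7", ts=ts, status=status)] * 10
    for sec in (1, 7, 15, 22, 28):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.2", ts=ts, status=200))
    lines.append("garbage line that does not match the format")
    return lines


if __name__ == "__main__":
    for ip, stats in find_flood_sources(build_sample_log()).items():
        print(f"{ip}: peak {stats['peak']} req/window, "
              f"{stats['total']} total, {stats['ok']} answered 2xx")
```

On the constructed log the flooding client is flagged with a peak of 110 requests in a 10-second window while the normal visitor is not, and the drop in its 2xx count after the server starts returning 503 is the point at which a tool counting "successful" requests would also register the disruption. A single-host threshold like this catches one over-eager participant; a distributed campaign spreads the same volume across many sources, so in practice the same window logic is also applied per URL path and per network prefix.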
#NoName057, the Pro-Russia #hacking group, claims to have launched #DDoS attacks against several Czech Republic government websites, including two Ministry of Foreign Affairs (@CzechMFA) subdomains… pic.twitter.com/xA6S65Z1Rc— BetterCyber (@_bettercyber_) January 12, 2023
“This is likely associated with how the group makes use of a volunteer profit program. They distribute cryptocurrency to the top DDoS contributors, encouraging people to contribute more technical resources for a more powerful attack,” the researchers said.
“Versions of the tool for macOS and Linux have also been developed. Android versions of the tool can also be found; however, the primary distribution of the group has not officially supported mobile.”
SentinelOne warned that the group is yet another hacktivist organization emblematic of the “increased interest in volunteer-fueled attacks” — with the added bonus that the most successful attackers now get paid.