Current Cyber Threats

NoName057(16)'s Hackers Attacked 3,700 Unique Devices Over Last Thirteen Months

Summary:
NoName057(16) is a pro-Russian hacktivist group that emerged in March 2022, right around the time the Russia-Ukraine conflict began. Since then, NoName057(16) has been actively launching DDoS attacks against targets of interest not only in Ukraine but also against entities in European nations opposing Russia's invasion, such as France and Sweden. Between June 2024 and July 2025, Recorded Future observed the group attacking an average of 50 unique hosts per day, with 3776 distinct hosts targeted in total over the period. The government and public sectors were the most targeted, comprising 41.09% of attacks, followed by the transportation and logistics, technology, and media and communications sectors.

As a hacktivist group, NoName057(16)'s activities align with the interests of Russia. This has been reiterated in NoName057(16)'s public communications on Telegram, where the group has framed its attacks as revenge for actions taken by Russia's adversaries. In the past, the group launched attacks on Lithuanian infrastructure as "revenge for Kaliningrad" after the European Union imposed sanctions. The group was also observed targeting Danish financial institutions in light of Denmark's support for Ukraine, highlighting a pattern of NoName057(16) disrupting entities acting against Russia and its geopolitical objectives.

Security Officer Comments:
According to Recorded Future, NoName057(16) employs a custom DDoS tool dubbed "DDoSia," a successor to an earlier botnet called Bobik. The Go-based tool is designed to facilitate application-layer DDoS attacks by sending target websites a high volume of junk requests. The DDoSia client has a user-friendly interface and operates on a volunteer-driven model in which individuals opt in to use the tool to launch DDoS attacks. Essentially, the "operators" or developers behind the DDoSia project create a list of targets for NoName057(16), which the client retrieves from the C2 server, while "volunteers" are responsible for launching the attacks in exchange for rewards such as cryptocurrency. Overall, this model has proven effective, contributing to the large influx of DDoS attacks in recent months.

Suggested Corrections:
There are several methods to counter DDoS attacks:

Sinkholing: In this strategy, all incoming traffic is redirected to a "sinkhole" where it's discarded. However, this approach has a drawback as it eliminates both legitimate and malicious traffic, resulting in a loss of actual customers for the business.

Routers and Firewalls: Routers can help by filtering out nonessential protocols and invalid IP addresses, but they become less effective when a botnet employs spoofed IP addresses. Firewalls face similar challenges when dealing with IP address spoofing.

Intrusion-Detection Systems (IDS): These solutions employ machine learning to identify patterns and automatically block traffic through a firewall. While powerful, they may require manual adjustments to avoid false positives.

DDoS Mitigation Appliances: Various vendors offer devices designed to sanitize traffic through techniques like load balancing and firewall blocking. However, their effectiveness varies, as they may block legitimate traffic and allow some malicious traffic to pass through.

Over-provisioning: Some organizations opt for extra bandwidth to manage sudden traffic spikes during DDoS attacks. Often, this additional bandwidth is outsourced to a service provider who can scale up during an attack. However, as attacks grow in scale, this mitigation approach may become less cost-effective.

These methods represent different strategies organizations employ to defend against DDoS attacks, each with its advantages and limitations.
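The volunteer-driven model described in the Security Officer Comments means many sources each send a modest number of junk requests, so a per-source threshold alone can miss the flood while a per-path (aggregate) threshold catches it. The following sliding-window detector over constructed HTTP access-log lines illustrates both checks; it is an added example, not code from the page or from Recorded Future, and the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ip> [<dd/Mon/yyyy:HH:MM:SS>] \"GET <path> HTTP/1.1\" <status>"
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse(line):
    """Return (ip, timestamp, path, status) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path, int(status)

def detect_floods(lines, window_s=10, per_ip_limit=20, per_path_limit=100):
    """Flag sources exceeding per_ip_limit and paths exceeding per_path_limit
    within a sliding window. Lines are assumed to be in chronological order.
    The per-path check is what catches many low-rate volunteers hitting one URL."""
    window = timedelta(seconds=window_s)
    ip_hits, path_hits = defaultdict(deque), defaultdict(deque)
    flagged_ips, flagged_paths = set(), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, _status = rec
        for key, store, limit, out in ((ip, ip_hits, per_ip_limit, flagged_ips),
                                       (path, path_hits, per_path_limit, flagged_paths)):
            q = store[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop hits that fell out of the window
                q.popleft()
            if len(q) > limit:
                out.add(key)
    return flagged_ips, flagged_paths

def build_sample_log():
    """Constructed sample: one noisy client, 50 quiet clients sharing one path, some benign traffic."""
    base = datetime(2025, 7, 1, 12, 0, 0)
    fmt = lambda ip, t, path, st: f'{ip} [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {st}'
    lines = [fmt("203.0.113.7", base + timedelta(seconds=i % 6), "/", 200) for i in range(30)]
    lines += [fmt(f"198.51.100.{n}", base + timedelta(seconds=(n * 3 + k) % 10), "/login", 503)
              for n in range(1, 51) for k in range(3)]        # 150 hits, 3 per source
    lines += [fmt("192.0.2.10", base + timedelta(seconds=s), "/about", 200) for s in (1, 4, 9)]
    lines.sort(key=lambda l: parse(l)[1])                      # logs are read in time order
    return lines

if __name__ == "__main__":
    print(detect_floods(build_sample_log()))   # ({'203.0.113.7'}, {'/login'})
```

The quiet sources never trip the per-IP limit; only the aggregate per-path count exposes the distributed flood, which is why rate limits should be applied at more than one granularity.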

Link(s):
https://www.recordedfuture.com/research/anatomy-of-ddosia