Avast researchers have been tracking a pro-Russian hacker group called NoName057(16) since June 1, 2022. The group — which exclusively carries out DDoS attacks — has evolved throughout the Ukraine war, first targeting Ukrainian news servers and then government-owned websites including utility companies, armament manufacturers, transportation companies, and postal offices. They also have targeted pro-Ukrainian companies and institutions in neighboring countries, including Estonia, Lithuania, Norway, and Poland, with the aim of taking down infrastructure.

By mid-June, the attacks became more politically motivated. Baltic states (Lithuania, Latvia, and Estonia) were significantly targeted. Following a ban on the transit of goods subject to EU sanctions through their territory to Kaliningrad, the group targeted Lithuanian transportation companies, local railway, and bus transportation companies. 

On July 1, 2022, the transportation of goods destined to reach miners employed by the Russian government-owned coal mining company, Arktikugol, was stopped by Norwegian authorities. In response, the group retaliated by attacking Norwegian transportation companies (Kystverket, Helitrans, Boreal), the Norwegian postal service (Posten), and Norwegian financial institutions (Sbanken, Gjensidige). 

In early August, after Finland announced their intention of joining NATO, NoName057(16) went after Finnish government institutions, like the Parliament of Finland (Eduskunta), State Council, and Finnish police.

All sound, little fury: DDoS attacks with negligible impact

NoName057(16) actively boasts about their successful DDoS attacks to their more than 14K followers on Telegram. Their channel was created on March 11, 2022. The group only reports successful DDoS attacks.  

Further reading: Russian disinformation spreading across the globe

“Although the group’s reported number of successful attacks seems large, statistical information indicates the contrary,” explains Martin Chlumecky, malware researcher at Avast. “The group’s success rate is 40%. Websites hosted on well-secured servers can withstand the attacks. Around 20% of the attacks the group claims to be responsible for did not match the targets listed in their configuration files.”

The group controls unprotected PCs around the world infected with malware called Bobik, which act as bots. Bobik first emerged in 2020 and was used as a remote access tool in the past. The malware is distributed by a dropper called Redline Stealer, which is a botnet-as-a-service cybercriminals pay for to spread their malware of choice.

The group sends commands to its bots via a C&C server located in Romania. Formerly, the group had two additional servers in Romania and Russia, but these are no longer active. The bots receive lists of targets to DDoS, in the form of XML configuration files, which are updated three times a day. They attempt to overload login pages, password recovery sites, and site searches. The attacks last a few hours to a few days. 

The group's most successful attacks leave sites down for several hours to a few days. To handle the attacks, smaller and local site operators often resort to blocking queries coming from outside of their country. In extreme cases, some site owners targeted by the group unregistered their domains.

“The power of the DDoS attacks performed by NoName057(16) is debatable, to say the least. At one time, they can effectively strike about thirteen URL addresses at once, judging by configuration history, including subdomains,” continues Martin Chlumecky. “Furthermore, one XML configuration often includes a defined domain as a set of subdomains, so Bobik effectively attacks five different domains within one configuration. Consequently, they cannot focus on more domains for capacity and efficiency reasons.” 

NoName057(16)’s more successful attacks affected companies with simple, informational sites, including just an about, mission, and a contact page, for example. The servers of sites like these are not typically designed to be heavily loaded and often do not implement anti-DDoS techniques, making them an easy target.

How businesses and consumers can protect themselves

Businesses can protect their sites from DDoS attacks with specialized software and cloud protection.  

Consumers can prevent their devices from being used as part of a botnet by using reliable antivirus software, like Avast Free Antivirus, which detects and blocks malware like Bobik. Further steps consumers can take to protect their devices include avoiding clicking on suspicious links or attachments in emails and updating software on a regular basis to patch vulnerabilities. 

It is very difficult to recognize if a device is being used to facilitate a DDoS attack, but an indication could be high network traffic going to an unknown destination.

More information about the group, Bobik malware, and the DDoS attacks can be found on the Avast Decoded blog.