Pro-Russian hacker group hits Ukraine and supporters with DDoS attacks

The Avast research team has been tracking the activity of NoName057(16), a hacking group known to exclusively carry out distributed denial of service (DDoS) since 1 June 2022. Researchers found the group targeted Ukrainian news servers and then focused on websites within Ukraine, belonging to cities, local governments, utility companies, armament manufacturers, transportation companies, and postal offices.

By mid-June, the attacks became more politically motivated, with the group performing attacks on critical infrastructure websites. The Baltic states (Lithuania, Latvia, and Estonia) have been significantly targeted by NoName057(16).

Following a ban on the transit of goods subject to European Union sanctions through their territory to Kaliningrad, NoName057(16) took aim at Lithuanian transportation companies, local railway, and bus transportation companies.

On 1 July 2022, the transportation of goods destined to reach miners employed by the Russian government-owned coal mining company Arktikugol was stopped by Norwegian authorities. In response, the Avast research team has found NoName057(16) retaliated by attacking Norwegian transportation companies (Kystverket, Helitrans, Boreal), the Norwegian postal service (Posten), and Norwegian financial institutions (Sbanken, Gjensidige). In early August, after Finland announced their intention of joining NATO, NoName057(16) went after Finnish government institutions, like the Parliament of Finland (Eduskunta), State Council, and Finish police.

NoName057(16) actively boast about their successful DDoS attacks to over 14,000 Telegram followers. Their channel was created on 11 March 2022 and the group only reports successful DDoS attack campaigns.

Martin Chlumecky, a malware researcher at Avast, explains that although the group’s reported number of successful attacks seems large, statistical information indicates the contrary despite the group's alleged success rate of 40 per cent.

"We compared the list of targets the C&C server sends to the Bobik bots to what the group posts to their Telegram channel.

VIEW ALL

"Websites hosted on well-secured servers can withstand the attacks.

"Around 20 per cent of the attacks the group claims to be responsible for did not match the targets listed in their configuration files," Chlumecky said.

Bobik bots act as soldiers

The group controls unprotected PCs around the world infected with malware called Bobik, which act as bots. Bobik first emerged in 2020 and was used as a remote access tool in the past. The malware is distributed by a dropper called Redline Stealer, which botnet-as-a-service cyber criminals pay for to spread their malware of choice.

Avast has protected a few hundred PCs from Bobik but Chlumecky, however, estimates there are several thousand Bobik bots in the wild, considering the effectiveness and frequency of attacks.

The group sends commands to its bots via a C&C server located in Romania. Formerly, the group had two additional servers in Romania and Russia, but these are no longer active. The bots receive lists of targets to DDoS, in the form of XML configuration files, which are updated three times a day. They attempt to overload login pages, password recovery sites, and site searches. The attacks last a few hours to a few days.

Impact of the attacks

The group's most successful attacks leave sites down for several hours to a few days. To handle the attacks, smaller and local site operators often resort to blocking queries from outside their country. In extreme cases, some site owners targeted by the group unregistered their domains.

According to Chlumecky, the power of the DDoS attacks performed by NoName057(16) is debatable, to say the least.

"At one time, they can effectively strike about 13 URL addresses at once, judging by configuration history, including subdomains.

"Furthermore, one XML configuration often includes a defined domain as a set of subdomains, so Bobik effectively attacks five different domains within one configuration.

"Consequently, they cannot focus on more domains for capacity and efficiency reasons," Chlumecky said.

The DDoS attacks carried out were more difficult to handle for some site operators of prominent and significant domains, such as banks, governments, and international companies.

After a successful attack, Avast researchers noticed larger companies implementing enterprise solutions, such as Cloudflare or BitNinja, which can filter incoming traffic and detect DDoS attacks in most cases. On the other hand, most large, international companies expect heavier traffic and run their web servers in the Cloud with anti-DDoS solutions, making them more resilient to attacks. For example, the group was unsuccessful in taking down sites belonging to Danish bank Danske Bank (attacked 19-21 June 2022) and Lithuanian bank SEB (attacked 12-13 July 2022 and 20-21 July 2022).

The Avast research further explained that NoName057(16)’s more successful attacks affected companies with simple, informational sites, including about us, mission, and contact pages, for example. The servers of sites like these are not typically designed to be heavily loaded and often do not implement anti-DDoS techniques, making them an easy target.

How businesses and consumers can protect themselves

The Avast researchers suggest businesses can protect their sites from DDoS attacks with specialised software and cloud protection.

Consumers can prevent their devices from being used as part of a botnet by using reliable antivirus software. Further steps consumers can take to protect their devices include avoiding clicking on suspicious links or attachments in emails and updating software on a regular basis to patch vulnerabilities.

It is very difficult to recognise if a device is being used to facilitate a DDoS attack, but an indication could be high network traffic going to an unknown destination.

[Related: Clare O’Neil's push for cyber security migration visas]