NoName057(16) since June 1, 2022. The group's attacks respond to current political situations, targeting companies and institutions in Ukraine and organizations in neighboring countries such as Estonia, Lithuania, Norway and Poland.
According to Avast's research, the group has a 40 percent success rate with its DDoS attacks. Companies with a sufficiently well-protected infrastructure were able to resist the attack attempts. Avast researchers also found that 20 percent of the successes claimed by the group relate to attacks that did not originate from NoName057(16).
The goals of NoName057(16)
NoName057(16) only performs DDoS attacks. In early June, the group targeted Ukrainian news servers. They then focused on websites of cities, local governments, utilities, weapons manufacturers, transportation companies and post offices in Ukraine. The following points show, in the respective political context, how the attacks spread to other countries:
- In mid-June, the attacks in other pro-Ukrainian states also became increasingly politically motivated. The Baltic states (Lithuania, Latvia and Estonia) are particularly affected.
- Following EU sanctions on the movement of goods through the Russian Baltic Sea enclave of Kaliningrad, the hacker group targeted Lithuanian transport companies as well as local rail and bus companies.
- intended for miners at the Russian state-owned coal mining company Arktikugol. The group then attacked Norwegian transport companies (Kystverket, Helitrans, Boreal), the Norwegian postal service (Posten) and financial institutions (Sbanken, Gjensidige).
- In early August, after Finland announced its intention to join NATO, NoName057(16) attacked Finnish government institutions such as the Finnish Parliament (Eduskunta), the State Council and the Finnish police.
Success rate 40 percent
NoName057(16) actively brags about its successful DDoS attacks to its 14,000+ followers on Telegram. The channel was created on March 11, 2022. The group only reports here on successful DDoS attacks that are allegedly attributable to it.
“Although the number of successful attacks reported by the group appears high, statistical information suggests the opposite,” explains Martin Chlumecky, malware researcher at Avast. “NoName057(16)’s success rate is 40 percent. We compared the list of targets that the C&C server sends to the Bobik bots with the alleged successes that the group posts on its Telegram channel. Websites hosted on well-secured servers can resist the attacks. About 20 percent of the attacks the group claims to be responsible for did not match the targets listed in their configuration files.”
Bobik bots act like soldiers
The hacking group controls unprotected PCs around the world that are infected with the Bobik malware and act as bots. Bobik first appeared in 2020 and has been used as a remote access tool in the past. The malware is distributed by a dropper called Redline Stealer, a botnet-as-a-service that cybercriminals pay to distribute the malware of their choice. Avast has protected hundreds of PCs from Bobik. However, Avast researcher Martin Chlumecky estimates that there are several thousand Bobik bots in circulation, given the effectiveness and frequency of the attacks.
Specifically, the group sends commands to its bots via a C&C server in Romania. The group previously had two other servers in Romania and Russia, but these are no longer active. The bots receive lists of DDoS targets in the form of XML configuration files that are updated three times per day. The attackers attempt to overload login pages, password recovery sites, and on-site searches.
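Because the requests come from many bots at once, a per-IP rate limit sees almost nothing; what stands out on the defender's side is the request volume per endpoint type. The following is an added example, not code from Avast or from the original article: it scans web access logs for per-minute spikes on the three page types named above. The path patterns, the combined log format, the threshold and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Page types the article names as targets; the URL patterns are assumptions
# and must be adapted to the routes of the site being monitored.
EXPENSIVE = {
    "login": re.compile(r"^/(login|signin|wp-login\.php)"),
    "password_recovery": re.compile(r"^/(password[-_]reset|forgot|recover)"),
    "search": re.compile(r"^/search|[?&](q|s|query)="),
}
# Common/combined access log format (assumed).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(path):
    """Return the targeted page type for a request path, or None."""
    for name, pattern in EXPENSIVE.items():
        if pattern.search(path):
            return name
    return None

def flag_floods(lines, threshold=20):
    """Count requests per (minute, page type) across ALL sources and
    return the buckets whose total exceeds the threshold."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore malformed lines
        ip, ts, _method, path, _status = m.groups()
        kind = classify(path)
        if kind is None:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(when.strftime("%Y-%m-%d %H:%M"), kind)][ip] += 1
    return {key: {"requests": sum(c.values()), "sources": len(c)}
            for key, c in hits.items() if sum(c.values()) > threshold}

def sample_log():
    """Constructed sample: 30 sources hit /login once each within one minute,
    mixed with three ordinary requests (documentation IP ranges)."""
    fmt = '{ip} - - [12/Jul/2022:10:15:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 512'
    flood = [fmt.format(ip=f"203.0.113.{i}", s=i, m="POST", p="/login")
             for i in range(1, 31)]
    normal = [fmt.format(ip="198.51.100.7", s=5, m="GET", p="/about"),
              fmt.format(ip="198.51.100.8", s=9, m="GET", p="/search?q=timetable"),
              fmt.format(ip="198.51.100.9", s=12, m="GET", p="/password-reset")]
    return flood + normal

if __name__ == "__main__":
    print(flag_floods(sample_log()))
```

In the constructed sample no single source sends more than one request, yet the login bucket is flagged because the count is aggregated over all sources.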
Effects of the attacks
The group's most successful attacks ultimately result in websites being unavailable for several hours to a few days. To deal with these types of attacks, smaller and local website operators often resort to blocking requests from abroad. In extreme cases, some of the website operators targeted by the group had their domains deregistered.
“However, the actual strength of the DDoS attacks carried out NoName057(16) Judging by the configuration history, they can attack about thirteen URL addresses at once, including subdomains,” continues Martin Chlumecky. “Furthermore, an XML configuration often contains a defined domain as a series of subdomains, so Bobik effectively attacks five different domains within one configuration. This means that the attackers cannot concentrate on more domains for reasons of capacity and efficiency.”
The DDoS attacks carried out may be more difficult to handle for some website operators of prominent and critical domains, such as banks, governments and international companies. Avast researchers found that after successful attacks, larger companies implemented enterprise solutions such as Cloudflare or BitNinja, which can filter incoming traffic and detect DDoS attacks in most cases.
On the other hand, most large, international companies expect increased traffic and run their web servers in the cloud with anti-DDoS solutions, making them more resilient to attacks. For example, the group failed to paralyze the websites of the Danish bank Danske Bank (attacks on June 19-21, 2022) and the Lithuanian bank SEB (attacks on July 12-13, 2022 and July 20-21, 2022).
The more successful attacks by NoName057(16) affected companies with simply structured, informative websites that, for example, only contained an “About Us”, a “Mission/Vision” and a Contact page as subpages. The servers of such websites are usually not designed to withstand high loads and often do not have anti-DDoS techniques, making them an easy target.
How companies and consumers can protect themselves
Companies can protect their websites from DDoS attacks with specialized software and cloud protection. Businesses and consumers can prevent their devices from being used as part of a botnet by using reliable antivirus software that detects and blocks Bobik. Other measures that can be taken to protect devices include ensuring that users do not click on suspicious links or attachments in emails, as well as regular software updates to close security gaps. In general, it is not easy to detect whether a device is being used for a DDoS attack. However, a clue could be high network traffic going to an unknown destination. For more information about the activities of NoName057(16), the Bobik malware, and the DDoS attacks, see the Avast Decoded Blog.
Sources:
Avast
Bleeping Computer

