NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO

MITRE Techniques

• [T1499] Network Denial of Service – NoName057(16) conducts DDoS attacks on target sites to disrupt Ukraine and NATO operations. [“NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure.”]
• [T1071.001] Web Protocols – C2 communications and authentication over HTTP-based protocols; Golang DDOSIA implementations authenticate themselves to C2 servers by issuing an HTTP POST request to the /login_new URL path at the servers and terminate if the authentication fails. [“Golang DDOSIA implementations authenticate themselves to C2 servers by issuing an HTTP POST request to the /login_new URL path at the servers and terminate if the authentication fails.”]
• [T1041] Exfiltration Over C2 Channel – The malware transmits operational statistics to the C2 server at regular intervals to inform operators about progress. [“DDOSIA sends the statistics to the C2 server at regular time intervals.”]
• [T1053] Scheduled Task/Job – Configuration fields indicate capability to schedule network activity over date-time intervals (activate_by_schedule, started_at, finished_at). [“activate_by_schedule, started_at and finished_at indicate that a DDOSIA sample can be configured to schedule the sending of network requests over specific date-time intervals.”]
• [T1105] Ingress Tool Transfer – DDOSIA tooling is hosted and distributed via GitHub Pages and repositories (e.g., dddosia.github.io); attacker content is advertised on Telegram and hosted on GitHub. [“The group has also made use of GitHub to host a variety of illicit activity. This includes using GitHub Pages for freely hosting their DDoS tool website dddosia.github[.]io, and the associated GitHub repositories for hosting the latest version of their tools as advertised in the Telegram channel.”]