Cyble researchers report that the Russian hacktivist groups People’s Cyber Army and HackNeT launched trial DDoS attacks against French websites ahead of the Paris Olympics, calling the operation a training exercise. The activity is linked to APT44 (Sandworm) and signals potential larger-scale attacks during the Games. #PeoplesCyberArmy #HackNeT #APT44 #Sandworm #ParisOlympics #FestivalLaRochelleCinéma #GrandPalais #check-host.net
Keypoints
- The attack timeline centers on June 23, 2024, when the groups announced DDoS actions against French targets ahead of the Paris Olympics, described as a training event.
- People’s Cyber Army is linked to APT44 (Sandworm, FROZENBARENTS, Seashell Blizzard) and has a history of pro-Russian political motivation.
- HackNeT joined the campaign shortly after, amplifying claims of DDoS against targets such as Grand Palais (Paris) and Festival La Rochelle Cinéma (Fema).
- Evidence includes Telegram posts, screenshots, and a check-host.net link used to support DDoS claims.
- The group developed and promoted a DDoS tool based on Python, capable of Layer 4/7 attacks with multithreading/multiprocessing and proxy support to hide IPs.
- Relations and collaborations exist with NoName057(16), CyberDragon, and UserSec Collective, indicating coordinated pro-Russian activity.
- IOCs include multiple file hashes for Windows and Linux binaries (ddos.exe, ddos_free) linked to the campaign.
MITRE Techniques
- [T1499] Denial of Service – Used to overwhelm targets with DDoS activity. ‘DDoS attacks on several French websites’ ahead of the Olympics.
- [T1090] Proxy – Obfuscated operations by routing traffic through proxies to hide attacker IPs. ‘proxy support to hide the attacker’s IP address, making it harder to track the attack.’
- [T1059.006] Command and Scripting Interpreter: Python – The DDoS tool is described as being coded in Python. ‘The DDoS tool created, promoted by the hacking group, and suspected in this incident is coded in Python.’
- [T1071.001] Web Protocols – Telegram-based communications used to announce and coordinate attacks. ‘In the posts on their Telegram channel on June 23, 2024, hacktivist groups People’s Cyber Army and HackNeT…’
Indicators of Compromise
- [Hash] MD5/SHA-1/SHA-256 – Windows Executable – ddos.exe – 214436a0c7623e84e8078a3b141b7d9c, 82c4739158099fe156aa1b23409c9bf5f96eb9d5, 35c75ba64f1658bd9442afa255b671e3fe9cb93ffb4821270074a85fca966c3f
- [Hash] MD5/SHA-1/SHA-256 – Linux Binary – ddos_free – 4711b96b395c7ced1e0c2f2d0b1786c6, dc203816c0bb91614d270a129ac968ee45f1b7d2, bbbd97e1c525f811fbd16e2a48989cfa3e3164aa3b21824108dd3f8f5394bd7
- [File Name] – ddos.exe (Windows), ddos_free (Linux) – used as the DDoS utilities tied to the campaign
- [Domain/URL] – check-host.net – referenced in Telegram posts to corroborate downtime claims