The pro-Russian cybercrime group named NoName057(16) has recently been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, prompting a fresh government alert. This alert serves as a warning and highlights the disruptive activities of this threat actor, which has been actively supporting Russia’s invasion of Ukraine since March 2022.
Background on NoName057 (16)
Also referred to as NoName05716, 05716nnm, or Nnm05716, NoName057(16) has gained notoriety for its role in pro-Russian activities. They have been involved in various disruptive attacks targeting financial, government, military, media, supply, telecoms, and transportation organizations in Ukraine and NATO-associated targets. Their actions have had a significant impact on the targeted sectors, causing disruptions and chaos.
Canadian organizations at risk
The Canadian Cyber Centre has assessed the activities of Russian state-sponsored threat actors, including NoName057(16). In July 2022, the Cyber Centre determined that these threat actors would continue engaging in malicious activities to support Russia’s military objectives in Ukraine. This assessment highlights the grave risk faced by Canadian organizations as they potentially become targets of NoName057(16)’s disruptive attacks.
Tactics of NoName057 (16)
NoName057(16) employs a botnet to target the web servers of victim organizations. They exploit vulnerabilities and launch DDoS attacks, effectively overwhelming the servers with a massive influx of traffic. Most alarmingly, this cybercrime group is not shy about boasting about their malicious activities, further amplifying the impact of their attacks. Previous reports have revealed that NoName057(16) leverages systems infected with the Bobik malware to carry out these disruptive DDoS attacks.
Threat Assessment and Protection Measures
While some instances of nuisance activity can be managed by on-premises solutions, the scale and intensity of NoName057(16)’s attacks require consideration of third-party DDoS solutions. Canadian organizations are strongly advised to review their systems to spot potential DDoS activity and proactively implement DDoS protections. The Cyber Centre suggests referring to the United States Cybersecurity and Infrastructure Security Agency’s (CISA) guidance on mitigating DDoS attacks. Additionally, improving the monitoring and protection of internet gateways and isolating web-facing applications are crucial steps to mitigate the risk posed by NoName057(16).
Recent DDoS campaigns in Canada
Since September 13, 2023, the Cyber Centre has been actively responding to reports of multiple distributed denial-of-service (DDoS) campaigns targeting various levels within the Government of Canada, as well as the financial and transportation sectors. These targeted attacks have caused significant disruptions, leading to concerns about the vulnerability of critical infrastructure and government operations. The Cyber Centre’s swift response highlights the pressing need for increased awareness and enhanced protective measures.
The activities of NoName057(16) have raised alarm bells across the cybersecurity community. This pro-Russian cybercrime group has unabashedly launched disruptive DDoS attacks, targeting organizations in Ukraine and now expanding their campaign to Canadian entities. It is crucial for organizations to remain vigilant and take proactive measures to protect their systems and infrastructure. Raising awareness about NoName057(16)’s activities and utilizing the recommended protection measures provide a strong defense against this cyber threat. By working together and implementing robust cybersecurity practices, organizations can mitigate the risks posed by this pro-Russian cybercrime group and protect themselves and their stakeholders from potential disruptions.