NoName057(16) Hackers Using DDoSia DDoS Tool to Attack Organizations in NATO

NoName057(16), also known as 05716nnm or NoName05716, has emerged as a significant threat targeting NATO member states and European organizations.

The group, which originated as a covert project within Russia’s Centre for the Study and Network Monitoring of the Youth Environment, has been actively conducting distributed denial-of-service attacks since March 2022.

Operating with support from leadership within CISM (the Centre named above) and taking direction from Russian government interests, the group has positioned itself as a major cyber threat to Western institutions that oppose Russian geopolitical goals.

The group’s primary offensive capability relies on the DDoSia Project, a crowdsourced botnet that recruits volunteers through Telegram channels.

The volunteers are equipped with easy-to-use Go-based attack tools and rewarded with cryptocurrency for their participation. This volunteer-based model has proven remarkably effective in scaling attacks against diverse targets.

What sets DDoSia apart from traditional botnets is its simplicity, enabling individuals with minimal technical expertise to participate in coordinated attacks.

By 2024, NoName057(16) had expanded its influence through partnerships with other pro-Russia hacktivist groups, notably the Cyber Army of Russia Reborn, which eventually contributed to the formation of Z-Pentest in September 2024.

Picus Security analysts identified a sophisticated two-stage communication protocol that underpins DDoSia’s attack infrastructure.

Technical Mechanism

The system begins with client authentication via an HTTP POST to the command-and-control server’s /client/login endpoint, where the client transmits encrypted system information, including operating system details, kernel version, and CPU specifications.

Following successful authentication, as indicated by a 200 OK response containing a UNIX timestamp, the client proceeds to stage two by requesting target configurations via a GET request to /client/get_targets.
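As an added example (not code from the Picus report or from the DDoSia tool itself), the following Python correlates web-proxy log lines for the two-stage exchange described above: a POST to /client/login answered with 200, followed shortly by a GET to /client/get_targets from the same client to the same host. The log format, the host names, the sample lines and the five-minute window are assumptions; only the endpoints, methods and status code come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not real traffic); assumed format:
# "<ISO timestamp> <src_ip> <method> <host> <path> <status>"
SAMPLE_LOG = """\
2024-06-01T08:00:01 10.0.0.5 POST c2.example.invalid /client/login 200
2024-06-01T08:00:03 10.0.0.5 GET c2.example.invalid /client/get_targets 200
2024-06-01T08:00:10 10.0.0.7 POST c2.example.invalid /client/login 403
2024-06-01T08:00:12 10.0.0.7 GET c2.example.invalid /client/get_targets 403
2024-06-01T08:05:00 10.0.0.9 GET www.example.invalid /index.html 200
2024-06-01T09:30:00 10.0.0.9 GET c2.example.invalid /client/get_targets 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")
LOGIN, TARGETS = "/client/login", "/client/get_targets"  # endpoints from the report

def parse_line(line):
    """Parse one log line into a dict, or return None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "status": int(status)}

def classify_sessions(log_text, window=timedelta(minutes=5)):
    """Correlate the two DDoSia stages per (client, host) pair.
    Returns {"confirmed": [...], "suspect": [...]}: confirmed = a POST
    /client/login answered 200 followed by GET /client/get_targets within
    `window`; suspect = either endpoint seen without the full sequence."""
    logins = defaultdict(list)      # (src, host) -> timestamps of 200 logins
    touched = set()                 # (src, host) pairs hitting either endpoint
    confirmed = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] not in (LOGIN, TARGETS):
            continue
        key = (rec["src"], rec["host"])
        touched.add(key)
        if rec["method"] == "POST" and rec["path"] == LOGIN and rec["status"] == 200:
            logins[key].append(rec["ts"])
        elif rec["method"] == "GET" and rec["path"] == TARGETS:
            # Stage two only counts if stage one succeeded shortly before it
            if any(timedelta(0) <= rec["ts"] - t <= window for t in logins[key]):
                confirmed.append(key)
    suspect = sorted(touched - set(confirmed))
    return {"confirmed": confirmed, "suspect": suspect}
```

Confirmed pairs are hosts that completed the handshake from inside the network; suspect pairs (a failed login or a bare get_targets request) are worth a lower-severity alert, since Tier 1 servers rotate often and a blocked one still reveals the client.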

The operational infrastructure employs a resilient, multi-tiered architecture designed to evade detection and mitigation. Tier 1 comprises public-facing command-and-control servers that communicate directly with DDoSia clients, with an average lifespan of approximately nine days, though many rotate daily.

Tier 2 backend servers maintain core logic and target lists, with access strictly controlled through access control lists permitting connections only from authorized Tier 1 servers.

This compartmentalization ensures that even when Tier 1 nodes are identified and blocked, the core infrastructure remains operational.

Analysis reveals a high operational tempo, with an average of 50 unique targets attacked daily, and activity patterns strongly correlating with standard Russian working hours.

Ukraine represents the largest share of attacks at 29.47%, followed by France at 6.09%, Italy at 5.39%, Sweden at 5.29%, and Germany at 4.60%. Government sectors account for 41.09% of targets, with transportation and telecommunications also heavily impacted.

Attacks predominantly use TCP floods and application-layer techniques, with ports 443 and 80 accounting for 66% of traffic.
