A Page Out Of State-Sponsored APT Playbook

The Swiss parliament website went offline for a few hours on 12 June. Shortly afterwards, a message popped up on the Telegram channel of the pro-Russian cyber threat actor NoName057(16).

“Bandera member Zelensky thanked Switzerland, which this week joined the 10th package of EU anti-Russian sanctions,” the post said.

“We also ‘thanked’ the Swiss Russophobes and sent DDoS missiles to the website of the Swiss Parliament, after which the resource administrators closed access for foreign IP.”

What followed was a barrage of DDoS attacks on major government and public service websites in Switzerland. Some went offline for a few hours, some as long as two days.

Within a day, websites including those of the Swiss Federal Department of Justice and Police, the Swiss railway company Südostbahn, the Federal Department of Home Affairs, and several other government departments became unreachable.

Finally, on June 14, another Telegram post by NoName057(16) disclosed the real reason behind the intensified attacks.

“Tomorrow, Zelensky, a Banderist, plans to beg for money via a video chat in the Swiss parliament,” the post said.

The DDoS attacks continued for four more days.

NoName Attacks Switzerland

The Swiss finance ministry promptly acknowledged that several federal administration websites were unavailable. However, it refused either to confirm that it was a DDoS attack or to attribute it to NoName.

Interestingly, the DDoS attacks followed an earlier incident on June 8, in which a technology firm called Xplain, which provides government software for various Swiss departments, fell victim to a ransomware attack.

The stolen data was encrypted, and the attackers demanded a ransom.

Some of the compromised data was subsequently posted on the darknet. Xplain serves clients such as the Swiss army and the customs department, providing software for homeland security purposes. The attack was attributed to the Play ransomware group.

According to the claims made on NoName’s Telegram channel, there were a total of 60 targets, including national and regional administrations, government departments, and public utilities.

The Swiss administration managed to bring the affected services back and ensure the security and resilience of its systems.

Russia, Ukraine, and the Swiss Connection

Ukrainian President Volodymyr Zelenskyy’s address to the Swiss parliament on June 15 called for the unblocking of weapon exports to Ukraine to help restore peace.

He expressed gratitude towards Switzerland for not remaining indifferent to the suffering caused by Russia’s aggression.

He acknowledged Switzerland’s support for the joint European sanctions against Russia, emphasizing the importance of solidarity in bringing an end to the aggression. The President urged for the intensification of sanctions as a means to achieve this goal.

The President acknowledged that Switzerland is currently discussing permits for the re-export of weapons to protect Ukraine.

He urged all participants in the discussion to consider the fact that Ukraine is seeking weapons to restore peace on its territory, in accordance with international law.

“I know that Switzerland is discussing the export of military equipment for the protection and defence of Ukraine. This would be pivotal. We need weapons so that we can restore peace in Ukraine,” the president emphasised.

He highlighted the importance of a rules-based international order that guarantees freedom for every nation, echoing the sentiments expressed by the Speaker at the beginning of the session.

Following President Zelenskyy’s address, Brigitte Häberli-Koller, Head of the Council of Cantons, the upper house of the parliament, reaffirmed Switzerland’s commitment to upholding international law, which recognizes the inherent right of every nation to self-defense.

Why did NoName attack Switzerland?

You may think that, in this theatre, DDoS attacks are a rather ineffective way to advance one’s cause. Security researchers say otherwise.

“Cybercriminals like to create confusion – and they sometimes turn to DDoS attacks to distract and misdirect resource-deprived organizations from their primary goal: to pillage sensitive data,” said a Trustwave report on the reasons behind DDoS attacks.

“DDoS attacks are optimal subterfuge because they create noise and chaos that will attract the brunt of attention from your IT staff, leaving wide open the opportunity for your foes to simultaneously infiltrate your network and mask data exfiltration.”

In certain cases, a DDoS attack serves as a digital pretext for a potential physical assault, the report pointed out.

Recently, the Trustwave team uncovered a web-based vulnerability in a well-known printer brand, which could potentially lead to denial-of-service attacks.

“Our researchers theorized that attackers could launch the printer attack and show up at the target organization pretending to be the ‘technician’ called to fix the problem,” said the report.

“This impersonation could net them direct physical access to IT resources that they might never have been able to access remotely.”

In this situation, the entire Swiss population felt the pinch in one way or another. Considering NoName’s activities since its inception in March 2022, the threat group is something of an expert in that.

NoName057(16): An organized collective with a purpose

NoName057(16), commonly referred to as NoName, is a hacktivist group that emerged in March 2022 and has maintained its activity since then. With a pro-Russian stance, the group operates under various aliases, including NoName05716, 05716nnm, and Nnm05716.

According to threat intelligence service SOCRadar, NoName’s actions are driven by a manifesto that responds to those who have openly displayed hostility towards Russia.

The group claims to possess the strength and experience necessary to restore justice and emphasizes the value of truth as a source of power. Financial gain is not their motivation, and they express willingness to collaborate with like-minded groups.

To facilitate their operations, NoName057(16) maintains a private Telegram channel known as the DDosia Project. This platform serves as their communication hub and supports their use of the DDosia tool.

Cybersecurity company Avast reported that NoName057(16) continues to engage in Distributed Denial of Service (DDoS) attacks through their DDosia project, primarily targeting the websites of European institutions and companies.

Their activities align with their support for Russia in the ongoing conflict with Ukraine, suggesting a sustained commitment to their actions throughout the war.

In an effort to incentivize participation, NoName057(16) openly offers cryptocurrency payments to individuals who install their DDosia tool and join the attacks.

Avast’s report indicates that the group is actively striving to enhance the efficiency of their DDoS attacks, with plans to transition to a more effective Go platform after encountering performance limitations with their initial Python-based pilot variant.

State-sponsored actors seldom claim credit for their actions and go to great lengths to conceal their identities, employing sophisticated techniques to impede attribution efforts. NoName057(16), on the other hand, has no qualms about its Russian affiliation.

NoName057(16) is the latest in the list of state-sponsored threat actors who have been openly launching cyber attack campaigns on their geopolitical rivals.

Among other benefits, cyber mercenaries offer a huge advantage to the players who use them: lack of agency.

NoName057(16) and the largest list of Nation State actors

A recent report by the New Yorker highlighted a curious feature of Indian hackers-for-hire: competing firms openly advertising their “ethical” or “white hat” hacking services, and individual hackers boasting about their spear phishing exploits on LinkedIn.

This behavior stands in contrast to cybercriminals in authoritarian nations like Russia, Iran, and North Korea, who prefer to operate discreetly without public exposure.

Nevertheless, Indian hackers appear to share a significant characteristic with their counterparts in authoritarian countries—an implicit alliance with their government.

According to the report, the top twelve hacking-for-hire firms in India consistently engage in some government-related projects while also undertaking private work.

This pattern has been observed by cybersecurity researchers in both government and private sectors.

Some Indian hacking-for-hire groups are known to transition into activities aligned with the interests of the Indian government, with India’s intense rivalries with China and Pakistan extending to the realm of cyber warfare.

The rise of nation state actors in the cyber landscape poses a significant challenge for governments, organizations, and cybersecurity experts. With their specialized skills, state-sponsored resources, and commitment to anonymity, they represent a formidable force in the evolving field of cyber warfare.

Nation State Actors often have close ties to the military, intelligence, or state control apparatuses of their nations, equipping them with a high degree of technical expertise.

Some are selected for specific language, social media, or cultural skills, enabling them to engage in espionage, propaganda, or disinformation campaigns. With extensive resources and the backing of their governments, they receive instructions from government employees or armed forces members.

Tasked by governments, these skilled individuals employ their expertise to disrupt or compromise target governments, organizations, and even individuals, with the aim of accessing valuable data or intelligence.

Enjoying the tacit support of their respective states, they operate with impunity, shielded from legal consequences in their home countries.

Motivated by nationalism, Nation State Actors harbor a singular objective: to acquire secrets from other nations or disrupt their operations through cyber means.

Their modus operandi involves targeted tasks, such as stealing industrial secrets, sabotaging critical national infrastructure, eavesdropping on policy discussions, dismantling companies that offend their leaders, or launching propaganda and disinformation campaigns within and beyond their nation’s borders.

Social engineering plays a pivotal role, with Nation State Actors employing carefully crafted spear-phishing emails to exploit vulnerabilities in high-profile individuals.

They may also compromise strategic websites to distribute malicious software, ensnaring unsuspecting visitors. Further social engineering tactics, such as creating fake profiles on social networks or infiltrating the supply chains of target organizations, are also utilized.

The formidable capabilities at the disposal of Nation State Actors enable them to execute complex attacks.

For instance, the Stuxnet malware specifically targeted Iran’s nuclear manufacturing facilities, demonstrating the extent of their operations.

Groups like Sofacy and Operation Cleaver have also demonstrated their ability to carry out coordinated attacks against governments and organizations.

The repercussions of their actions can extend to geopolitical consequences, as exemplified by the 2014 cyber attack on Sony Pictures, which prompted the United States to impose sanctions on North Korea.

In addition to their involvement in cyber warfare, Nation State Actors may be tasked with tracking, disrupting, and persecuting dissidents or activists.

Others specialize in propaganda and disinformation campaigns, utilizing armies of trolls to manipulate public opinion and enhance their employer’s reputation.

Industry bodies and think tanks have increasingly become targets of cyber attacks due to the trust they garner from participants in the business and government sectors.

These organizations provide indirect access to sensitive information, making them alluring targets for malicious actors.

Meanwhile, NoName has started targeting UK firms. Reason? Zelenskyy had a phone call with Rishi Sunak!