NoName057(16) Hackers Target 3,700 Unique Devices Over the Last 13 Months
The pro-Russian hacktivist collective NoName057(16) has been documented executing distributed denial-of-service (DDoS) attacks against over 3,700 unique hosts, predominantly targeting government and public-sector entities in European nations aligned against Russia’s invasion of Ukraine.
Emerging in March 2022 amid the full-scale conflict, NoName057(16) leverages its volunteer-driven DDoSia platform to orchestrate large-scale application-layer DDoS campaigns, inundating targets with junk HTTP requests to disrupt availability.
Sustained DDoS Onslaught
The group’s operational cadence remains exceptionally high, averaging 50 distinct targets per day and spiking to 91 during peaks tied to geopolitical escalations, such as military developments in Ukraine.
Using Recorded Future Network Intelligence, researchers mapped a multi-tiered command-and-control (C2) architecture: short-lived Tier 1 C2 servers, rotated with an average lifespan of about nine days, are the only hosts permitted to connect upstream to the Tier 2 servers, which are fortified with access control lists (ACLs). The tiering restricts upstream access and lets the C2 layer persist even as the frequently cycled Tier 1 servers are identified and blocked.
Pattern-of-life telemetry further shows that operations align with Russian time zones: new targets are added in two weekday waves, peaking at 05:00-07:00 UTC and again around 11:00 UTC, consistent with a standard Moscow working day.
Geospatial and sectoral targeting reveals a deliberate focus: Ukrainian entities comprised 29.47% of attacks, followed by France (6.09%), Italy (5.39%), and Sweden (5.29%), while the U.S. saw minimal activity despite its Ukraine support.
Government and public sectors bore the brunt at 41.09%, with transportation/logistics (12.44%) and technology/media/communications (10.19%) trailing.
NoName057(16), motivated by Russian nationalism rather than financial gain, recruits volunteers via Telegram and equips them with the Go-based DDoSia client, a successor to the Bobik botnet, which uses AES-GCM to encrypt its C2 communications.
Volunteers authenticate with a unique User Hash and Client ID and submit system metadata in JSON payloads in order to fetch encrypted target lists; each list carries HTTP/2 attack parameters, ports, and rules for appending randomized data to requests so that they are harder to filter.
Technical Breakdown of DDoSia Infrastructure
The DDoSia communication protocol unfolds in two stages. The client first registers with an HTTP POST to /client/login, transmitting an encrypted device fingerprint (OS kernel version, CPU core count, and similar attributes). It then issues a GET to /client/get_targets, which returns an AES-encrypted JSON array of targets together with randomization rules, such as an 11-digit numeric string appended to each URL so that no two requests look identical.
The client also randomizes its User-Agent header to mimic legitimate browser traffic. Together with the encrypted C2 channel, this reflects the group’s efforts to thwart reverse engineering and to preserve the anonymity of its volunteers.
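The two traffic traits just described (an 11-digit random numeric string padded onto each request target, and User-Agent churn from a single source) are observable in ordinary web server access logs, so they can be turned into a detection heuristic without any knowledge of the encrypted C2 channel. The following is an added example written for this article, not code from the report or from the DDoSia client: it parses combined-format access log lines, profiles each source IP by peak request rate, fraction of requests carrying an 11-digit token, and number of distinct User-Agents, and flags sources that combine a burst with either trait. The log lines are constructed for illustration, and the thresholds (10-second window, 5 requests, 50% token fraction, 3 User-Agents) are assumptions to be tuned per site, not values from the report.

```python
"""Heuristic detection of DDoSia-style HTTP floods in web server access logs.

Traits used: request targets padded with a random 11-digit numeric string,
User-Agent churn from one source, and a high per-source request rate.
Thresholds are illustrative assumptions, not figures from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Exactly 11 consecutive digits that are not part of a longer digit run.
# A site whose legitimate URLs carry 11-digit identifiers would need a
# tighter pattern (for example, anchored to the query string).
RANDOM_TOKEN_RE = re.compile(r'(?<!\d)\d{11}(?!\d)')

# Constructed sample log: one flood source (random tokens, four User-Agents,
# six hits in two seconds), one quiet visitor, and one legitimate burst
# (a page plus its assets from a single browser, no tokens).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2025:05:02:01 +0000] "GET /?12345678901 HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '203.0.113.7 - - [15/Jul/2025:05:02:01 +0000] "GET /?98765432109 HTTP/2.0" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
    '203.0.113.7 - - [15/Jul/2025:05:02:01 +0000] "GET /?55555555555 HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605.1"',
    '203.0.113.7 - - [15/Jul/2025:05:02:02 +0000] "GET /login?31415926535 HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '203.0.113.7 - - [15/Jul/2025:05:02:02 +0000] "GET /login?27182818284 HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Android 13; Mobile) Firefox/118.0"',
    '203.0.113.7 - - [15/Jul/2025:05:02:02 +0000] "GET /?16180339887 HTTP/2.0" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
    '198.51.100.4 - - [15/Jul/2025:05:02:03 +0000] "GET /news/article-2024 HTTP/2.0" 200 4096 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605.1"',
    '198.51.100.4 - - [15/Jul/2025:05:02:40 +0000] "GET /news/ HTTP/2.0" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605.1"',
    '192.0.2.10 - - [15/Jul/2025:05:02:05 +0000] "GET / HTTP/2.0" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '192.0.2.10 - - [15/Jul/2025:05:02:05 +0000] "GET /static/app.js HTTP/2.0" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '192.0.2.10 - - [15/Jul/2025:05:02:05 +0000] "GET /static/app.css HTTP/2.0" 200 2000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '192.0.2.10 - - [15/Jul/2025:05:02:05 +0000] "GET /static/logo.png HTTP/2.0" 200 7000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '192.0.2.10 - - [15/Jul/2025:05:02:06 +0000] "GET /static/font.woff2 HTTP/2.0" 200 5000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '192.0.2.10 - - [15/Jul/2025:05:02:06 +0000] "GET /favicon.ico HTTP/2.0" 200 300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["has_token"] = bool(RANDOM_TOKEN_RE.search(rec["target"]))
    return rec


def peak_rate(timestamps, window):
    """Largest number of requests inside any window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_sources(lines, window_seconds=10):
    """Per-source statistics: request count, peak rate, token fraction, UA diversity."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    window = timedelta(seconds=window_seconds)
    return {
        ip: {
            "requests": len(recs),
            "peak_rate": peak_rate([r["ts"] for r in recs], window),
            "token_fraction": sum(r["has_token"] for r in recs) / len(recs),
            "distinct_ua": len({r["ua"] for r in recs}),
        }
        for ip, recs in per_ip.items()
    }


def flag_sources(lines, window_seconds=10, min_peak=5, token_fraction=0.5, ua_churn=3):
    """Return source IPs matching the flood pattern, sorted.

    A burst alone is not enough (a browser loading a page bursts too); it must
    be paired with randomized targets or User-Agent churn from the same source.
    """
    flagged = []
    for ip, p in profile_sources(lines, window_seconds).items():
        bursty = p["peak_rate"] >= min_peak
        padded = p["token_fraction"] >= token_fraction
        churn = p["distinct_ua"] >= ua_churn
        if bursty and (padded or churn):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, p in profile_sources(SAMPLE_LOG).items():
        print(ip, p)
    print("flagged:", flag_sources(SAMPLE_LOG))
```

The legitimate burst from 192.0.2.10 exceeds the rate threshold but is not flagged, which is the reason for requiring a second signal; a plain per-IP rate limit at the WAF or CDN edge would throttle that browser along with the flood. Feeding the same profile into a rate limiter as a score rather than a single counter lets the limiter bite harder on sources that show the padding or User-Agent pattern.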
In response to such threats, Operation Eastwood, a multinational law enforcement action conducted from July 14-17, 2025, resulted in arrests in France and Spain, seven warrants, and 24 searches across Europe. NoName057(16) dismissed the operation on Telegram and vowed to continue its part in Russia’s “information war.”
To mitigate these risks, organizations should implement layered defenses including DDoS mitigation services, content delivery networks (CDNs), web application firewalls (WAFs), IP blocking, and rate limiting, alongside robust incident response frameworks encompassing business continuity and escalation protocols.
The report adds that enhanced situational awareness, meaning monitoring of threat actor Telegram channels, peer incidents, and geopolitical indicators, is crucial for anticipating campaigns before they begin.
In the broader landscape of hybrid conflict, NoName057(16) exemplifies state-encouraged hacktivism, blending DDoS with disinformation and sabotage that stay below the threshold of open warfare. As states increasingly use non-state actors as proxies for strategic gain, continued vigilance over this part of the threat landscape is warranted.