The pro-Russia hacktivist group known as NoName057(16) has recently started new attacks against organizations and businesses across Poland, Lithuania and other countries. Most recently, the group began targeting the websites of the Czech presidential election candidates.
According to SentinelOne, which discovered the new campaigns, the group ran them through public Telegram channels, a volunteer-driven distributed denial of service (DDoS) payment program, a toolkit that supports multiple operating systems, and GitHub.
“The group has also made use of GitHub to host a variety of illicit activity,” wrote Tom Hegel, a senior threat researcher at SentinelOne.
“This includes using GitHub Pages for freely hosting their DDoS tool website [...] and the associated GitHub repositories for hosting the latest version of their tools as advertised in the Telegram channel.”
In this regard, SentinelOne said it reported the abuse to the GitHub Trust & Safety team, who took action and removed the malicious accounts.
As for the motivations behind the NoName057(16) group, the security researchers determined that the hackers are primarily focused on disrupting the websites of nations critical of Russia’s invasion of Ukraine.
“Initial attacks focused on Ukrainian news websites, while later shifting to NATO-associated targets,” Hegel explained.
“For example, the first disruptions the group claimed responsibility for were the March 2022 DDoS attacks on Ukraine news and media websites Zaxid, Fakty UA, and others. Overall the motivations center around silencing what the group deems to be anti-Russian.”
Hegel also clarified that, from a technical standpoint, NoName057(16) is not particularly sophisticated. Still, the group can have an impact on service availability, even if that impact is often short-lived.
“What this group represents is an increased interest in volunteer-fueled attacks while now adding in payments to its most impactful contributors,” added the security expert. “We expect such groups to continue to thrive in today’s highly contentious political climate.”
A list of Indicators of Compromise (IoCs) for NoName057(16) is available in the SentinelOne advisory.
Its publication comes days after security firm Lupovis revealed that separate groups of Russian hackers are using their presence inside the networks of organizations in several countries to launch attacks against Ukraine.