Intel insiders go undercover revealing fresh details into NoName hacktivist operations

In a Black Hat exclusive interview with Cybernews, two Radware threat researchers turned 'undercover hacktivists' pose as pro-Russian sympathizers, revealing new insights into the inner workings of the cyberterrorist gang NoName057(16).

“The importance of NoName for us, if you look at the number of attacks that they're doing, it's much bigger than, for example, Anonymous Sudan or even Killnet,” said the Radware researchers, who asked to remain anonymous for security reasons.

Calling Killnet media savvy, the researchers pointed out that “Killnet makes it a lot into the news, but actually, in terms of attacks and targeting, they don't do that much anymore.”

Anonymous Sudan and Killnet, whose self-proclaimed leader is known as Killmilk, are just two of the well-known pro-Russian hacktivist groups that have been actively targeting Ukraine and the West since the Russian invasion last spring, but more on that later.

The two unnamed insiders sat down with me to tell their tale on the last day of the Black Hat USA convention, settling in at a random table on the floor of the swag-filled Business Hall, away from the commotion.

Cybernews readers will get to see the visuals accompanying their research – For Intel and Profit: Exploring the Russian Hacktivist Community – here for the first time.

From insights into the ever-evolving Russian hacktivist landscape to documenting NoName’s steady stream of persistent attacks, these security gurus have proven firsthand that the gang’s crowdsourced "DDoSia" platform is providing a steady stream of crypto payouts to otherwise ordinary citizens whose only commonality is that they despise Ukraine and any of its Western supporters.

Furthermore, according to the duo, it's not going to stop anytime soon.

[Image: NoName nation heat map. Image by Radware]

Who is NoName057(16)?

Before we dive right into the gang’s newly discovered operations, let’s briefly profile this steadfast group of attackers and find out what they’ve been up to since they first entered the scene back in March of 2022, and more recently.

To begin with, Radware’s research shows that NoName dominated the pro-Russian hacktivist landscape in the first half of 2023, carrying out a whopping 1174 attacks, in 32 Western nations, in just 176 days.

“Since the beginning of the year, and even underneath last year, since October, non-stop, they were attacking five to 20 different targets every day, continuously,” one researcher said.

Out of the 15 hacktivist groups identified below, NoName is responsible for more than 31% of all attacks.

[Image: NoName within the Russian hacktivist circle. Image by Radware]

NoName’s signature distributed denial-of-service or DDoS attacks – where a website or network is flooded with traffic to disrupt its normal operations – are often considered among security professionals more of an inconvenience than a severe threat affecting business operations.

Yet, the Radware team says the level of attacks has changed along with the group’s tactics, which in the past have also included the defacement of targeted websites.

“I see them moving away from the inconvenience attacks to more services. They are picking the services better,” the researchers said.

NoName has begun to zero in on more critical infrastructure such as the transportation and financial sectors, as well as government entities.

Even while writing this report, the gang claimed France’s General Directorate of Public Finance as its latest DDoS victim on its encrypted Telegram channel.

[Image: NoName claims France’s General Directorate of Public Finance. Source: NoName057(16), Telegram, August 14, 2023]

NoName057(16) – the group's official name – boasts more than 55k followers between its Russian and English channels, yet both Anonymous Sudan and Killnet have nearly double that amount, or more, at the time of this post.

The threat actor primarily announces all its attacks on Telegram, almost simultaneously as they are happening, and without warning.

This is opposed to other hacktivist groups, like Anonymous Sudan, who tend to enjoy the lead-up to an attack almost as much as the attack itself.

Instead of taunting its victims and making a big show on social media about who it plans to target and exactly when the deed will take place, NoName takes its game seriously and is seemingly all business.

And, unlike other pro-Russian threat groups, like Killnet, which regularly posts memes and Kremlin propaganda videos on its Telegram channel to rile up its base of followers, NoName sticks solely to posting its signature logo – the Russian brown bear and its claw stamp.

[Image: NoName Italy bank attack. Source: NoName057(16), Telegram]

In the past few weeks, NoName has successfully targeted Italy’s banking system, knocking at least six major banks offline, and disrupted the infrastructure of nearly a dozen Ukrainian banking websites in a separate four-day attack campaign.

Other attacks have targeted critical infrastructure in Poland, Denmark, Lithuania, and the French parliament, as well as nearly a dozen attacks on Switzerland’s financial and aviation sectors this summer.

Some of the largest European ports in Italy, Germany, Spain and Bulgaria were also hacked by NoName in June.

[Image by Radware]

The Radware experts said the hacktivist gang has also begun to "do a lot of research” before carrying out their individual attacks.

The researchers discovered one of NoName’s tactics includes examining a target website to determine which common variables the site would expect to be input into its HTML forms by users.

Variables can include personal information such as names, phone numbers, email addresses, or other text.

“Whatever the website is expecting, they [NoName] will put randomized data in, but within the confines of what the website expects," the researchers explained. Once the input is made, "a web application firewall is going to check what the request looks like" to make sure it matches "all the parameters."

Normally, the application firewall will "take out the ones that are bad because you can’t put in a very long number as a phone number trying to do an exploit, right? You don't want that,” they said.

“They [NoName] are smart enough to put the right variable in the right place, so it's impossible to detect them, then they run that attack from multiple clients, and that makes them successful,” the experts said.

In its latest attack on Ukrainian banks, the group not only knocked several of the bank websites and mobile services entirely offline, but it also selectively went after individual subdomains such as authorization services, login portals, customer service systems, and loan processing services at other banks, presumably to cause an even more significant impact on financial operations.
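As an added defensive illustration (not code from Radware or the article), the following Python sketch shows why a flood of well-formed, WAF-clean form submissions still leaves a signal: it parses a few constructed access-log lines and flags minutes in which POSTs to a form endpoint spike across many distinct sources even though every request returned 200. The log format, endpoint and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic): a sparse baseline of
# legitimate POSTs to a contact form, followed by a burst of well-formed POSTs
# from forty different source addresses within a single minute.
SAMPLE_LOG = """\
10.0.0.5 - [14/Aug/2023:10:00:12 +0000] "POST /contact HTTP/1.1" 200
10.0.0.9 - [14/Aug/2023:10:01:30 +0000] "POST /contact HTTP/1.1" 200
10.0.0.7 - [14/Aug/2023:10:02:01 +0000] "GET /index.html HTTP/1.1" 200
""" + "\n".join(
    f'192.0.2.{i} - [14/Aug/2023:10:03:{i % 60:02d} +0000] "POST /contact HTTP/1.1" 200'
    for i in range(1, 41)
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def parse_line(line):
    """Parse one assumed common-log-style line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "minute": ts.strftime("%Y-%m-%d %H:%M"),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}

def form_post_windows(log_text, path="/contact"):
    """Per-minute (POST count, distinct source count) for the form endpoint."""
    counts, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            counts[rec["minute"]] += 1
            sources[rec["minute"]].add(rec["ip"])
    return {minute: (counts[minute], len(sources[minute])) for minute in counts}

def flag_floods(windows, max_posts_per_minute=10, min_distinct_sources=5):
    """Return minutes whose POST volume is abnormal although every request
    passed validation (status 200). Requiring many distinct sources captures
    the distributed pattern: per-IP rate limits see only one request each."""
    return sorted(minute for minute, (n, srcs) in windows.items()
                  if n > max_posts_per_minute and srcs >= min_distinct_sources)
```

The thresholds would in practice be derived from the endpoint's own baseline rather than fixed constants.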

Politically driven "drinking money"

What makes NoName unique – besides the fact that they are not affiliated with any other pro-Russian collective – is that they are supported by a stable of volunteers recruited from the dark web.

The threat actors put out a call for these “hero” hacktivists in early January, offering financial incentives paid out in cryptocurrency reportedly worth hundreds, if not thousands of US dollars.

But until now, it's not been proven that the group was actually making payments for help carrying out its daily targeted bot attacks.

According to the Radware team, NoName’s “Project DDoSia” is simply a crowdsourced botnet made up of politically driven hacktivists who are more than willing to download and install a bot on their computers in hopes of bragging rights and some crypto coins.

[Image: NoName DDoSia. Image by Radware]

So in the name of research, the two security experts created a fake profile, joined the over 11K other volunteers following the group’s DDoSia Telegram channel, and downloaded detailed instructions on how to participate in the experimental “gamification” challenge.

The instructions from the threat group, written back in February, ask its heroes to kindly download "special software" on their computers, which, when launched together, will "increase the power of influence on the targets chosen by the NoName57(16) team (sites of countries unfriendly to the Russian Federation)."

Essentially, this creates a botnet of thousands of infected computers for NoName to carry out sophisticated DDoS attacks on its victims.

“Every volunteer can download it for their Mac, or for their desktop at home, they can put it on a mobile phone, and can run it from an Android mobile phone,” the researchers said.

The advanced payout formula? A set amount designed to be split among all daily users who participate in an attack and also rewards participants with more crypto depending on how successful the attack actually is, according to the scheme.

[Image: NoName financial incentive. Image by Radware]

As an extra incentive for volunteers, NoName had promised to pay out the 'rewards' every X number of days in Bitcoin (the group eventually switched to an untraceable cryptocurrency called TON).

But the most interesting fact, the researchers said, was the discovery that the entire payout system could be easily manipulated by the volunteer hackers to get free crypto. The two advantageously used this piece of undisclosed information to help them stay under the radar throughout the entire investigation.

“We looked at the bot, it was written in Python, which was very easy to get access to the code, execute the print statement, and you printed out the code accurately,” they said.

“In the code, we saw that there was not only downloading of targets, but once the bot starts attacking every two minutes, it collects the statistics, uploads it to the server, and ties it to the client ID that you registered with your bot,” one researcher said.

That’s how they keep track of the attacks that you do, the two revealed.

"Of course, it's Python code; everybody can read Python code. You look in the Python code; how do you submit a number of attacks? Cause that you can fake. You can just submit any number of arbitrary attacks. And then, since they pay up, you can get money for it," they explained.

The duo said they realized they were not the only ones doing that. They saw others figuring it out, creating a simulation, and submitting fake attacks.

And it was obvious because of the number of attacks reported, the researchers said: some were sky high compared to those of the other volunteers, who then started calling each other out for unfair practices.

At first the researchers didn’t get paid out for their reported attacks. The two assumed NoName feared that if it paid the volunteers in Bitcoin, the crypto transaction could easily be traced back to the threat actors.

The two, using the fake profile “Enqjner,” also began to manipulate their simulated submissions to appear much more believable by reporting both high and lower numbers of attacks.

“We went up and down in the ranking,” they said.

[Image: NoName crypto payout to the researchers. Image by Radware]

The two did get paid a few times – calling it drinking money from Russia – once the hacktivist gang switched to the open source crypto TON for payout.

"Depending on the day, how much competition there is, because what they're doing, they're adding it all up and then kind of doing an average of the day. So on the twelfth, it's only three dollars, while April 16th is a good day. So, that's how those actors can make money,” they said.

Ironically, TON stands for Telegram Open Network but is no longer run by the messaging service. The duo said it's basically untraceable. It just gets put in your account from Telegram, making it impossible to see where the money comes from.

The researchers were hoping to use the Bitcoin payments as a way to learn more about NoName’s operations by “tracing transactions coming in and coming out, find out who got paid the most, basically uncovering everything,” they said.

But eventually, NoName would hear rumors and change their mechanisms, write more advanced code, and add more security checks. As the threat group started closely monitoring who had real attacks or not, it became harder for the researchers to finesse the submission data.

Unfortunately, the two also said the ups and downs of the crypto market didn’t work in their favor. One researcher said they “made like $630, which came out to only $300” in the end.

What does the future hold?

One detail the researchers were adamant about was that they did not know where the payout money was coming from.

“We’re assuming it's coming from, you know, the Kremlin, I mean, we assume that it's coming from the government,” they said.

Another point the two made was that de-escalation of these hacktivist groups in the future was unlikely and that more groups would presumably be used as proxies for nation-state actors worldwide.

The growth and evolution of the politically driven cyber attack as a result of the Russian-Ukraine war has become the norm.

“It's kind of nice as far as like a smokescreen, you don't know if they are hacktivists or are they state-sponsored? Plus the definition of state-sponsored, is it just money or is it intel?” one researcher said.

[Image: An image posted by a DDoSia follower on Telegram, August 9, 2023. "NoName57" Head of Research is printed on a Black Hat badge belonging to an unknown attendee. There are no rules as to what name you can put on your badge when registering for the hacker conference, which took place in Las Vegas on August 5 - 10, 2023.]

"I don’t see it ending anytime soon. I see the war ending at some point, but these groups still staying around," the researcher said.

Part of the issue, they noted, is that governments on both sides are currently not enforcing any laws regarding DDoS attacks.

“Five years ago, [script] kids launching DDoS attacks would be arrested immediately, it almost seems like they’re not arresting anybody,” they said.

“We haven’t seen a social statement, it's mindblowing. There’s no US official asking these children not to download these tools and listen to the [Ukrainian] IT Army and attack Russia,” the researcher continued. “As long as you're in the United States, you're attacking Russia, it's fine. If you're in Russia attacking the West, it's fine.”

"There are clear lines being drawn inside the cyber domain," they added.

As for NoName itself, “I don’t ever see this group stopping. It's too big, there's too much money on table,” they both agreed.
