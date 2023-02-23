

They are decidedly pro-Russian and Putin sympathizers. They have been active since the beginning of the war and rely on many volunteers, some of them paid. They are driven by exclusively political motives, against the “enemies of Russia” and “Russophobes”, hitting banks, institutional sites and services connected to critical infrastructure; but not hospitals, which they leave alone because “it wouldn’t be ethical”. This is the sketch of the NoName057 activist group that yesterday hit several Italian institutional sites with DDoS attacks, making some of them inaccessible for a few hours (the Ministry of Foreign Affairs and the Carabinieri sites in particular).

It is in good company. Since the beginning of the Russian-Ukrainian conflict in February 2022, various hacker groups on both sides have conducted cyber attacks against the government entities and critical infrastructure of the adversary. Among these groups are NoName057 and, the most famous of the Russian ones, Killnet.

The attacks

NoName057 has acted above all since last May against Ukraine and the European countries that support the Ukrainian government, in particular the countries of the post-Soviet space such as Estonia, Latvia, Lithuania, Poland and Slovakia, but also Norway and Finland. There have been a few attacks against other countries, including the UK, the US and now Italy. They usually carry out DDoS attacks, mostly against banks, transport and government sites, but have also succeeded in defacing the website of the Polish Office of Rail Transport. Among other things, with DDoS they blocked access to transport sites in Lithuania, Latvia and the United States (to mention the attacks with the greatest practical effect, as well as reputational damage). They tried to influence the elections in the Czech Republic by targeting the site of an unwelcome presidential candidate.

How it works

NoName057 advertises its campaigns in a Russian-language Telegram channel created in March 2022, and in a second channel, founded in August 2022, where all content is translated into English for non-Russian-speaking members. The threat actor has also created a third channel that some of its members use to discuss the technical aspects of DDoS campaigns, and a fourth where they provide instructions on how to use a custom tool available on GitHub, called “DDosia”, to conduct DDoS attacks. In September 2022 they also introduced a financial reward mechanism that pays the users who carry out the most effective DDoS attacks, with rewards of up to around a thousand euros. As Yarix analysts report, there is evidence of cooperation with other pro-Russia cyber collectives such as Killnet and XakNet. As recently noted in the analysis conducted by Mandiant Intelligence, some of these pro-Russian groups (e.g. XakNet) appear to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Russia’s foreign military intelligence agency. “There is no evidence that NoName057 is also connected to the Russian secret services,” says cyber expert Pierluigi Paganini. The group has often reiterated in its private channels and groups that targeting the healthcare sector is unethical; users have therefore been encouraged to direct their attacks only at entities where financial or reputational damage may result.

The type of attack

In particular, the DDoS attack works like this: the target server (site) is saturated by flooding it with requests that resemble legitimate ones. For this purpose the attackers usually use botnets, i.e. networks of computers infected with malware that can be directed to launch these requests. The computers belong to unsuspecting users in different countries. Historically, the most common DDoS attack is the volumetric type, which tries to saturate the victim’s bandwidth with traffic peaks. However, application-layer DDoS attacks have been gaining ground for a few months, as the National Cybersecurity Agency reported last May, when Killnet hit various Italian institutional sites. Those who analyzed the logs of the NoName057 attacks report to Il Sole24Ore that in this case, too, they appear to be application-layer DDoS attacks, judged more insidious than the old-fashioned volumetric ones. These techniques aim to exhaust the resources of the systems that provide the services, including the web servers. In May as now, the attackers appear to have used a slow HTTP technique (one of the application-layer kind). By sending numerous requests at a very low transmission speed (hence the word “slow”), the attacker forces the destination web server to keep each connection open, saturating the resources the server dedicates to communicating with external clients.
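To make the resource-exhaustion mechanism described above concrete from the defender's side, here is an added Python model of a web server's connection pool under slow-HTTP load. It is an illustration written for this page, not code from the article, from NoName057's tooling, or from any product it names; every number in it (slot count, client speeds, timeout, per-source cap, source labels) is constructed for the example. It runs the same load against two policies, a server that waits forever for incomplete requests and one that enforces a request-read timeout plus a per-source connection limit, and reports how many ordinary clients each one managed to serve.

```python
"""Toy model of a web server's connection pool under slow-HTTP load.

Added illustration, not code from the article or from any tool it names.
All numbers (slot count, client speeds, timeouts, source labels) are
constructed for the example; they are not measurements of real attacks.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Conn:
    src: str             # source label (constructed)
    legit: bool          # True for an ordinary client, False for a slow one
    bytes_per_tick: int  # how quickly the client finishes sending its request
    request_bytes: int   # bytes the server must read before it can answer
    opened_at: int
    received: int = 0


@dataclass
class ServerPolicy:
    max_slots: int = 50                   # concurrent connections the server can hold
    header_timeout: Optional[int] = None  # ticks a request may stay incomplete (None = forever)
    per_src_cap: Optional[int] = None     # concurrent connections per source (None = unlimited)


@dataclass
class Stats:
    served_legit: int = 0
    served_slow: int = 0
    refused_full: int = 0     # turned away because every slot was busy
    refused_src_cap: int = 0  # turned away by the per-source limit
    timed_out: int = 0        # incomplete requests dropped by the timeout


def simulate(policy: ServerPolicy, slow_sources: List[str], slow_per_src_per_tick: int,
             legit_per_tick: int, ticks: int) -> Stats:
    """Advance one tick at a time: connections arrive, then every open connection
    delivers its next chunk. Complete requests are served and free their slot;
    requests that overstay header_timeout are dropped; everything else keeps
    its slot, which is exactly what a slow client counts on."""
    active: List[Conn] = []
    per_src: Counter = Counter()
    stats = Stats()
    for t in range(ticks):
        arrivals: List[Conn] = []
        for s in slow_sources:
            for _ in range(slow_per_src_per_tick):
                arrivals.append(Conn(s, False, 1, 400, t))      # 1 byte/tick of a 400-byte request
        for i in range(legit_per_tick):
            arrivals.append(Conn(f"legit-{t}-{i}", True, 400, 400, t))  # whole request in one tick
        for c in arrivals:
            if policy.per_src_cap is not None and per_src[c.src] >= policy.per_src_cap:
                stats.refused_src_cap += 1
            elif len(active) >= policy.max_slots:
                stats.refused_full += 1
            else:
                active.append(c)
                per_src[c.src] += 1
        still_open: List[Conn] = []
        for c in active:
            c.received += c.bytes_per_tick
            if c.received >= c.request_bytes:
                per_src[c.src] -= 1
                if c.legit:
                    stats.served_legit += 1
                else:
                    stats.served_slow += 1
            elif policy.header_timeout is not None and t - c.opened_at >= policy.header_timeout:
                per_src[c.src] -= 1
                stats.timed_out += 1
            else:
                still_open.append(c)
        active = still_open
    return stats


SLOW_SOURCES = ["bot-a", "bot-b", "bot-c", "bot-d", "bot-e"]  # constructed labels


def run_scenario(policy: ServerPolicy) -> Stats:
    """Identical constructed load for every policy: five slow sources opening four
    connections each per tick, plus ten ordinary clients per tick, for 20 ticks."""
    return simulate(policy, SLOW_SOURCES, slow_per_src_per_tick=4, legit_per_tick=10, ticks=20)


if __name__ == "__main__":
    baseline = run_scenario(ServerPolicy())
    hardened = run_scenario(ServerPolicy(header_timeout=3, per_src_cap=5))
    print("no timeout, no cap:", baseline)
    print("timeout=3, cap=5  :", hardened)
```

In the baseline run the slow connections fill every slot within three ticks and ordinary clients are refused from then on, even though the slow traffic is tiny in bytes, which is why the text calls this kind of attack more insidious than a volumetric flood. With the timeout and per-source cap in place the pool never fills and every ordinary client is served; the same two controls correspond to the request-read timeouts and per-client connection limits that real web servers and reverse proxies expose.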