
Hacktivism Trends in H1 2024


Executive Summary


In the first half of 2024, the global cybersecurity landscape has faced an unprecedented surge in threats, particularly from state-sponsored entities. Among these, the phenomenon of Russian hacktivism has emerged, distinctly evolving from traditional hacktivism into a sophisticated tool of strategic disruption.


Unlike conventional hacktivism, which is often driven by principled activism, Russian hacktivism has become a smokescreen for state-backed operations aimed at destabilizing Western democracies. These actors have orchestrated persistent Distributed Denial of Service (DDoS) attacks, significantly disrupting digital infrastructure and sowing chaos.


However, the threat posed by Russian hacktivism extends far beyond mere digital disruptions. It is now strategically employed as an instrument of hybrid warfare, designed to provoke, destabilize, and exert influence in geopolitical conflicts. The institutionalization of these hacktivist activities within Russia has become evident, with military entities actively coordinating attacks and incentivizing participation through a system of rewards.


This analysis delves into the tactics and threats posed by Russian hacktivist groups such as CyberArmyofRussia and NoName057(16) during the first half of the year. These groups, often operating under the guise of hacktivism, are in reality extensions of state power, systematically targeting critical infrastructure and democratic institutions in the West.




CyberArmyofRussia Activity


The CyberArmyofRussia, emerging amid escalating geopolitical tensions, has rapidly solidified its position as a formidable force in the hacktivism landscape. Initially perceived as a grassroots movement, this hacktivist group has demonstrated a keen focus on conducting DDoS attacks, particularly targeting Ukrainian and Western organizations. Central to their operations is the use of Telegram, a platform that has gained significant popularity among various audiences. By leveraging Telegram, the CyberArmyofRussia saturates the information space with narratives that align with their objectives, effectively shaping public opinion and advancing their geopolitical goals.


An in-depth analysis of the group’s activities reveals troubling trends. The rapid subscriber growth on their Telegram channel raises suspicions of artificial inflation through paid services, likely aimed at creating the illusion of widespread support. This tactic not only bolsters their perceived influence but also enhances their credibility in the eyes of both supporters and adversaries.


Notably, the inception of their Telegram channel on April 1, 2022, closely coincides with the onset of the war. On several occasions, the CyberArmyofRussia has posted information regarding breaches that are linked to GRU-associated APT groups. This alignment of activities suggests that the GRU may be utilizing the CyberArmyofRussia as a proxy to claim responsibility for cyber attacks and disseminate stolen documents, all while maintaining the guise of a hacktivist entity.


One of the group’s most distinctive tools is "Killweb," developed to enable coordinated DDoS attacks. By distributing this tool among its subscribers, the CyberArmyofRussia ensures that attacks can be executed in a highly synchronized manner, a level of coordination beyond that of typical grassroots hacktivism.


Figure.1 Title of CyberArmyofRussia manual.


Targets


In the first half of 2024, the CyberArmyofRussia has relentlessly pursued its agenda through nearly 500 DDoS attacks, primarily targeting organizations in Ukraine and the European Union.


To assess the operational capabilities of CyberArmyofRussia’s attacks, we can look at one of their attacks against Ukraine’s major energy company, EnergoAtom. In that attack the group mobilized about 7.25 million bot users, simulating hundreds of millions of views on EnergoAtom’s main page within just three hours.


The selection of targets by the CyberArmyofRussia suggests a clear geopolitical agenda. Ukrainian organizations, especially those critical to national infrastructure like EnergoAtom, remain at the forefront of their offensive operations. These attacks align with the ongoing regional tensions, particularly in the context of the broader conflict between Russia and Ukraine.


In addition to their focused efforts on Ukrainian targets, the CyberArmyofRussia also launches attacks against entities within the European Union. These attacks appear to be designed to create a ripple effect, extending the impact of their operations beyond Ukrainian borders and into the broader European landscape.



Figure.2 Countries attacked by CyberArmyofRussia in H1 2024.


Figure.3 Attack chronology of CyberArmyofRussia in H1 2024.



Tools


The CyberArmyofRussia has tailored tools explicitly designed for executing DDoS attacks, showcasing a level of sophistication in their cyber arsenal. These tools are disseminated among their followers to amplify their impact and expand the reach of their campaigns.


One of their featured tools, Killweb, is written in Kotlin, a modern programming language. Executed from the terminal with precise commands, the tool uses Ktor, an asynchronous framework tailored for microservices and web applications.


Figure.4 Killweb's command line.


In addition to their Kotlin-based tool, the CyberArmyofRussia promotes another formidable DDoS tool written entirely in Python called CA_DDoS. This versatile tool is designed to initiate attacks by first scrutinizing sources for a proxy list. Once a proxy is selected at random, the tool proceeds to unleash a range of methods for conducting both Layer 7 and Layer 4-based DDoS attacks.


A commonality between these tools is their reliance on proxies. The initial step involves meticulously checking proxy sources and opting for a random selection. This strategic use of proxies serves as a cloak for their operations, adding an extra layer of anonymity to their attacks.




Both tools are equipped to carry out a variety of DDoS methods. This includes attacks targeting Layer 7 (application layer) and Layer 4 (transport layer), demonstrating the CyberArmyofRussia's adaptability in tailoring their tactics to the specific vulnerabilities of their targets.


Attack method   Description
-------------   -----------
Layer 7
  cfb           CF bypass
  pxcfb         CF bypass with proxy
  cfreq         CF UAM, CAPTCHA, BFM bypass (request)
  cfsoc         CF UAM, CAPTCHA, BFM bypass (socket)
  pxsky         Google Project Shield, Vshield bypass
  sky           Sky method without proxy
  http2         HTTP 2.0 Request attack
  pxhttp2       HTTP 2.0 Request attack with proxy
  get           GET Request attack
  post          POST Request attack
  head          HEAD Request attack
  pps           Only GET / HTTP/1.1
  spoof         HTTP Spoof Socket attack
  pxspoof       HTTP Spoof Socket attack with proxy
  soc           Socket attack
  pxraw         Request attack with proxy
  pxsoc         Socket attack with proxy
  pxslow        Slow attack with proxy
Layer 4
  udp           UDP attack
  tcp           TCP attack




NoName057(16) Activity


NoName057(16) stands out in the hacktivist landscape for its military-like discipline and unwavering focus on strategic objectives, which it consistently prioritizes over the entertainment value that drives many other groups. Since its inception on March 11, 2022, NoName057(16) has been distinct in its commitment to executing a significant volume of impactful DDoS attacks. This precision and purpose highlight the group’s dedication to achieving specific goals rather than merely participating in disruptive cyber activities.


Several indicators point toward a potential connection between NoName057(16) and Russian military intelligence, GRU. Notably, some IP addresses associated with NoName057(16) have been traced back to the infrastructure of the Sandworm APT group, a known arm of the GRU. This link gains further credibility considering NoName057(16)’s actions during Prigozhin's coup, where the group uniquely claimed responsibility for DDoS attacks against Wagner web-services. At a time when other political entities and hacktivist groups in Russia remained silent, NoName057(16) took decisive action that aligned with Russian military structures, further suggesting its alignment with the GRU’s interests.


In addition to its strategic targeting, NoName057(16) empowers its followers with the DDoSia tool, a specialized weapon designed for executing DDoS attacks. The widespread distribution of this tool not only amplifies the group's operational capabilities but also underscores its commitment to expanding influence and impact within the cyber domain. Through these actions, NoName057(16) continues to solidify its position as a key player in the broader landscape of state-aligned hacktivism.


Figure.5 One of NoName057(16)’s first posts.



Targets


NoName057(16) operates with a clear alignment to the political interests of the Russian government, meticulously selecting its targets based on unfolding geopolitical events to ensure maximum impact. Unlike more indiscriminate hacktivist groups, NoName057(16) adopts a calculated approach in identifying the most influential and valuable web resources and services within the countries it targets. This strategic targeting is evident in the way the group initiates DDoS campaigns with specific objectives, often maintaining pressure on chosen targets over several days. That is why, over the same period of time, the group conducted three times as many DDoS attacks as CyberArmyofRussia.


An analysis of NoName057(16)’s activities during the first half of 2024 reveals a notable shift in focus. While Ukraine has been a common target for Russian-aligned cyber operations in the past, NoName057(16) has not prioritized Ukraine during this period. Instead, the group has strategically shifted its efforts toward other European countries, choosing targets that align with specific geopolitical events. One country that has seen a significant amount of attention from NoName057(16) is Moldova.



Figure.6 Countries attacked by NoName057(16) in H1 2024.



Figure.7 Attack chronology of NoName057(16) in H1 2024.



Tools


NoName057(16) has developed a specialized project known as DDoSia, which serves as the central hub for distributing DDoS tools and coordinating its followers in executing cyber attacks. The DDoSia project boasts a robust infrastructure hosted on Telegram, encompassing a network of chats and channels dedicated to providing instructions, guides, support, and training materials for participants. This extensive setup ensures that users, regardless of their technical proficiency, can efficiently contribute to the group's cyber campaigns.


A key component of the DDoSia project is the DDoSia bot, a sophisticated tool that handles the registration, instruction, and coordination of followers who wish to participate in DDoS attacks. The process is streamlined to lower the barrier to entry for potential attackers. First, users must register with the bot and obtain a unique client ID. Once registered, they are instructed to download the necessary DDoSia executable files, which are available for different platforms. By placing the client ID into the same directory as the executable files, the user configures their system to communicate directly with the DDoSia infrastructure. Upon execution, the tool logs in using the client ID and retrieves a list of designated targets from the server, which the user can then attack.



Figure.8 DDoSia_Bot sharing client_id.txt with followers.



"Financial ideology"


What sets NoName057(16) apart from other hacktivist groups is its shift from ideological appeals to financial motivation. Rather than rallying followers based on shared beliefs or political goals, NoName057(16) incentivizes participation by offering monetary rewards for executing successful DDoS attacks. Payments are automatically credited to participants' Telegram account balances in the form of a cryptocurrency token called dCoin. This token, specifically developed by NoName057(16), functions as a secure and anonymous method of payment, with 1 dCoin equating to 1 Russian ruble. For each successful DDoS attack, users can earn 50 dCoins, which can then be traded on cryptocurrency exchange platforms.


The use of cryptocurrency adds a layer of anonymity and security to the transactions, making it challenging for law enforcement and cybersecurity experts to trace the flow of funds and link them to specific individuals. This financial incentive model not only expands the group’s operational capacity by attracting a broader base of participants but also underscores NoName057(16)’s sophisticated approach to sustaining its cyber warfare activities.


Figure.9 DDoSia executable files.



Mitigations


To protect themselves from Russian hacktivist DDoS attacks, companies can implement the following mitigation measures:


  • Cloud-Based DDoS Protection: Utilize cloud-based DDoS protection services like Cloudflare, Akamai, or AWS Shield to absorb and mitigate large-scale DDoS attacks before they reach your network.

  • On-Premise DDoS Mitigation: Deploy on-premise DDoS mitigation appliances or software to detect and block malicious traffic at the network edge.

  • Advanced Traffic Analytics: Implement advanced traffic analytics tools to monitor network traffic in real-time and detect unusual patterns indicative of a DDoS attack.

  • Overprovision Bandwidth: Ensure your network has sufficient bandwidth to handle traffic spikes, which can help absorb the initial impact of an attack.

  • Redundant Infrastructure: Distribute web servers across multiple data centers or use content delivery networks (CDNs) to ensure redundancy and minimize the risk of a single point of failure.

  • Rate Limiting: Configure rate limiting on servers to restrict the number of requests from individual IP addresses, reducing the effectiveness of DDoS attacks that overwhelm your infrastructure.

  • Reconfigure default threshold values: For fragmented packets, adjust the threshold that limits how many fragments are held in the reassembly buffer before an IP packet is reassembled. Otherwise, the memory allocated for the buffer can be exhausted by incomplete fragments.

  • Threat Intelligence Sharing: Participate in threat intelligence sharing networks to stay informed about emerging threats and the latest tactics used by hacktivist groups.

  • Deploy a WAF: A Web Application Firewall (WAF) can filter and block malicious traffic targeting web applications, especially against application layer (Layer 7) DDoS attacks.

  • Develop a DDoS Response Plan: Create a detailed incident response plan tailored to DDoS attacks, outlining steps to take during an attack, including communication protocols, traffic rerouting strategies, and mitigation actions.

  • Simulated DDoS Drills: Regularly conduct simulated DDoS attack drills to test the effectiveness of your response plan and train your IT and security teams to handle real-world incidents.
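As an added example (not code from the original post or from either group's tooling), the following Python applies the rate-limiting and traffic-analytics ideas above to web-server access logs: it flags source IPs that exceed a per-IP request threshold within a sliding window, and IPs whose traffic consists only of bare "GET / HTTP/1.1" requests with no Referer and no User-Agent, the shape of the "pps" method in the CA_DDoS table. The log lines, IP addresses and host name are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format (Apache/nginx default): ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one access-log line into a dict; return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_l7_flood(lines, window=10, max_requests=4):
    """Return {ip: [reasons]} for sources that (a) exceed max_requests in any sliding
    window of `window` seconds, or (b) send nothing but bare 'GET / HTTP/1.1' with no
    Referer and no User-Agent (the shape of the 'pps' method in the CA_DDoS table)."""
    recent = defaultdict(deque)            # ip -> timestamps inside the current window
    counts = defaultdict(lambda: [0, 0])   # ip -> [bare requests, total requests]
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed line: skip it, do not crash
        ip, t = rec["ip"], rec["time"]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()                    # drop timestamps that fell out of the window
        if len(q) > max_requests:
            flagged[ip].add("rate")
        counts[ip][1] += 1
        if rec["req"] == "GET / HTTP/1.1" and rec["ref"] == "-" and rec["ua"] == "-":
            counts[ip][0] += 1
    for ip, (n_bare, n_total) in counts.items():
        if n_total >= 3 and n_bare == n_total:
            flagged[ip].add("bare_get_root")
    return {ip: sorted(r) for ip, r in flagged.items()}

# Constructed sample log (documentation-range IPs, hypothetical host example.test).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:00 +0000] "GET /news HTTP/1.1" 200 8192 "https://example.test/" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [12/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [12/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [12/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
not a log line
""".splitlines()
```

Feed the function a real access log one line at a time; the flagged IPs are candidates for the per-IP rate limiting described above, not automatic blocks, since shared NAT egress addresses can also exceed a naive threshold.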





Outlook


The rise of Russian hacktivism represents a significant and growing threat to Western democracies, increasingly serving as a cover for Russia's aggressive activities. State-backed actors have organized and executed nearly 2,000 DDoS attacks across Europe in just six months, leveraging strategically crafted tools like DDoSia and Killweb and a well-coordinated network of followers.


These attacks are not only driven by ideology but are now also financially incentivized, with participants receiving cryptocurrency payments for their efforts. This shift from ideological to financial motivation underscores the systemic and institutionalized nature of these cyber operations.


One of the goals of these activities may be the creation of uncertainty and instability within the targeted countries, weakening the sense of security and exerting influence in geopolitical conflicts. As these tactics continue to evolve, the need for robust and coordinated defense strategies has never been more critical.



