
Poland Activity Report

Period:
2025-07-01 till 2025-07-31

(*) Uncategorized refers to targeted hosts that could not be categorized into a specific industry. These hosts may include illegal services, legal forums without commercial activity, or those that are not formally registered.

Group profiles

NoName057(16)

NoName057(16) is a pro-Russian threat group known for launching defacement and DDoS attacks against Ukraine and those that directly or indirectly support Ukraine. The hacktivist group formed on Telegram in March 2022 and became a notable threat group. Although it has received less media attention than Killnet, it is considered one of the most active groups. The group operates independently and has explicitly stated that it does not want to be associated with fellow pro-Russian hacktivist group Killnet and its affiliates.

In July 2022, the group quietly launched a crowdsourced botnet project named DDOSIA. The project, similar to the pro-Ukrainian Liberator by disBalancer and the fully automated DDoS bot project by the IT ARMY of Ukraine, leverages politically-driven hacktivists willing to download and install a bot on their computers to launch denial-of-service attacks. Project DDOSIA, however, raises the stakes by providing financial incentives for the top contributors to successful denial-of-service attacks.

The DDOSIA project allows the group to continuously attack government and private organization websites, mostly targeting Western nations that support Ukraine during Russia's ongoing invasion.

With well over a year of activity, pro-Russian hacktivists are getting more experienced and their tools are growing more sophisticated. NoName057(16) is arguably one of the more sophisticated attackers. They perform reconnaissance on the target website to identify the pages that submit information and have the greatest impact on server resources before staging attack vectors in their botnet feed.

Once the attack vectors are staged in the botnet feed, bots run by volunteers start attacking the website with the predefined GET and POST requests while randomizing specific variables for each request. The attack vectors randomize information but use legitimate arguments and parameters recognized by the website. Differentiating legitimate requests from illegitimate ones is much harder than detecting attack vectors with random arguments appended, which attackers typically use to cut through CDNs.

While the attack vectors are sophisticated, the bots are not (yet), and as such NoName057(16) is not leveraging per-request proxies or SOCKS services. This means that the bot IP will not change on every request and the attacks will all come from a limited number of unique IPs. Admins of the botnet do recommend that their volunteers run the bots over anonymizing VPN tunnels, but those tunnel IPs do not change dynamically all the time.

The website will face many POST and GET requests with legitimate-looking data filled with randomized content. However, a single IP will make hundreds of POST/GET requests per minute and will always hit the same limited list of pages.
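The traffic profile described above (a high per-IP request rate, a small fixed set of pages, valid parameter names with randomized values) can be turned into a simple log heuristic. The following is an added example, not code from the report: the `timestamp ip method url` log format, the function names and the thresholds are assumptions, and the sample lines are constructed using documentation IP ranges.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

def flag_repetitive_sources(lines, min_per_minute=100, max_paths=3, min_value_churn=0.9):
    """Return {ip: [minute, ...]} for sources matching the profile in the text:
    many requests per minute, few distinct pages, stable parameter names
    whose values are almost never repeated (randomized content)."""
    buckets = defaultdict(list)  # (ip, minute) -> [(path, param names, param values)]
    for line in lines:
        ts, ip, method, url = line.split(" ", 3)
        if method not in ("GET", "POST"):
            continue
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        names = tuple(sorted(k for k, _ in params))
        values = tuple(v for _, v in sorted(params))
        buckets[(ip, ts[:16])].append((parts.path, names, values))  # ts[:16] = minute
    flagged = defaultdict(list)
    for (ip, minute), reqs in sorted(buckets.items()):
        paths = {p for p, _, _ in reqs}
        shapes = {(p, n) for p, n, _ in reqs}  # page plus its parameter-name set
        churn = len({v for _, _, v in reqs}) / len(reqs)  # share of unique value sets
        if (len(reqs) >= min_per_minute and len(paths) <= max_paths
                and len(shapes) <= max_paths and churn >= min_value_churn):
            flagged[ip].append(minute)
    return dict(flagged)

def build_sample_log():
    """Constructed log: one repetitive source and one ordinary visitor."""
    rng = random.Random(1)
    start = datetime(2025, 7, 15, 10, 0, 0)
    lines = []
    for i in range(240):  # 240 requests over two minutes = 120 per minute
        ts = (start + timedelta(seconds=i // 2)).isoformat()
        page = ("/search", "/contact")[i % 2]
        method = "GET" if page == "/search" else "POST"
        token = "%08x" % rng.getrandbits(32)  # stands in for randomized form content
        lines.append(f"{ts} 203.0.113.7 {method} {page}?q={token}&lang=pl")
    for i, page in enumerate(["/", "/news", "/search?q=urzad&lang=pl", "/contact"]):
        ts = (start + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.20 GET {page}")
    return lines

if __name__ == "__main__":
    print(flag_repetitive_sources(build_sample_log()))
```

Thresholds need tuning against a site's normal traffic, and POST parameters are only visible if the logging layer records submitted field names and values.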

After the attack, the organization will potentially face an issue with thousands of fake information requests from random form fills that will have to be inspected, either manually or automatically.

NoName057(16) has evolved from its origins as a relatively unknown entity to a prominent hacking collective through a vast number of cyberattacks. Their operations have grown in scale and sophistication over time, making them a significant player in the global landscape of hacking collectives.


THIS REPORT CONTAINS ONLY PUBLICLY AVAILABLE INFORMATION, WHICH IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. ALL INFORMATION IS PROVIDED “AS IS” WITHOUT ANY REPRESENTATION OR WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES THAT THIS REPORT IS ERROR-FREE OR ANY IMPLIED WARRANTIES REGARDING THE ACCURACY, VALIDITY, ADEQUACY, RELIABILITY, AVAILABILITY, COMPLETENESS, FITNESS FOR ANY PARTICULAR PURPOSE OR NON-INFRINGEMENT. USE OF THIS REPORT, IN WHOLE OR IN PART, IS AT USER’S SOLE RISK. RADWARE AND/OR ANYONE ON ITS BEHALF SPECIFICALLY DISCLAIMS ANY LIABILITY IN RELATION TO THIS REPORT, INCLUDING WITHOUT LIMITATION, FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, LOSSES AND EXPENSES ARISING FROM OR IN ANY WAY RELATED TO THIS REPORT, HOWEVER CAUSED, AND WHETHER BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHER THEORY OF LIABILITY, EVEN IF IT WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, LOSSES OR EXPENSES. CHARTS USED OR REPRODUCED SHOULD BE CREDITED TO RADWARE.

© 2025 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries. For more details please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.