On Sunday, December 1, 2024, NoName057(16) claimed to have carried out 12 attacks.
Download now
Key Attack Insights:
- Over the past week, NoName057(16) claimed responsibility for more than 40 cyberattacks targeting Canadian organizations across telecom, transportation, government, and financial sectors.
- The attacks are largely driven by Canada’s support for Ukraine in its conflict with Russia.
- NoName057(16) specializes in disrupting the backend of online applications by targeting specific high-impact pages, such as search forms and public post forms.
- They conduct extensive pre-attack analysis to craft URLs that mimic legitimate traffic and bypass traditional defenses.
- Their attacks, typically in the hundreds of thousands of requests per second (RPS), deliver outsized impact by precisely targeting backend resources.
DDoS Attacks Targeting Canada
Over the past week, NoName057(16) has taken responsibility for conducting more than 40 cyberattacks against telecom, transportation, government, and financial organizations in Canada. On Sunday, December 1, 2024, the group claimed to have carried out 12 attacks.
Figure 1: NoName057(16) attack claims per day targeting Canadian organizations [source: Radware]
Figure 2: Attacks targeting Canada claimed by NoName057(16) on Sunday, December 1, 2024 [source: Telegram]
Figure 3: Industries targeted by NoName057(16) between November 22 and December 1, 2024 [source: Radware]
Attack Motivation
NoName057(16)'s cyberattacks on Canadian organizations appear to be motivated by both geopolitical grievances and a desire to exploit domestic vulnerabilities. The group criticizes Canada for its strong support of Ukraine in the ongoing conflict with Russia, particularly its alignment with U.S. policies, which they describe as "Russophobic." They cite Canada's financial and political backing of Ukraine, including Prime Minister Justin Trudeau's administration’s decisions, as key reasons for their campaign. These actions are framed as prioritizing foreign interests over domestic needs, further fueling the group's animosity.
In their rhetoric, NoName057(16) highlights Canada's internal challenges to justify their attacks and amplify their impact. They point to economic struggles, including high costs of basic goods, a shortage of affordable housing, and strained healthcare services. The group emphasizes long wait times for medical care and even accuses the Canadian government of promoting euthanasia as a means to address healthcare inefficiencies. Additionally, they criticize Canada's handling of migration issues, which they claim exacerbate these systemic problems. By referencing these issues, the group positions their actions as a response to a failing government that neglects its citizens.
NoName057(16) seeks to leverage these existing crises to further destabilize Canadian society. Their attacks are framed as symbolic retribution, intended to target both the government and the nation’s identity. The group uses inflammatory language and mockery, such as ridiculing Trudeau and highlighting a resurgence of scurvy, to delegitimize Canada’s leadership and foster public discontent. By combining geopolitical grievances with a focus on Canada’s domestic challenges, the group justifies their cyberattacks as both punishment and a means to exacerbate perceived failures in governance.
Figure 4: Attack motivations posted by NoName057(16) on November 28 and 29, 2024 [source: Telegram]
Who is NoName057(16)
NoName057(16) is a pro-Russian hacktivist group that surfaced shortly after the February 2022 invasion of Ukraine, emerging in direct response to the IT Army of Ukraine's call for volunteers to target Russian entities. This group aligns itself strongly with Russian geopolitical interests, especially regarding the ongoing Ukraine conflict. They manage the DDoSia project, a volunteer-driven and financially incentivized botnet used to launch DDoS attacks against government institutions, critical infrastructure, financial entities, and media outlets in NATO-affiliated nations or any country supporting Ukraine or opposing Russia. To sustain the effectiveness of these volunteer-led attacks, NoName057(16) frequently updates its command-and-control infrastructure. Since February 2022, the group has persistently executed daily DDoS attacks on numerous organizations, making it the most active pro-Russian hacktivist collective since the conflict's onset.
More information
Noname057(16) Tactics and Techniques
NoName057(16), like many contemporary threat actors, utilizes Layer 7 web DDoS attacks to disrupt their targets' online resources. They rely on a network of volunteers operating their financially incentivized DDosia bot to execute these attacks. What sets NoName057(16) apart is their focused strategy of targeting the backend components of online applications and services.
Before initiating an attack, NoName057(16) conducts thorough reconnaissance on the targeted website to pinpoint the webpages that most critically impact the backend infrastructure, such as search forms and public post forms. They craft specific URLs targeting these high-impact pages and randomize the request data in a way that closely mimics legitimate traffic, making it challenging to distinguish malicious requests from genuine ones.
While their attack volumes typically range in the hundreds of thousands rather than the millions of requests per second (RPS), their precise targeting of backend resources results in a disproportionate impact compared to more generalized Web DDoS attacks. This strategic approach allows NoName057(16) to achieve significant disruption even with relatively moderate attack sizes.
Recommendations
Network-based DDoS protection solutions are ineffective at detecting and mitigating Layer 7 DDoS attacks due to their inability to decrypt attack traffic and inspect Layer 7 headers in detail. As a result, these attacks often bypass traditional network defenses. Similarly, while on-premises or cloud-based web application firewalls (WAFs) are effective against standard web-based threats, they fall short in defending against modern Web DDoS attacks for several reasons:
- Scale: The volume of Layer 7 attacks, measured in requests per second (RPS), has reached unprecedented levels. In the past year, multiple third-party reports disclosed attacks exceeding millions of RPS. The sheer scale of these attacks overwhelms the capacity of traditional on-premises solutions.
- Attack Sophistication: These attacks mimic legitimate traffic, constantly randomizing requests to evade detection. Without predefined signatures or rule-based mechanisms to identify malicious behavior, traditional defenses are ineffective. Detecting and mitigating such traffic requires behavioral-based algorithms with self-learning and auto-tuning capabilities.
- Morphing Attacks: Modern Layer 7 threats are dynamic, frequently evolving, and sustaining changes over extended periods. Standard WAF solutions lack the adaptability to respond in real time to these rapidly shifting attack patterns, leaving organizations vulnerable.
- Human Factor: The complexity of these attacks demands skilled security teams to maintain effective protection. Limited resources, personnel, and budgets often hinder self-managed teams from addressing 24/7 attack campaigns. Additionally, on-premises tools rely on manual rule definitions, which are insufficient for the pace and sophistication of these threats.
Radware Web DDoS Protection addresses these challenges with advanced behavioral-based algorithms capable of identifying and mitigating unknown malicious requests at scale in real-time. Unlike volumetric approaches that fail to distinguish legitimate traffic surges from malicious activity, Radware’s solution accurately identifies and blocks malicious traffic while ensuring legitimate users are not impacted.
The system provides comprehensive protection against a wide range of Layer 7 DDoS threats, including sophisticated, randomized attacks, newly developed tools, and high-scale Web DDoS campaigns. Radware’s adaptive technology continuously analyzes threats and their variants, dynamically responding to evolving attack patterns without generating false positives. By automating the detection and mitigation process, Radware ensures robust, real-time protection tailored to the complexity and scale of modern Layer 7 DDoS attacks.
EFFECTIVE DDOS PROTECTION ESSENTIALS
Intelligence on Active Threat Actors – High fidelity, correlated and analyzed data for
preemptive protection against currently active known attackers
Behavioral-Based Detection - Quickly and accurately identify and block anomalies while allowing
legitimate traffic through
Real-Time Signature Creation - Promptly protect against unknown threats and zero-day attacks
Cybersecurity Emergency Response Plan - A dedicated emergency team of experts who have
experience with Internet of Things security and handling IoT outbreaks
Hybrid DDoS Protection – Use on-premise and cloud DDoS
protection for real-time DDoS attack prevention that also addresses
high-volume attacks and protects from pipe saturation
For further network and application protection measures, Radware urges
companies to inspect and patch their network to defend against risks and threats.
EFFECTIVE WEB APPLICATION SECURITY ESSENTIALS
Low false positive rate - using negative and positive security models for maximum accuracy
Auto-policy generation - capabilities for the widest coverage with the lowest operational effort
Bot protection and device fingerprinting - capabilities to overcome dynamic IP attacks and
achieve improved bot detection and blocking
Full OWASP Top-10 – coverage against defacements, injections, etc.
Flexible deployment options – on-premises, out-of-path, virtual or cloud-based
Securing APIs - by filtering paths, understanding XML and JSON schemas for enforcement, and
using activity tracking mechanisms to trace bots and guard internal resources
LEARN MORE AT RADWARE’S SECURITY RESEARCH CENTER
To know more about today’s attack vector landscape, understand the business impact of cyberattacks, or learn more
about emerging attack types and tools, visit Radware’s Security Research Center.
Additionally, visit Radware’s Quarterly DDoS & Application Threat Analysis
Center for quarter-over-quarter analysis of DDoS and application attack activity based on data from Radware’s
cloud security services and threat intelligence.
Threat Alert
Download a copy of the ERT Threat Alert
Download now