Discover how NoName057(16) targeted 3,700+ hosts across Europe using its DDoSia platform. This in-depth report reveals multi-tiered C2 infrastructure, attack patterns, and strategic geopolitical motivations behind the hacktivist-led campaign.
Analysis Summary
# Threat Actor: NoName057(16)
## Attribution & Identity
* **Identification:** Pro-Russian hacktivist group.
* **Association:** Volunteer-driven, recruits via Telegram channels, and is politically motivated by Russian nationalism.
* **Origin:** Emerged in March 2022, immediately following Russia's full-scale invasion of Ukraine.
* **Operational Tempo:** Maintains a high, sustained operational tempo, averaging 50 unique targets daily, often correlating with geopolitical/military developments. Pattern-of-life analysis suggests operations are conducted from within a Russian time zone, with target additions peaking around 05:00-07:00 UTC and 11:00 UTC on weekdays.
## Activity Summary
NoName057(16) has waged a sustained, large-scale **Distributed Denial-of-Service (DDoS)** campaign over the last thirteen months (July 1, 2024, to July 14, 2025), targeting over 3,700 unique hosts. Activity peaked between June 2024 and July 2025, when 3,776 distinct hosts were hit in total. The group uses its volunteer-based platform, "DDoSia," to execute these operations.
## Tactics, Techniques & Procedures
* **Primary Technique:** Distributed Denial-of-Service (DDoS) attacks; the recovered configuration data shows frequent use of the 'http2' attack type.
* **Infrastructure Management:** Implements a multi-tiered C2 infrastructure designed for resilience and reliable command and control.
    * **Tier 1 C2:** Rapidly refreshed servers (average lifespan of nine days) with restricted upstream access.
    * **Tier 2 C2:** Secured by Access Control Lists (ACLs), restricting connections only to authorized Tier 1 servers.
* **Payload Delivery:** Retrieves attack configurations (including target hosts, ports, methods, and attack types) from C2 servers via encrypted (AES-GCM) JSON responses.
* **Traffic Evasion:** Utilizes randomized data generation parameters within the attack configuration to introduce variability into HTTP requests, likely to bypass simple filtering and caching mechanisms.
* **Operational Model:** Utilizes a volunteer model, providing necessary tools and infrastructure to participants and rewarding contributions.
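The randomised-request evasion described above, together with the rate limiting recommended under Mitigations, as an added detection example that is not part of the original report: it runs over constructed access-log lines (not captured DDoSia traffic) and flags sources that combine a high request count with near-unique query strings, the signature of cache-busting parameters. The thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in combined log format; not real captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2025:11:00:01 +0000] "GET /index.php?x=a91f&y=7721 HTTP/2.0" 200 512
203.0.113.7 - - [14/Jul/2025:11:00:01 +0000] "GET /index.php?x=b0c2&y=1134 HTTP/2.0" 200 512
203.0.113.7 - - [14/Jul/2025:11:00:02 +0000] "GET /index.php?x=5e6d&y=9980 HTTP/2.0" 200 512
203.0.113.7 - - [14/Jul/2025:11:00:02 +0000] "GET /index.php?x=ff01&y=4421 HTTP/2.0" 200 512
203.0.113.7 - - [14/Jul/2025:11:00:03 +0000] "GET /index.php?x=0a7c&y=3310 HTTP/2.0" 200 512
198.51.100.22 - - [14/Jul/2025:11:00:01 +0000] "GET /index.php HTTP/2.0" 200 512
198.51.100.22 - - [14/Jul/2025:11:00:05 +0000] "GET /about HTTP/2.0" 200 800
198.51.100.22 - - [14/Jul/2025:11:00:09 +0000] "GET /index.php HTTP/2.0" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+$'
)

def parse_log(text):
    """Yield (ip, path, query) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        yield m.group("ip"), parts.path, parts.query

def flag_cache_busters(text, min_requests=5, min_unique_ratio=0.8):
    """Return {ip: summary} for sources at or above min_requests whose query
    strings are almost all distinct (assumed thresholds for illustration)."""
    per_ip = defaultdict(list)
    for ip, path, query in parse_log(text):
        per_ip[ip].append((path, query))
    flagged = {}
    for ip, reqs in per_ip.items():
        if len(reqs) < min_requests:
            continue
        queries = [q for _, q in reqs]
        unique_ratio = len(set(queries)) / len(queries)
        if unique_ratio >= min_unique_ratio:
            flagged[ip] = {"requests": len(reqs),
                           "unique_query_ratio": round(unique_ratio, 2),
                           "paths": sorted({p for p, _ in reqs})}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_cache_busters(SAMPLE_LOG).items():
        print(ip, info)
```

In production the per-source counts would be kept per time window and the flagged sources fed to the rate limiter or WAF, rather than computed over a whole file.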
## Targeting
* **Motivation/Objective:** Political agenda rooted in Russian nationalism; attacks are not financially motivated.
* **Sectors:**
    1. Government and Public Sector (41.09%)
    2. Transportation and Logistics (12.44%)
    3. Technology, Media, and Communications (10.19%)
* **Geography:** Primarily European nations opposing the invasion of Ukraine.
    1. Ukraine (29.47% of targets)
    2. France (6.09%)
    3. Italy (5.39%)
    4. Sweden (5.29%)
    * *Note: The US has not been a primary target.*
* **Victims:** Primarily government and public-sector entities in NATO-aligned European countries.
## Tools & Infrastructure
* **Malware Families Used:** DDoSia platform (mechanism for volunteer-driven attacks).
* **Infrastructure (C2, domains, IPs):**
    * Multi-tiered C2 architecture (Tier 1 and Tier 2 servers).
    * Tier 1 C2 servers are rapidly rotated.
    * Tier 2 servers are protected by ACLs.
## Implications
NoName057(16) represents a persistent, state-encouraged form of hybrid warfare, deliberately calibrated to remain below the threshold of conventional conflict. Its high operational tempo means organizations in NATO-aligned European countries must treat DDoS activity driven by geopolitical tensions as a long-term, persistent reality. Law enforcement actions (such as Operation Eastwood) may counter short-term spikes, but their long-term effectiveness remains uncertain.
## Mitigations
* **DDoS Protection:** Deploy layered DDoS protection and leverage Content Delivery Networks (CDNs).
* **Network Controls:** Configure Web Application Firewalls (WAFs); enforce granular network controls such as IP blocking and rate limiting.
* **Preparedness:** Establish a tested incident response plan encompassing business continuity, communication, and escalation procedures.
* **Situational Awareness:** Invest in monitoring threat actor activity across forums and coordination channels, and track threats affecting peer organizations to anticipate emerging campaigns.