Disruption of NoName057(16): A Major Blow to Pro-Russian Cyber Crime
A multinational cyber enforcement operation, spearheaded by the European Union’s Europol and Eurojust agencies, has successfully disrupted the NoName057(16) pro-Russian hacktivist cyber crime network. This group has been responsible for a series of high-profile distributed denial of service (DDoS) attacks, primarily targeting Ukraine but expanding its focus to other European nations, particularly NATO members, following the outbreak of war in 2022.
The Scope of the Threat
Europol has reported that the NoName057(16) network has been linked to numerous cyber attacks across Europe. In 2023 and 2024, the group targeted Swedish authorities and bank websites, while Germany experienced 14 separate waves of attacks affecting over 250 companies and institutions. Notably, Switzerland faced multiple attacks during significant events, including a Ukrainian video message to the Joint Parliament and the Peace Summit for Ukraine in June 2024. Most recently, Dutch authorities confirmed an attack during the latest NATO summit, although all attacks were mitigated without substantial interruptions.
Operation Eastwood: A Coordinated Response
The operation, dubbed “Operation Eastwood,” has led to the takedown of 100 servers and a significant portion of NoName’s operational infrastructure. Authorities in France and Spain made two arrests, while 24 property searches were conducted across Europe. Europol reported that 13 individuals were questioned, and over 1,000 supporters of the NoName network, including 15 administrators, were notified of their potential legal liabilities. Many of these individuals are believed to be Russian-speaking hacktivists.
German authorities have issued six arrest warrants for Russian nationals, including prominent figures such as Andrej Stanislavovich Avrosimov and Mihail Evgeyevich Burlakov, who are suspected of being ringleaders within the group. Burlakov is accused of developing and optimizing the software used for attacks, while Olga Evstratova is believed to have played a crucial role in creating the DDoSia malware.
Understanding the NoName Network
Unlike state-sponsored cyber actors such as Fancy Bear, the NoName057(16) network operates more like a cyber criminal ransomware gang. While lacking direct support from Russian authorities, the group operates under an unspoken understanding that Moscow will not interfere with their activities. At its peak, NoName057(16) boasted around 4,000 supporters and built a botnet comprising several hundred servers to launch DDoS attacks.
The group utilized pro-Russian channels, web forums, and niche chat groups on social media to recruit volunteers, often targeting individuals from gaming and hacking communities. New recruits were given access to platforms like DDoSia, which simplified the attack process, allowing them to launch cyber assaults with minimal technical skills. Volunteers were incentivized with cryptocurrency payments, fostering sustained commitment and attracting opportunists.
Culturally, NoName057(16) adopted elements from gaming, including leaderboards and earned badges, to instill a sense of status among its members. This gamification strategy emotionally reinforced their narrative of defending their country, often invoking historical memories of World War II to rally support.
The Future of NoName057(16)
Despite the recent crackdown, experts caution that the disruption of NoName057(16) may not signify the end of their activities. Rafa López, a security engineer at Check Point, noted that while the group’s DDoS capabilities have been diminished, they are likely to pivot towards more sophisticated methods, such as system intrusions and data exfiltration. The group remains active, with a vast network of affiliates and thousands of volunteers across various platforms.
To combat evolving threats from groups like NoName057(16), organizations are advised to implement multi-layered security strategies. These include robust DDoS protection, intrusion detection systems, and regular security audits. Employee education about cyber attack risks and monitoring for unusual activities on communication platforms are also essential for safeguarding against recruitment efforts.
International Collaboration
Operation Eastwood exemplifies the importance of international collaboration in combating cyber crime. Authorities from multiple countries, including Czechia, Finland, France, Germany, Italy, Lithuania, the Netherlands, Poland, Spain, Sweden, and the US, worked together, with additional support from agencies in Belgium, Canada, Denmark, Estonia, Latvia, Romania, and Ukraine. Private sector organizations like ShadowServer and abuse.ch also provided crucial technical support.
As the landscape of cyber crime continues to evolve, the efforts of law enforcement agencies and international cooperation will be vital in addressing the challenges posed by hacktivist groups like NoName057(16). The fight against cyber crime is far from over, and vigilance remains key in protecting national and organizational security.