Since the start of the war in Ukraine, the cyber threat landscape has been reshaped by the emergence of pro-Russian hacktivist groups. Among the most active and organised is NoName057(16), a collective widely known for its disruptive actions. Recent CISA and NCSC advisories caution US and UK firms about the disruption it causes.

Who is NoName057(16)?

NoName057(16) is a pro-Russian hacktivist group that emerged in March 2022, shortly after the Russian invasion of Ukraine. While the group positions itself as a volunteer-based collective, intelligence assessments suggest it likely originated as a covert project of the Centre for the Study and Network Monitoring of the Youth Environment (CISM), an organisation established by Russian President Vladimir Putin in 2018 and operating on behalf of Russia.

Evolution

NoName057(16) is no longer operating alone. It has forged close partnerships that amplify its reach and capabilities, moving beyond simple website disruption:

  • Cyber Army of Russia Reborn (CARR): A close partner with shared leadership personnel. CARR acts as a front for the Russian GRU unit Sandworm (APT44) and focuses on Industrial Control Systems (ICS) and Operational Technology (OT) to cause physical disruption in sectors like water and energy.

  • Z-Pentest: A "hybrid" special operations unit formed by administrators from both NoName057(16) and CARR. This group specialises in OT intrusions, "hack-and-leak" operations, and defacements rather than the DDoS attacks that are NoName057(16)'s signature.

  • Sector16: Operating in close collaboration with Z-Pentest, this newer group specifically targets U.S. energy infrastructure by exploiting accessible Virtual Network Computing (VNC) devices.

  • Wider Collaborations: NoName057(16) has expanded its sphere by working with groups like the pro-Palestinian Mr. Hamza (part of the Holy League) and AzzaSec, an Italian-based group whose aims include deploying ransomware.

Attack Vectors and Targets

The group's targeting is strictly geopolitical, focusing on nations supportive of Ukraine and deemed hostile to Russian interests, primarily NATO members (US, UK, Poland, France, Germany, etc.).

Their attacks fall into two primary categories:

  1. Distributed Denial of Service (DDoS): This remains the group's signature tactic, largely executed through their proprietary DDoSia project to take websites offline and disrupt public services.

  2. Operational Technology (OT) Intrusions: This escalating threat involves scanning the internet for exposed VNC interfaces (remote access tools) with weak credentials. Once inside, they access Human-Machine Interfaces (HMIs) to change device parameters, modify setpoints, disable alarms, and attempt to shut down critical devices—moving from digital disruption to potential physical impact.
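The OT intrusion pattern above (credential guessing against an exposed VNC service, then a successful login from an address that should never reach an HMI) is visible in authentication logs. The following detector is an added example written for this article, not code from the original post or from CISA/NCSC. It assumes a syslog-like VNC log line format that is constructed here, and an assumed allowlist of management networks; the sample lines, hostnames and addresses are constructed (documentation address ranges stand in for external sources).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format (not taken from any
# real VNC server). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used
# here to stand in for external addresses; 10.20.0.0/16 stands in for the OT
# management subnet.
SAMPLE_LOG = """\
2024-10-28T02:14:03Z hmi-pump-01 vnc: auth failed from 203.0.113.7
2024-10-28T02:14:04Z hmi-pump-01 vnc: auth failed from 203.0.113.7
2024-10-28T02:14:05Z hmi-pump-01 vnc: auth failed from 203.0.113.7
2024-10-28T02:14:06Z hmi-pump-01 vnc: auth failed from 203.0.113.7
2024-10-28T02:14:07Z hmi-pump-01 vnc: auth failed from 203.0.113.7
2024-10-28T02:14:09Z hmi-pump-01 vnc: auth succeeded from 203.0.113.7
2024-10-28T02:20:00Z hmi-pump-01 vnc: auth failed from 198.51.100.4
2024-10-28T09:00:00Z hmi-pump-01 vnc: auth succeeded from 10.20.30.40
"""

# Assumed: the only networks that should ever reach an HMI's VNC service.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vnc: auth (?P<result>failed|succeeded) from (?P<ip>\S+)$"
)


def parse_events(log_text):
    """Turn raw lines into (timestamp, host, result, source_ip) tuples; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["result"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), allowed=ALLOWED_NETWORKS):
    """Return (host, ip, kind) alerts. Kinds:
      brute_force               - at least `threshold` failures from one source within `window`
      success_after_failures    - a success from a source that failed within `window`
      success_outside_allowlist - a success from a source outside the expected management networks
    """
    alerts = []
    failures = defaultdict(list)  # (host, ip) -> timestamps of recent failures
    already_flagged = set()
    for ts, host, result, ip in sorted(events):
        key = (host, ip)
        # Keep only failures that still fall inside the sliding window.
        recent = [t for t in failures[key] if ts - t <= window]
        if result == "failed":
            recent.append(ts)
            if len(recent) >= threshold and key not in already_flagged:
                alerts.append((host, ip, "brute_force"))
                already_flagged.add(key)
        else:
            if recent:
                alerts.append((host, ip, "success_after_failures"))
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in allowed):
                alerts.append((host, ip, "success_outside_allowlist"))
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the source that guessed its way in is reported three times: for the burst of failures, for the success that followed them, and for logging in from outside the management networks. The last alert fires even when no failures precede it, which is the check that matters once an exposed service has already been found with weak credentials.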

In late October 2024, the threat was felt directly in the UK, where waves of attacks against at least 13 local authorities successfully disrupted services. The US threat has also escalated into attempts to compromise OT/ICS systems.

Essential Defenses: Shoring Up Your Perimeter

Last week saw a significant surge in DDoS attacks targeting UK councils, rail and the water sector, intensifying the ongoing assault on UK infrastructure.

Some of the targeted entities

Recommendations

The National Cyber Security Centre (NCSC) and Cybersecurity and Infrastructure Security Agency (CISA) recommend a multi-layered approach to defense.

  1. Strengthening Upstream Defenses (DDoS)

    1. Utilise a Content Delivery Network (CDN) for web-based services.

    2. Employ third-party DDoS mitigation services (e.g., Cloudflare).

    3. Understand and leverage the DDoS mitigations already in place with your Internet Service Provider (ISP).

    4. Utilise multiple service providers for redundancy.

    5. Build services to scale rapidly using cloud-native scaling to handle traffic spikes.

    6. Define a robust response plan to operate effectively, even in a degraded state, during an attack.

    7. Continuously test and monitor your defenses to understand attack volume resilience.
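The monitoring step in the list above needs a concrete signal to watch. The block below is an added example written for this article (not code from the original post, CISA or NCSC): it buckets web requests into fixed windows, flags windows whose request count far exceeds the median, and reports how concentrated the traffic in a flagged window is across its busiest sources. The log line format and the traffic it generates are constructed here, with documentation address ranges standing in for real clients.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed access-log line format: "<iso timestamp> <source ip> <method> <path> <status>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed traffic, not a real capture: 30 s of normal load (2 req/s spread over
    40 sources in 198.51.100.0/24) followed by 10 s of flood (50 req/s from five sources
    in 203.0.113.0/24). Both are documentation address ranges."""
    start = datetime(2024, 10, 28, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(40):
        t = (start + timedelta(seconds=sec)).strftime(TS_FMT)
        if sec < 30:
            for n in range(2):
                lines.append(f"{t} 198.51.100.{(sec * 2 + n) % 40 + 1} GET /services/bins 200")
        else:
            for n in range(50):
                lines.append(f"{t} 203.0.113.{n % 5 + 1} GET /services/bins 503")
    return lines


def bucket_requests(lines, bucket_seconds=10):
    """Group requests into fixed windows: bucket start (epoch seconds) -> Counter of source IPs."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        start = int(ts.timestamp()) // bucket_seconds * bucket_seconds
        buckets[start][m["ip"]] += 1
    return dict(buckets)


def detect_spikes(buckets, factor=5, top_n=5):
    """Flag buckets whose request count exceeds `factor` x the median bucket count.
    Returns (bucket_start, count, top_share, top_sources) per spike. top_share is the
    fraction of the bucket's requests sent by its `top_n` busiest sources: close to 1.0
    means a handful of sources dominate (a flood), a low value means broadly spread load
    that may be legitimate demand and needs scaling rather than blocking."""
    counts = {b: sum(c.values()) for b, c in buckets.items()}
    baseline = median(counts.values())
    spikes = []
    for b in sorted(counts):
        if counts[b] > factor * baseline:
            top = buckets[b].most_common(top_n)
            top_share = sum(n for _, n in top) / counts[b]
            spikes.append((datetime.fromtimestamp(b, tz=timezone.utc), counts[b], top_share, top))
    return spikes


if __name__ == "__main__":
    for start, count, top_share, top in detect_spikes(bucket_requests(build_sample_log())):
        print(f"{start.isoformat()} {count} requests, top-5 share {top_share:.2f}, top sources {top}")
```

The median baseline is deliberately robust: a single flood window does not drag the baseline up the way a mean would. In practice the per-window counts and top-source share would be fed to the CDN or mitigation provider's reporting rather than printed, but the two numbers together are what distinguish an attack from a genuine spike in public demand.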

  2. Protecting Operational Technology (OT)

    The most critical defenses focus on reducing the attack surface for OT/ICS:

    1. Reduce Internet Exposure: The single most important step is to limit the exposure of OT assets to the public-facing internet.

    2. Implement Robust Authentication:

      • Enforce Multi-Factor Authentication (MFA) for all remote access.

      • Change default credentials and enforce strong, unique passwords.

      • Limit remotely accessible accounts to "view-only" privileges where possible.

    3. Network Segmentation: Implement clear segmentation between your IT (information technology) and OT (operational technology) networks.

    4. Asset Management: Adopt mature processes to map data flows and keep remote access services (like VNC) updated with the latest patches.

    5. Disaster Recovery: Develop business recovery plans that include scenarios for safely switching to manual operations during a cyber incident.
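The five OT controls above can be expressed as checks over a remote-access inventory, so that the most exposed assets surface first. The block below is an added example written for this article, not code from the original post, CISA or NCSC. The inventory schema, the three assets in it, the finding names and the weights used to order them are all assumed for illustration.

```python
from datetime import date

# Constructed inventory in an assumed schema; the hostnames, services and dates are
# illustrative, not real assets. "reachable_from" records where the service can be
# reached from, as found by the asset-management process.
INVENTORY = [
    {"name": "hmi-pump-01", "service": "vnc", "zone": "ot", "reachable_from": "internet",
     "mfa": False, "default_credentials": True, "access": "full", "last_patched": "2023-01-15"},
    {"name": "hmi-chlorine-02", "service": "vnc", "zone": "ot", "reachable_from": "ot-jump-host",
     "mfa": True, "default_credentials": False, "access": "view-only", "last_patched": "2024-09-30"},
    {"name": "eng-ws-03", "service": "rdp", "zone": "ot", "reachable_from": "corporate-it",
     "mfa": True, "default_credentials": False, "access": "full", "last_patched": "2024-10-01"},
]

# (finding id, weight, predicate). The weights are an assumed triage ordering only;
# they follow the article's emphasis that internet exposure is the most important control.
CHECKS = [
    ("internet-exposed",    10, lambda a, today: a["reachable_from"] == "internet"),
    ("default-credentials",  8, lambda a, today: a["default_credentials"]),
    ("no-mfa",               6, lambda a, today: not a["mfa"]),
    ("it-ot-not-segmented",  5, lambda a, today: a["zone"] == "ot" and a["reachable_from"] == "corporate-it"),
    ("patch-overdue",        3, lambda a, today: (today - date.fromisoformat(a["last_patched"])).days > 180),
    ("not-view-only",        2, lambda a, today: a["access"] != "view-only"),
]


def audit_asset(asset, today):
    """Run every check against one asset; return its findings and a weighted risk score."""
    findings = [fid for fid, _, pred in CHECKS if pred(asset, today)]
    score = sum(w for fid, w, _ in CHECKS if fid in findings)
    return {"name": asset["name"], "findings": findings, "score": score}


def audit(inventory, today_iso):
    """Audit every asset as of the given ISO date; results sorted by risk score, highest first."""
    today = date.fromisoformat(today_iso)
    return sorted((audit_asset(a, today) for a in inventory), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in audit(INVENTORY, "2024-10-28"):
        print(f"{result['name']:<16} score={result['score']:<3} {', '.join(result['findings']) or 'clean'}")
```

Running it against the constructed inventory puts the internet-reachable HMI with default credentials and no MFA at the top, the engineering workstation reachable straight from the corporate network second (the segmentation finding), and the jump-host-only, view-only HMI last with no findings. The same structure extends naturally: each new control from the advisories becomes one more tuple in CHECKS.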

As the hacktivist threat grows in complexity and capability, preparation and proactive defense are no longer optional; they are essential for maintaining the continuity and safety of organisations in the face of escalating geopolitical cyber warfare.
