NoName057(16)

1. Overview

NoName057(16) is a politically motivated pro-Russian hacktivist group active since March 2022. It emerged shortly after the Russian invasion of Ukraine and has focused almost exclusively on conducting distributed denial-of-service (DDoS) attacks against European and NATO-aligned countries that support Ukraine. The group primarily uses its operations to disrupt public-facing websites of governments, media, transport, and financial institutions.

NoName057(16) conducts its campaigns under the guise of patriotism and resistance against what it perceives as anti-Russian states. Despite limited technical sophistication, the group is effective at generating disruption and publicity, especially through its use of social media and Telegram channels to promote its activities.


2. Origin and Evolution

NoName057(16) emerged in March 2022 as part of the broader Russian-aligned cyber response to Western opposition to the war in Ukraine. It is believed to be an ideologically driven collective of hacktivists, although some evidence suggests support or facilitation from Russian cyber units or nationalist influencers.

Since its formation, the group has claimed responsibility for dozens of DDoS campaigns targeting government portals, railway systems, election platforms, news websites, and payment infrastructure. The group rapidly gained followers via Telegram, where it posts regular updates on attack targets, results, and justifications.

Over time, NoName057(16) developed its own DDoS toolkit and launched a crowd-sourced DDoS platform named DDosia, encouraging volunteers to participate in attacks by running its software in exchange for cryptocurrency rewards.


3. Tactics, Techniques, and Procedures (TTPs)

NoName057(16) relies primarily on distributed denial-of-service (DDoS) attacks to disrupt the availability of websites and services. Its tactics include:

  • DDoS attacks
    The group uses HTTP flood, TCP flood, and UDP amplification attacks to overwhelm target servers (MITRE ATT&CK T1499, Endpoint Denial of Service). These are conducted using publicly available tools as well as its proprietary DDosia platform.
  • Crowd-sourced botnet
    DDosia enables users to participate in attacks by downloading and running malware-like payloads that direct traffic toward chosen targets. Users are rewarded in cryptocurrency for uptime and attack participation.
  • Target selection and announcement
    Targets are announced in advance via Telegram, usually aligned with current geopolitical events, sanctions, or military actions. Websites are often targeted during national holidays or political moments for maximum impact.
  • Defacement and disruption claims
    While the group does not deploy malware, it often exaggerates the impact of its campaigns. Downtime as short as a few minutes is advertised as a “successful hack,” contributing to its propaganda objectives.

4. Targeting Profile

NoName057(16) targets organisations and infrastructure in countries viewed as hostile to Russian interests or as supporters of Ukraine. Typical targets include:

  • Government ministries and parliaments
  • Election portals and referenda websites
  • Public transportation and airport systems
  • Banking and payment infrastructure
  • Media outlets and journalists critical of the Russian government
  • Military-related agencies and defence contractors

Target countries have included Ukraine, Poland, Lithuania, Latvia, Estonia, Germany, France, the United Kingdom, the United States, and Nordic nations. In the UK, targets have included parliament portals, public transportation websites, and regional government services.


5. Notable Campaigns and Victims

Notable campaigns claimed by NoName057(16) include:

  • Coordinated DDoS attacks on Polish and Lithuanian government websites in mid-2022
  • Disruption of Ukrainian banking portals during periods of missile escalation
  • Temporary takedown of public-facing websites in Estonia and Latvia
  • Targeting of the UK Parliament website and regional transportation systems in late 2023
  • Disruption of Finnish and Swedish government services during NATO accession talks
  • Repeated attacks on election-related websites in Moldova and Slovakia

Although most attacks result in temporary outages, the frequency and coordination of the campaigns raise concerns over potential state support or integration with broader Russian information warfare efforts.


6. Technical Indicators

Because the group primarily uses DDoS and publicly available tools, technical indicators vary. Common traits include:

  • Participation in Telegram channels linked to DDosia
  • Use of command-line DDoS tools such as slowloris, HTTP flooders, and UDP/TCP scripts
  • DDosia client hashes appearing in malware repositories
  • IPs linked to residential proxy services and VPNs used to mask origin
  • Short bursts of high-volume traffic targeting a single endpoint

The group’s tools do not typically deploy malware, but DDosia clients may exhibit malware-like behaviour and connect to suspicious command and control nodes.


7. Defensive Measures and Recommendations

To mitigate the impact of NoName057(16) campaigns:

  • Deploy a scalable DDoS mitigation service such as Cloudflare, Akamai, or Radware
  • Use web application firewalls and geo-fencing for publicly exposed endpoints
  • Monitor for traffic spikes and unusual HTTP headers associated with DDoS toolkits
  • Harden DNS infrastructure and use failover mechanisms for critical services
  • Regularly update public-facing websites and infrastructure so that they can absorb traffic surges
  • Establish a crisis communication plan in the event of public-facing service disruption

Collaboration with national CSIRTs and DDoS mitigation providers is essential to defend against campaigns coordinated through Telegram and other public channels.
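
The indicator in section 6 ("short bursts of high-volume traffic targeting a single endpoint") and the monitoring recommendation above can be turned into a simple access-log check. The following is an added example, not part of the original profile or of any vendor's tooling; the function names, the thresholds, the combined-log-style input format and the sample log (documentation address ranges only) are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style prefix: client IP, [timestamp], "METHOD target ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

def detect_bursts(lines, window_s=10, min_requests=50, min_sources=20, min_share=0.8):
    """Return (window_start_epoch, path, requests, distinct_ips) for each window
    in which one endpoint takes most of the traffic from many sources.
    All thresholds are illustrative assumptions; tune against your baseline."""
    buckets = defaultdict(lambda: defaultdict(list))  # window -> path -> [ip, ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target = m.groups()
        epoch = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        # Strip the query string so randomised parameters map to one endpoint.
        path = target.split("?", 1)[0]
        buckets[epoch - epoch % window_s][path].append(ip)
    alerts = []
    for start in sorted(buckets):
        total = sum(len(ips) for ips in buckets[start].values())
        for path, ips in buckets[start].items():
            if (len(ips) >= min_requests and len(set(ips)) >= min_sources
                    and len(ips) / total >= min_share):
                alerts.append((start, path, len(ips), len(set(ips))))
    return alerts

def sample_log():
    """Constructed access log: light browsing plus one 10-second burst."""
    base = datetime(2025, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, sec, target):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512'
    pages = ["/", "/news", "/contact"]
    # Baseline: three clients, one request every 2 s for a minute.
    out = [line(f"192.0.2.{s % 3 + 1}", s, pages[s // 2 % 3]) for s in range(0, 60, 2)]
    # Burst: 200 requests in seconds 30-39 to /search from 40 addresses,
    # each with a different query string.
    out += [line(f"198.51.100.{i % 40 + 1}", 30 + i % 10, f"/search?q={i * 7919 % 100003}")
            for i in range(200)]
    return out

if __name__ == "__main__":
    for start, path, n, srcs in detect_bursts(sample_log()):
        when = datetime.fromtimestamp(start, timezone.utc).isoformat()
        print(f"{when} {path}: {n} requests from {srcs} sources in 10 s")
```

Requiring many distinct sources as well as a high request count keeps a single noisy crawler from raising the alert, and the share-of-traffic condition keeps a site-wide busy period from being reported as a single-endpoint burst.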


8. Attribution and Alliances

NoName057(16) identifies itself as a pro-Russian patriotic group. While it claims to be independent, the consistency of its targeting and its alignment with Russian geopolitical interests suggest tacit support or coordination with Russian state entities.

The group frequently amplifies narratives from Russian state media and works in parallel with other pro-Russian hacktivist collectives such as KillNet, XakNet Team, and Anonymous Russia. These groups may share infrastructure, targeting priorities, or tactical coordination, especially during major political events.


9. Conclusion

NoName057(16) represents a persistent and ideologically driven threat actor operating under the banner of cyber activism in support of Russia’s strategic objectives. While technically unsophisticated, the group’s ability to coordinate large-scale, high-volume DDoS campaigns has allowed it to temporarily disrupt services and amplify political messaging across Europe.

UK organisations involved in government, defence, transportation, or public service delivery should remain alert to campaigns by NoName057(16) and implement defensive measures accordingly. Timely detection and response are key to reducing the impact of their politically charged cyber disruptions.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
