'DDoSia', a crowd-sourced DDoS (distributed denial of service) project that features over ten thousand people to help conduct offensive attacks on Western organizations, has seen massive 2,400% growth in less than a year with more than 10,000 people contributing to the project.
There is a pro-Russian hacktivist group called "NoName057(16)" that launched the campaign last summer. It has quickly reached 400 active members and 13,000 users on its Telegram channel since it was launched.
There are now 10,000 active users on the platform, up from 400 people when the platform was introduced to 10,000 now. It also has 45,000 subscribers on its primary Telegram channel, which is much more than the 13,000 subscribers it had last summer.
With the growth of Western organizations, more and more individuals are involved in acts of terror against them. There are also better tools for deploying these attacks. For example, binaries are available for all major OS platforms, which makes deployment easier.
As attackers continue to use DDoSia technology against countries that are critical of Russia's invasion of Ukraine, the DDoSia project by pro-Russian hackers has grown significantly this year.
As a result of data collected by Sekoia, analysts determined that so far this year, three ethnicities have been the principal targets of these DDoS attacks. These ethnicities are Lithuanian, Ukrainian, and Polish (39%), between May 8 and June 26.
These countries are most likely to behave this way because, during the Russia-Ukraine war, they made public declarations that they do not accept Russian rule. In the period covered by this report, the hacktivist group targeted 486 websites, including Ukrainian education institutions, the Ukrainian government, and French banks.
Many improvised denial-of-service attack tools have been developed, but the most well-known are those developed and used by the pro-Russian hacktivist group NoName057(16).
It is noteworthy that the group, as well as its followers, are actively deploying the tool in Lithuania, Ukraine, Poland, Italy, and other European countries. This is to target government agencies, the media, and private companies. Sekoia is a cybersecurity firm that released a report this week, stating exactly what was mentioned above.
There were 486 websites impacted by DDoS attacks detected by Sekoia. As part of these incidents, the Latvian parliament was involved along with the tax authority of Poland was involved.
Sekoia added that NoName057(16) also targeted education-related websites in Ukraine during the rescheduling period in May and June. This was alleged to maximize the amount of media exposure they would receive for their DDoS operation, as well.
There are usually 15 different victims targeted by the group each day, which is a very high number. The only incident Sekoia witnessed when the group attacked a single victim was during the attempted military coup in June by Wagner's private mercenary army. Sekoia observed a single incident. As a result of a DDoS attack, networks are bombarded with traffic so they are taken offline due to overload.
Besides the growth in the size of the DDoSia community, which has led to the development of more disruptive attacks, there have also been improvements to DDoSia's toolset and the introduction of binaries for the majority of the major OS platforms to help increase the reach of the community in general.
With the help of a Telegram bot, new users are registered on the platform automatically and it only supports Russian at the moment, but it is expected to expand to other languages soon.
Members first need to provide a TON (Telegram Open Network) wallet address to receive cryptocurrency from the bot. This is followed by a help text file and their unique client ID which demonstrates how to use the bot.
If the client ID text file is to be used to execute the payloads, it must be placed in the same folder as the payloads. This is to prevent the payloads from being executed by third parties such as security analysts or other "intruders."
In addition to the DDoSia client, the project's C2 server also includes a command-line prompt that allows members to contribute to the generation of garbage requests directed at the targets fetched by the C2 server.
As a result of reverse-engineering the Windows 64-bit executable, Sekoia discovered it was no longer a 32-bit binary, but a Go binary, which uses AES-GCM encryption algorithms for communication with the C2. A DDoSia client gets the target ID, the host IP address, request type, port, and other attack parameters sent by the C2 in encrypted form. These parameters are then decrypted locally on the local machine.
According to Sekoia, data gathered by the security firm Sekoia between May 8 and June 26, 2023, on some targets sent by the DDoSia C2 group shows that the majority of the targets were Lithuanians, Ukrainians, and Poles, accounting for 39% of the total activities of the project. In general, NoName057(16) appears to target NATO countries in general as well as the Ukrainian Republic as its target since these countries have made public declarations against Russia. Nevertheless, this may be a special case.
A cyberattack by noName057(16) showed up this May and early June, in a bid to disrupt ongoing exams at educational platforms.
Moreover, it is worth noting that DDoSia also targeted two Wagner sites on June 24, 2023, the day on which the private paramilitary group specifically targeted the Russian government as part of the attack on the government.
Even though DDoSia usually targets an average of 15 targets per day, it decided to target the Wagner website for the first time on June 24. It considered the situation urgent.
Therefore, it can be concluded that the DDoSia project is growing and is now on such an enormous scale that it can significantly affect its targets.