Russian DDoS: what’s the threat to businesses?

The UK National Cyber Security Centre (NCSC) has issued a warning that Russian-aligned hacktivist groups are targeting organizations


The UK National Cyber Security Centre (NCSC) has issued a warning that Russian-aligned hacktivist groups are targeting organizations. The alert describes how Russia-based adversaries including NoName057(16) have been attempting to disrupt operations, taking websites offline and disabling services.

The hacktivist groups are using distributed denial of service (DDoS) attacks – in which websites are flooded with traffic to take them offline – against governments as well as critical infrastructure firms across NATO member states and other European countries.

Why has this warning been issued and what can organizations do to boost their defenses in response?

Familiar name

NoName057(16) has been around since 2022, emerging shortly after Russia invaded Ukraine. Its self-declared mission is to counteract open hostility towards Russia, targeting NATO-aligned countries, says Darren Anstee, chief technology officer for security at NETSCOUT.

Renowned for widespread cyber operations and enabling like-minded individuals to disrupt online services on “an exceptionally large scale”, NoName057(16) has garnered notoriety for developing and distributing the DDoSia attack tool, Anstee tells ITPro.

Similar to many hacktivist collectives, NoName057(16) leverages a crowdsourced model, using its DDoSia toolkit to mobilize thousands of volunteers via Telegram, adds Jamie Collier, lead advisor, Europe at Google Threat Intelligence Group. This “fluid model” has made its efforts hard to disrupt, he says.

Indeed, the hacktivist collective shows no sign of slowing down, even after being pursued by law enforcement. By consistently promoting its operations online, NoName057(16) has positioned itself as “one of the most visible and persistent hacktivist entities” – despite law enforcement action against the group, says Daniel dos Santos, senior director and head of research at Forescout.

He describes how Forescout analyzed a dataset of hacktivist attacks from 2024: “This single group was responsible for 90% of the activity we observed”.

Unlike other hacktivist groups that exhibit selective targeting strategies, NoName057(16) has adopted a “broad and high-frequency attack approach”, often carrying out multiple attacks a day across different industries and countries, says dos Santos. “Some attacks targeted the same organizations repeatedly, either due to their strategic value, or to demonstrate the group’s continued ability to inflict damage.”

The threat to organizations is “significant” because the group is “very successful with DDoS attacks”, says dos Santos. “These attacks often take websites offline for some time, disrupting businesses and affecting their customers.”

Inexperienced and technically unskilled

The threat from hacktivist groups such as NoName057(16) is quite different to that from other adversaries. The use of DDoS – especially as a primary operation – has historically been a key indicator that a group is inexperienced or technically unskilled, says Marley Smith, principal intelligence specialist at the World Ethical Data Foundation. “Even though they are targeting critical infrastructure, the organizations on the receiving end of these attacks are usually those with exposed assets, or those whose employees have poor security practices in place.”

However, “unskilled” in this context does not mean “unthreatening” or even “un-resourced”, says Smith. “It means the lead actors are not developing and refining their own bespoke malware. Instead, they are more likely to use a simpler, more user-friendly threat apparatus designed for a maximum impact-to-effort ratio.”

Taking this into account, the goal of these groups is to “drum up as much fear as possible”, or “cause a public outcry” in the hope that the bad press will “coerce governments to turn a blind eye to Russia’s crimes in the future”, Smith explains.

NoName057(16) is just one example of a pro-Russian hacktivist group. Others include Dienet, Overflame, Red Wolf Cyber and Server Killers, says Anstee. “These hacktivists operate not for financial gain, but to advance ideological goals, aiming to generate media coverage of successful attacks to raise the profile of their points of view.”

Mitigating Russian DDoS attacks

The threat is real and growing, especially for nations targeted by Russian hacktivist groups. The NCSC advises UK organizations and businesses to understand the services they run online and the potential weak points that might expose them to risk from DDoS-style attacks. “It advises them to discuss risks and mitigations with their own upstream internet service providers or hosts and to ensure that services can be rapidly scaled to deal with sudden spikes in requests, or data received that can be indicative of an attack,” says Cian Heasley, principal consultant, Acumen Cyber.

Along with these mitigations and preparations, the NCSC recommends having an incident response plan in place covering business continuity in a DDoS attack scenario.

This is in addition to removing operational technology (OT) connections to the public internet, and identifying public-facing assets so that unintentional exposures can be removed. Meanwhile, firms should use strong passwords, apply the principle of least privilege to remote access networks, segment IT and OT, and maintain manual backups for systems, the NCSC advises.

It’s “an old adage”, but you can’t secure what you can’t see, says Anstee. “Comprehensive, consistent visibility across the network and application layers – for all infrastructures, whether on premises or in the cloud – allows cybersecurity teams to know what ‘normality’ looks like, so when there is an attack, they can more quickly identify where there’s an impact, and work out what should be done to ensure service continuity.”

In addition, Smith advises “avidly reading the news”. “Keep up-to-date on attacks in your country and industry, and on the vulnerabilities discovered in the applications you use. Actively engage with your employees and their habits to close the human-sized gap in your defenses.”

At the same time, organizations can obtain lists of known “bad internet addresses” associated with denial of service attacks online, or from their security providers, as well as lists of open proxy services that adversaries use to disguise where attacks are coming from, says Heasley. “These can be blocked at the firewall level or through access control lists so traffic never reaches servers that can be overwhelmed.”

In cases where attacks cannot be easily mitigated, geoblocking can be put in place, Heasley advises. “This would mean UK organizations only accept incoming connections from internet addresses that can be resolved to the UK itself, limiting potential malicious traffic while still allowing some national connectivity.”
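To make the blocklist-based filtering and the request-spike monitoring described above concrete, here is an added example (not code from the article or any of the quoted vendors). It checks constructed web-server access-log lines against a constructed CIDR blocklist, flags sources exceeding a per-second request threshold, and renders the blocklist as an nftables set; the `inet filter` table and `input` chain names are assumed to exist on the firewall host.

```python
"""Match access-log lines against a DDoS/open-proxy blocklist, flag
request-rate spikes, and emit nftables rules to drop listed sources.
All addresses and log lines below are constructed sample data."""
import ipaddress
import re
from collections import Counter

# Constructed blocklist in CIDR form; in practice this comes from a
# threat-intelligence feed or the organization's security provider.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.7/32"]

# Constructed sample lines in Apache/nginx combined-log format.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Sep/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [10/Sep/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2025:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024
192.0.2.10 - - [10/Sep/2025:12:00:02 +0000] "GET /about HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def load_blocklist(entries):
    """Parse CIDR strings into network objects (host addresses allowed)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_blocked(ip, networks):
    """True if the source address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def analyse(log_text, networks, threshold):
    """Return (blocked, noisy): request counts per blocklisted source, and
    the sorted list of sources sending >= threshold requests in one second."""
    blocked, per_second = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip, ts = m["ip"], m["ts"]
        if is_blocked(ip, networks):
            blocked[ip] += 1
        per_second[(ip, ts)] += 1  # timestamp has one-second resolution
    noisy = sorted({ip for (ip, _), n in per_second.items() if n >= threshold})
    return blocked, noisy

def nft_rules(networks, set_name="ddos_blocklist"):
    """Render an interval set and a drop rule for the 'inet filter' table
    and 'input' chain (assumed to exist on the firewall host)."""
    elems = ", ".join(str(n) for n in networks)
    return (f"add set inet filter {set_name} {{ type ipv4_addr; flags interval; }}\n"
            f"add element inet filter {set_name} {{ {elems} }}\n"
            f"add rule inet filter input ip saddr @{set_name} drop")
```

The rendered rules can be fed to `nft -f` after review; tune `threshold` against the baseline request rate the monitoring team already knows as normal.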

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.