Russian hackers hit the Warsaw Stock Exchange and Polish banks for “Russophobia”. Who is the group NoName057(16)?

The Russian hacker group NoName057(16) boasted of attacks on its targets in Poland on Tuesday. Hackers carried out DDoS attacks (their goal is to overload and, as a result, cut off access to websites). The attack this time was not particularly harmful and all the attacked websites were operational after several dozen minutes from the first information about it. However, it was another hacker attack on the websites of Polish companies and institutions,

Who attacks the websites of Polish companies? Who is the group NoName057(16)?

The pro-Russian group NoName057(16) (also known as NoName05716, 05716nnm and Nnm05716) was established in March 2022, just after Russia’s full-scale military attack on Ukraine. Since then, it has been attacking its targets mainly in Central and Western Europe and the USA, and has been quite effective. In Poland, it made itself felt for the first time in August 2022, when it attacked Polish (and Finnish) government websites.

Renewed reports of NoName057(16) attacks appeared e.g. in December 2022 and March, July and August this year. In recent months, the group has Italian banks, and today – Wednesday, August 30 in the morning – informed about attacks on Czech companies and financial institutions. The websites of at least some of them are currently not working.

According to a cybersecurity researcher who is investigating the group, NoName057(16) is particularly fond of Distributed Denial of Service (DDoS) attacks, which consist of sending a huge number of requests to overload the servers and disable the attacked website. NoName057(16) mainly attacks the websites of large banks, institutions and organizations, military facilities and government agencies (e.g. in March, they managed to disable the Taxes.gov.pl portal in this way).

uRussian hackers hit the Warsaw Stock Exchange and Polish banks for ‘Russophobia’. Who is the group NoName057(16)? photo screenshots from Telegram

The Russians use their own set of tools and computing power of the group’s hacker computers in their attacks, but they also often use the computing power seized during other hacking attacks (e.g. infected bot computers). However, the vast majority of infrastructure for attacks – as detected by FalconFeeds.io – is to be provided by three hosting companies – MIRhosting, Stark Industries and Severastra-as.

They have carried out over 5,000 DDoS attacks. Poland among the favorites

The website’s experts calculated that since its inception – i.e. in about 1.5 years – hackers from the pro-Russian group have carried out at least 5,200 DDoS attacks. They regularly brag about some of them (in Russian and English) on the Telegram social network, which is very popular in Russia. Most often, in the form of evidence, they publish (as evidence) links to Check-host.net, and sometimes also screenshots of the attacked sites. On the example of those shown on Wednesday (on the occasion of the attack in the Czech Republic), we can see that hackers use Russian on their computers.

The group does not seem to have a centralized structure, and the attacks are carried out by hacktivists who support Russia in the war against Ukraine. Therefore, the targets of NoName057(16) are those countries that have sided with the defending country. The favorite targets of this group are five European countries – Switzerland, Spain, Lithuania, Poland and Ukraine. Recently, however, there has been an increase in attacks against entities based in the Czech Republic, Denmark, Estonia, Germany, Slovakia and Slovenia.

NoName057(16) also seems to follow the Russian propaganda message. In their first Telegram post (March 11, 2022), hackers posted an image of a Russian soldier trying to kill a snake with a Ukrainian flag attached to it. Next to it was a swastika painted in Ukrainian colors. In subsequent posts, NoName057(16) explains his attacks, among others fight against hatred towards Russia and allegedly spreading in the West “Russophobia”.

Specialists from FalconFeeds.io do not say whether the group is associated with the Kremlin (such a suggestion is often made in the media). What we do know is that he is working with the notorious Russian hacker group Killnet, which may be linked to Moscow. NoName057(16) also cooperates with the pro-Russian groups Zarya and Xaknet.