NoName057 Hacktivist Group Conducts DDoS Attacks on South Korea
Quick take - The hacktivist group NoName057, active since March 2022, primarily conducts politically motivated Distributed Denial of Service (DDoS) attacks against organizations perceived as anti-Russian, and in November 2024, collaborated with other pro-Russian groups to target South Korean government websites in response to remarks about military support to Ukraine.
Fast Facts
- NoName057, a hacktivist group active since March 2022, conducts DDoS attacks against organizations with anti-Russian sentiments.
- In November 2024, they collaborated with other pro-Russian groups to target South Korean government websites in response to military support for Ukraine.
- The group uses automated DDoS bots called DDoSia, which allow users to participate in attacks and earn cryptocurrency rewards.
- DDoSia operates by downloading a file from the group’s Telegram channel, which provides real-time updates and attack targets.
- The attacks aim to disrupt services and create social disorder, reflecting the group’s objectives within the current geopolitical context.
Hacktivist Group NoName057: Overview and Activities
Background and Collaboration
Hacktivist group NoName057 has been active since March 2022, primarily engaging in Distributed Denial of Service (DDoS) attacks. These attacks target organizations perceived to have anti-Russian sentiments. In November 2024, NoName057 collaborated with other pro-Russian hacktivist organizations, including the Cyber Army of Russia Reborn and Alixsec. Together, they launched DDoS attacks on South Korean government websites, reportedly triggered by remarks from South Korean officials concerning military support to Ukraine. The attacks caused significant damage to various South Korean organizations.
DDoSia and Operational Methods
NoName057 employs automated DDoS bots, notably DDoSia, which allow individual users to participate in these attacks. The group has a substantial following on its Telegram channel, which serves as a platform to promote its activities and to provide real-time updates on attack targets and their progress. Participants in these operations can earn cryptocurrency as a reward, incentivizing their involvement.
DDoSia operates by downloading a file named “client_id.txt” from the Telegram channel; this file is essential for its execution. The command and control (C&C) server address used by DDoSia changes frequently, so participants must obtain the new IP addresses from Telegram. Upon execution, DDoSia performs an authentication process that collects system information and transmits it to the C&C server. After authentication, it retrieves a timestamp and a list of attack targets, and periodically reports the status of the attacks back to the C&C server.
Technical Details and Objectives
DDoSia supports various commands for launching attacks, including http and http2, but does not support the TCP and nginx_loris commands. The previous version of DDoSia was written in Python and included support for the TCP SYN Flood technique, which may be reintroduced in future updates. To avoid detection by security measures, the C&C server randomly selects a User-Agent for its HTTP requests.
Specific indicators of compromise (IOCs) related to DDoSia are available through the AhnLab Threat Intelligence Platform (TIP). Notable IP addresses associated with DDoSia activity include 45.152.115.205, 62.60.237.103, 77.91.100.134, and 94.131.97.202. The politically motivated DDoS attacks conducted by NoName057 aim to disrupt services and create social disorder, reflecting the group’s broader objectives in the current geopolitical context.
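As an added defensive illustration (not code from the original article or from AhnLab), the following Python checks web server access logs for the two DDoSia traits described above: a burst of HTTP requests from one source that cycles through random User-Agent strings, and any request from the IOC IP addresses listed in this summary. The log lines, the detection thresholds and the `find_flood_sources` helper are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IP addresses this summary lists as DDoSia indicators (AhnLab TIP).
DDOSIA_IOC_IPS = {"45.152.115.205", "62.60.237.103", "77.91.100.134", "94.131.97.202"}

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "ua": m["ua"]}

def find_flood_sources(lines, window=timedelta(seconds=10), min_requests=5, min_agents=3):
    """Flag IOC hits and sources sending >= min_requests inside one window with >= min_agents distinct UAs."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        reasons = ["ioc_match"] if ip in DDOSIA_IOC_IPS else []
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over timestamps
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) >= min_requests and len({r["ua"] for r in span}) >= min_agents:
                reasons.append("ua_rotating_flood")
                break
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample log (assumption): a rotating-UA burst, a steady single-UA crawler, one IOC hit.
def _entry(ip, sec, ua):
    return f'{ip} - - [12/Nov/2024:09:15:{sec:02d} +0900] "GET / HTTP/1.1" 200 512 "-" "{ua}"'
AGENTS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (X11; Linux)", "curl/8.4.0", "Mozilla/5.0 (Macintosh)"]
SAMPLE_LOG = (
    [_entry("203.0.113.7", s, AGENTS[s % 4]) for s in range(0, 6)]           # 6 hits, 4 UAs, within 6 s
    + [_entry("198.51.100.20", s, "Googlebot/2.1") for s in range(0, 30, 5)]  # 6 hits, one UA, spread over 25 s
    + [_entry("94.131.97.202", 3, AGENTS[2])]                                  # single request from an IOC IP
)
```

Only the rotating-UA burst and the IOC source are flagged; the evenly paced single-User-Agent crawler is not.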