Security Bsides Las Vegas 2024

Kaichi Sameshima

Kaichi Sameshima is currently involved in the NA4Sec project at NTT Communications. His role is to actively investigate and analyze threat infrastructure. During his university days, he was deeply involved in the research of IoT malware, focusing on the analysis of vulnerabilities exploited by malware and the monitoring of C&C servers. He also gave a presentation at JSAC2024.


Session

08-06
17:00
45min
Operation So-seki: You Are a Threat Actor. As Yet You Have No Name.
Ryo Minakawa, Atsushi Kanda, Kaichi Sameshima

This presentation shares the findings and lessons learned from an investigation into a pro-Russian hacktivist group, tentatively called X. Their DDoS attacks have been reported worldwide and have been conducted in an organized manner. Since their activities began in March 2022, both the scale and the targets of their attacks have gradually expanded.

We have been tracking the DDoS attacks conducted by X for nearly a year and carrying out "Operation So-seki" to alert the targeted organizations and provide them with knowledge. In Operation So-seki, we obtained a botnet client tool used by X and clarified the mechanism of its command and control (C2). We have automated the collection of DDoS target information and analyzed more than 1,000 attacks by monitoring the botnets and effectively tracking their infrastructure using NetFlow.

In this presentation, we will share the findings from cross-analysis of the above information, the methods used to analyze and track their infrastructure, the operators behind X, their tactics, techniques and procedures (TTPs), DDoS countermeasure techniques, and what we have learned from dealing with DDoS hacktivist groups.

Breaking Ground
Florentine A