Security Bsides Las Vegas 2024

Operation So-seki: You Are a Threat Actor. As Yet You Have No Name.
2024-08-06 , Florentine A

This presentation shares the findings and lessons learned from an investigation into a pro-Russian hacktivist group, tentatively called X. Their DDoS attacks have been reported worldwide and have been conducted in an organized manner. Since their activities began in March 2022, both the scale and the targets of their attacks have gradually expanded.

We have been tracking the DDoS attacks conducted by X for nearly a year and carrying out "Operation So-seki" to alert and provide knowledge to the targeted organizations. In Operation So-seki, we obtained a botnet client tool used by X and clarified the mechanism of the command and control (C2). We have automated collecting DDoS target information and analyzed more than 1,000 attacks by monitoring botnets and effectively tracking their infrastructure using net flow.

In this presentation, we will share the findings from cross-analysis of the above information, the methods for analyzing and tracking their infrastructure, the operators behind X, their tactics, techniques and procedures (TTPs), DDoS countermeasure techniques, and what we have learned from dealing with DDoS hacktivist groups.


Our presentation will share findings from more than a year of tracking the pro-Russian hacktivist group NoName057(16), which uses DDoS attacks. They have targeted critical infrastructure such as railways, finance, government, and administrative services. Most recently, the Canadian Centre for Climate Services (CCCS) and the National Cyber Security Centre (NCSS) have also issued warnings about their activities, making them a threat that cannot be ignored globally.

We analyzed the DDoS tool used by NoName057(16), DDoSia, to emulate communications and independently collect DDoS target lists and C2 infrastructure. We contributed to Operation So-seki, which used this information to alert organizations that could be affected.

The contributions of this research are as follows:

  1. Information gathering/analysis/observation from multiple perspectives over a long period of time.
    The reports released by security vendors about NoName057(16) are mainly based on the attack success reports posted on the group's public Telegram channel over a specific period. We obtained the DDoS tool that NoName057(16) uses, a botnet client tool called "DDoSia", and clarified the mechanism of its command and control (C2).
    In addition, we automated the collection of DDoS target information, and analyzed more than 1,000 attacks by monitoring botnets and effectively tracking their infrastructure using net flow.
    Based on the cross-analysis of the above information, the session presents our observations about the operators behind NoName057(16) and DDoS countermeasure techniques.

  2. Latest IoCs and tracking methods
    Detailed analysis of the infrastructure and the DDoSia malware used by NoName057(16) has been published by Avast and SEKOIA in the past.

  3. Observations about responses to hacktivists
    Media coverage of NoName057(16)'s DDoS activities has increased over the past year, and public awareness of and precaution toward the attacker group has grown. On the other hand, during our long-term research we observed many cases where information-sharing activities in media reports and social media were used for propaganda, encouraging NoName057(16) to launch more attacks and change their TTPs. We summarize the advantages and disadvantages of disclosing and sharing information and its significance.
    We also developed scripts to scan DDoSia's C2 server and retrieve the DDoS target list. If the C2 server is alive, we can demonstrate getting the targets from the attacker's server. If it is not alive, we will present pre-recorded data.

Outline

I intend to cover the following in the talk:

  1. Introduction - 3 min
    • Notes for this presentation
      • How to deal with information against hacktivists
    • Who we are
    • What is “Operation So-seki” and overview of this operation
  2. Threat Actor Profile - 7 min
    • What is NoName057(16)
    • Introduction of NoName057(16)'s activity bases (Telegram)
    • Description of their activities and DDoS attack techniques
      1. DDoSia, a tool they developed to build DDoS botnets
  3. DDoS Infrastructure and Capability - 12 min
    • Details of artifact analysis for the DDoSia
    • How to get DDoS target list
      • (DEMO) Send dummy data simulating DDoSia to the infrastructure to obtain a list of DDoS attack targets
    • NoName057(16)’s infrastructure hunting with active scan
    • DDoS Target List Analysis
    • DDoS Capability Analysis
      • Introduction and transition of DDoS attack capabilities obtained by analyzing DDoSia
  4. DDoS Activities Analysis - 10 min
    • Telegram Posts Analysis
      • Considerations related to changing operators based on activity time and posting frequency
      • Insights into organizational activities
    • Cross-analysis of Telegram posts and DDoS target lists
      • Estimating success rates of DDoS attacks
      • Statistics on attack trends
  5. Exploring Threat Infrastructure using Flows - 5 min
    • Case study introduction of tracking attacker's infrastructure using Flow
    • Limitation of Flow information
  6. Hacktivist and Threat Intelligence Sharing - 5 min
    • Negative effects of sharing threat intelligence about NoName057(16)
    • Lessons learned from confronting hacktivists
    • Summary of the pros and cons of information sharing about hacktivists
  7. Summary - 3 min
    • Conclusions
    • Key Takeaways
      • Sharing cross-analysis research from long-term observations.
      • The latest IoCs, TTPs and analysis techniques of their infrastructure
      • Scripts for analyzing botnet traffic
      • Insights into dealing with DDoS hacktivist groups
    • Questions?

Ryo Minakawa is a malware and intelligence analyst at NFLaboratories. His work includes analyzing malware used in APT attacks targeting East Asia and generating threat intelligence. He also works with NTT Communications' NA4Sec project and monitors the infrastructure used by various attackers. He is also a developer and contributes to OSS intelligence platforms such as OpenCTI. Some of his research has been presented at JSAC2023 and JSAC2024. He holds GREM, GCTI, OSCP, OSEP and CISSP certifications.

Atsushi Kanda works as a cyber threat intelligence researcher at NTT Communications. He established a threat intelligence team, NA4Sec, and has been leading the team as both a manager and a tech lead. His specialities include network security in general, cyber threat intelligence, and network and security operations. Some of his work has been presented at Internet Week (2022, 2023) and JSAC2024.

Kaichi Sameshima is currently involved in the NA4Sec project at NTT Communications. His role is to actively investigate and analyze threat infrastructure. During his university days, he was deeply involved in the research of IoT malware, focusing on the analysis of vulnerabilities exploited by malware and the monitoring of C&C servers. He also gave a presentation at JSAC2024.