Summary

Beginning around March 6, 2024, self-proclaimed DDoS hacktivist NoName057(16) turned their attention to the country of Moldova. The group cites concerns that the government is “craving for Russophobia”. Since early March, more than 50 websites have been targeted, according to posted “proof” by the groups involved in attacking the country. 

Hacktivists Claims

While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries. (Figure 1)

Attack Summary

The NoName group typically launches application-layer DDoS attacks at web servers. They do this by gamifying their attack harness as explained in our recent blog. The infrastructure used in these attacks can be extremely resilient and difficult to take down or remediate due to the types of networks (bulletproof and cloud hosting providers) where their DDoSia malware code is deployed. It is uncertain if there’s a hidden agenda beyond what the group posted publicly, but at this time we have no expectations of the activity diminishing soon. Examining the attacks by day (Figure 2), it’s easy to see that the attacks are only increasing in frequency as time goes on, rather than a fast, short-lived campaign as we often see with Anonymous Sudan activity. 

Since the beginning of the activity in March, the vast majority of the attacks fall between 1 to 4 Gbps, with a small handful nearing 6 Gbps. In keeping true to form, most of these attacks are TCP-based with throughput ranging from 1 Kpps to 680 Kpps. These numbers may seem small next to global reporting that puts attacks in the terabit and hundreds of millions of packets-per-second, but it's important to keep in mind that even a small sized or low speed attack can overwhelm a web server sufficient to cause degradation or outages. 

NoName currently leads the field in terms of DDoS attacks by geopolitical hacktivists as outlined in our 2H 2023 Threat Intelligence Report published April 25, 2024. In just the second half of the year they claimed credit for targeting more than 780 different websites, often with proof of their actions attached via a screenshot. Anyone that may find themselves in the crosshairs of political hacktivists need to take the threat seriously. Perhaps now, more than ever before, these hacktivists tend to follow through on their claims and have known success in taking down their targets.

Conclusion

The risk posed by the hundreds of active DDoS hacktivists poses a real and present danger to organizations of any type, in any country. Just because a lot of the current targeting is against countries making vocal claims against Russia or in support of Ukraine, doesn’t mean they won’t be a target. Often, these groups will target an entire industry, or an entire country because of the remarks or ideals of a few. Our recent threat report and findings revealed more than 100 industries in more than 100 countries were on the receiving end of attacks. DDoS Hacktivism is a worldwide problem and everyone needs to be aware and understand the current threat landscape.

Ensure that your organization is positioned to defend against these threats with products like our Sightline/TMS for service providers and large networks, or our AED product line for in-line, always-on protection at the enterprise edge.