
European cyber cops target NoName057(16) DDoS network
A Europol operation has succeeded in disrupting a pro-Russian hacktivist network accused of conducting DDoS cyber attacks on targets in Ukraine and Europe.
A multinational cyber enforcement operation – led by the European Union’s (EU’s) Europol and Eurojust agencies – has successfully disrupted the NoName057(16) pro-Russian hacktivist cyber crime network responsible for multiple distributed denial of service (DDoS) attacks.
Europol said that offenders associated with the network primarily attacked targets in Ukraine but shifted their focus to other European countries, many of them Nato members, following the outbreak of war in 2022.
“National authorities have reported a number of cyber attacks linked to NoName057(16) criminal activities,” said Europol.
“In 2023 and 2024, the criminal network has taken part in attacks against Swedish authorities and bank websites. Since investigations started in November 2023, Germany saw 14 separate waves of attacks targeting more than 250 companies and institutions.
“In Switzerland, multiple attacks were also carried out in June 2023, during a Ukrainian video-message addressed to the Joint Parliament, and in June 2024, during the Peace Summit for Ukraine at Bürgenstock.
“Most recently, the Dutch authorities confirmed that an attack linked to this network had been carried out during the latest Nato summit in the Netherlands. These attacks have all been mitigated without any substantial interruptions.”
Takedowns
The so-called Operation Eastwood has resulted in the takedown of 100 servers and a major part of the NoName operation’s infrastructure, two arrests in France and Spain and 24 property searches across Europe.
Europol said that 13 individuals have also been questioned and over 1,000 ‘supporters’ of the NoName network – including 15 admins – have been notified of their legal liability. These individuals are understood to be Russian-speaking hacktivists.
Additionally, the German authorities have issued six arrest warrants against Russian nationals. Five of them have been named as Andrej Stanislavovich Avrosimov, Mihail Evgeyevich Burlakov (aka darkklogo), Olga Evstratova (aka olechochek), Maxim Lupin and Andrey Muravyov. A seventh warrant has been issued by Spanish police.
Burlakov and Evstratova are both accused of being among the group’s ringleaders – Burlakov is suspected of leading the development and optimisation of the software used to identify targets and subsequently attack them, as well as overseeing payments made to rent NoName’s server infrastructure. Evstratova allegedly played a key role in the creation and optimisation of NoName’s proprietary DDoSia malware.
All of these individuals – who are listed on Europol’s Most Wanted website – are believed to be located in Russia.
Large network
Unlike well-known Russian state threat actors such as Fancy Bear, the ideologically-driven NoName network is thought to have acted more like a cyber criminal ransomware gang, without support from the Russian authorities but on the unspoken understanding that Moscow would not interfere with their work.
Europol estimates that at its peak, NoName had around 4,000 supporters and had been able to build a botnet made up of several hundred servers, which were used to bombard their targets with junk traffic.
NoName’s leaders used pro-Russian channels, web forums, and niche chat groups on social media and messaging forums, with volunteers often informally recruiting their friends and contacts from the gaming and hacking communities.
These individuals were given access to platforms, such as DDoSia, to simplify their processes and automate cyber attacks, meaning the operation could stand up new recruits quickly and enable them to work effectively with minimal technical skillsets.
NoName’s volunteer army was paid in cryptocurrency, incentivising sustained commitment and involvement, and Europol said this may also have been a factor in attracting opportunists to the group.
Culturally, NoName mimicked computer game dynamics, with regular shout-outs, leaderboards, and earned badges doled out to instill a sense of status.
Leaders emotionally reinforced this gamified manipulation – often targeted at young, impressionable people – by playing off the narrative of defending their country, where national propaganda often exploits the memory of the 25 million Soviet citizens killed during World War II to convince people that the country is facing a renewed Nazi onslaught.
Rafa López, security engineer at Check Point, said: “While the recent international crackdown on the NoName057(16) group has disrupted their operations, it is unlikely to mark the end of their activities. This Russia-affiliated hacktivist group, which primarily targets countries with anti-Russian stances, continues to operate through encrypted channels like Telegram and Discord. Although their DDoS capabilities have been reduced, they are shifting toward more sophisticated methods, including system intrusions and data exfiltration. The group remains active and has built a vast network of affiliates, with thousands of volunteers across various platforms, including online gaming and hacktivist forums.
“We recommend that organisations strengthen their defences by implementing multi-layered security strategies, including robust DDoS protection, intrusion detection systems, and regular security audits.
“It is also essential to educate employees about the risks of cyber attacks, as well as to monitor for unusual activities on communication platforms that might indicate potential recruitment efforts. By staying vigilant and proactive, companies can better safeguard themselves against evolving threats from groups like NoName057(16),” said López.
The operation brought together authorities from Czechia, Finland, France, Germany, Italy, Lithuania, the Netherlands, Poland, Spain, Sweden, and the US, with support also received from agencies in Belgium, Canada, Denmark, Estonia, Latvia, Romania and Ukraine. Private sector bodies ShadowServer and abuse.ch also provided technical support.