Canadian Government Targeted With DDoS Attacks by Pro-Russia Group

Cyber Security Threat Summary:
The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine. To date, the group has targeted financial, government, military, media, supply, telecoms, and transportation organizations in Ukraine and NATO-associated targets, including the Czech Republic, Denmark, Estonia, Lithuania, Norway, and Poland. ‘Since 13 September 2023, the Cyber Centre has been aware and responding to reports of several distributed denial of service (DDoS) campaigns targeting multiple levels within the Government of Canada, as well as the financial and transportation sectors,’ the Canadian Centre for Cyber Security warns. In July 2022, Canada’s Cyber Centre assessed that Russian state-sponsored threat actors would continue to engage in malicious activities in support of Russia’s military objectives in Ukraine. In February, the Centre observed similar DDoS activity targeting Ukraine-supporting countries” (Security Week, 2023).

Security Officer Comments:
According to the alert sent out by the Canadian Centre for Cyber Security, NoName057 actors use a custom denial of service toolkit called DDoSia, which has been used since the beginning of the Russian invasion to target entities across the globe. The actors are also known for using compromised systems, which are collected together to form a sophisticated botnet capable of launching DDoS attacks. In particular, this group was observed by researchers at Avast, launching attacks throughout last year using a botnet consisting of devices infected with Bobik malware. “NoName057(16)’s success rate using the Bobik botnet to attack selected targets was around 40%. However, the success rate rapidly dropped when the botnet was taken down – as was reported in the group’s Telegram channel early September,” stated researchers in a blog post

Suggested Correction(s):
The Cyber Centre recommends organizations:

  • Review perimeter systems to determine if related activity has occurred.
  • Review and implement preventative actions outlined within the Cyber Centre's guidance on protecting your organization against denial-of-service attacks .
  • Review the Cybersecurity and Infrastructure Security Agency (CISA) published guidance for US agencies to aid in DDoS considerations including technical mitigation recommendations in responding to DDOS activity
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security ActionsFootnote8 with an emphasis on the following topics:
  • Consolidate, monitor, and defend Internet gateways
  • Isolate web-facing applications
If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email