Tracking Russia’s NoName057[16] attempts to DDoS UK public services

Kevin Beaumont
DoublePulsar


Today I noticed NoName057[16] — basically a poor man’s “Ukraine IT army” — attempting to DDoS various UK councils and transport services:

They post about their exploits on Telegram, similar to those crazy Ukrainians. It’s basically Russia styled as hacktivists, with some great bear drawings.

I decided to have a look at monitoring them, and was able to break in pretty easily.

They attacked these 14 targets:

pa.eastcambs.gov.uk

politics.leics.gov.uk

www.liverpool.gov.uk

www.mil.be

www.bollington-tc.gov.uk

www.cranbrooktowncouncil.gov.uk

cert.be

www.wymetro.com

my.swiftcard.org.uk

www.monarchie.be

www.premier.be

www.david-clarinval.be

www.dekamer.be

www.senaat.be

The attacks looked like this:

As an example of service impact, we go to West Yorkshire bus services:

I tooted about this at 11:23am GMT; you may notice the other unannounced Belgian sites:

Then 90 minutes later they posted about the Belgian targets:

If it’s of any interest I may start publishing this data publicly on an ongoing basis, like a cheap HaveIBeenDDoS’d. I think the visibility of the techniques they are using may help orgs better defend.

~g
