Russia Affiliated NoName057(16) Hacktivist Group Puts 2023 Czech Presidential Election on the Spot
January 2023 by Check Point Research Team
NoName057(16) is a Russian-affiliated hacktivist group that has been active since March 2022. They have been known to target Ukrainian and pro-Ukrainian organizations, businesses, and governments, with the targets shifting according to geopolitical developments. In recent months, the group has focused on various countries in the European Union that have publicly supported Ukraine, including but not limited to Poland, Lithuania, Latvia, Slovakia, Norway, Finland, Germany, Spain, and Denmark. The group has also launched attacks on specific targets in the US and the UK.
DDoS is the primary method used by NoName057(16) in their attacks. The group has managed to cause temporary unavailability of websites of top private sector targets, such as banks and other financial institutions. This was seen in Denmark last week and continues the pattern of attacks against the website of the Finnish Parliament in August 2022, the websites of the Ministry of Defense of Greece and the Ministry of Defense of Croatia in December, and many more.
On January 11, 2023, the group started executing DDoS attacks on websites related to the 2023 Czech presidential election, two days before voters were scheduled to go to the polls. The group posted on their Telegram channels that their reason for the attacks was that 4,000 Ukrainian soldiers were expected to be trained at the Libavá military training ground in the Czech Republic, and therefore they decided to "participate" in the Czech elections.
The group accelerated their attacks on January 12, taking down the websites of a nonprofit organization that presented the election programs of all the candidates, the Watchman of the State organization, the Czech Statistical Office, and the Ministry of Foreign Affairs.
On Election Day (January 13), the group continued to target key websites, including those of pro-Western candidates General Petr Pavel and Tomas Zima, as well as the Watchman of the State and the Ministry of Foreign Affairs. One candidate, Tomas Zima, claimed that due to the DDoS attack on his website, he was unable to publicly present his campaign finance reports, as required by law.
In the days following the elections (January 14-15), the group continued targeting the Czech Statistical Office, which is responsible for counting and publishing the election results, as well as the Watchman of the State organization website. Since January 16 up to the present day, the group has continued to attack sites in the Czech Republic, but now with a focus on major companies in the manufacturing sector.
Most of the aforementioned attacks have been confirmed by the Czech Republic authorities.
This is not the first time NoName057(16) or other Russian-affiliated hacktivist groups have operated in such a persistent way to attack specific countries. But it is the first time they have managed to disrupt the availability of key websites during democratic Western elections. While election-related attacks by Russian-affiliated hacktivist groups were spotted in October 2022 when Killnet tried to attack US targets before elections, and during November when the Russian hacktivist group The People’s Cyber Army targeted the American Democratic Party’s website, those attacks were much smaller. Most of those attacks failed to cause any disruptions to site availability, as opposed to the relatively high success rate reported in the Czech Republic.
On the operational side, similar to other hacktivist groups spotted since the beginning of the conflict, NoName057(16) mainly operates via Telegram channels. It has a main Russian-language channel with almost 20,000 members, an equivalent channel in English, and a group of volunteers called the DDosia Project who act on their behalf. The DDosia Project includes only 1,427 members but is highly active and executes a large number of attacks per month. It has four subchannels, with one dedicated to selecting targets for DDoS attacks. Activities are incentivized as NoName057(16) offers cash rewards to the sub-groups that volunteer, starting at 20,000 rubles ($290) and going up to 80,000 rubles (approximately $1150). The DDosia Project and NoName057(16) also use GitHub to host DDoS tools tied to the operations, and these pages were recently taken down by GitHub.
As the Czech presidential elections enter their second round on January 27-28, the DDoS attacks against the country persist. The hacktivist group is currently focusing its efforts on government websites as well as those in the private sector, with a recent emphasis on the manufacturing sector.