Bivash Nayak
24 Jul

This summary draws on recent cybersecurity reports on the pro-Russian hacktivist group NoName057(16), known for its DDoS attacks supporting Russia's geopolitical interests. Active since Russia's invasion of Ukraine in 2022, the group escalated operations in 2024-2025, targeting entities opposing Russia, particularly in the EU and Ukraine. A major international takedown operation, codenamed Eastwood, disrupted their infrastructure on July 15-17, 2025, involving 12 countries, Europol, and Eurojust. This led to arrests, warrants, and server seizures, effectively dismantling their botnet. Reports from Recorded Future and law enforcement highlight the campaign's scale: over 3,700 unique hosts targeted in 13 months (July 1, 2024, to July 14, 2025), with an average of 50 attacks per day. While no widespread data breaches occurred, the attacks disrupted critical infrastructure during key events like EU elections and NATO summits.

Key facts from reports:

  • Group Profile: NoName057(16) operates as a hacktivist collective with pro-Russian motives, using the DDoSia tool (a Go-based DDoS client) to recruit volunteers via Telegram. They built a botnet with ~4,000 users and hundreds of servers, employing multi-tier C2 infrastructure for resilience.
  • Campaign Timeline: Active since early 2022, but intensified from July 2024 to July 2025 (13 months), with peaks during events like the EU elections (June 2024), Ukraine Peace Summit (June 2024), and NATO Summit (June 2025). Attacks followed a Russian workday schedule, with two daily waves of targets.
  • Targets and Scale: 3,776 unique hosts targeted globally, primarily government/public sector (41%), transportation/logistics (12%), and tech/media (10%). Top victims: Ukraine (29.47%), France (6.09%), Italy (5.39%), Sweden (5.29%), and other EU nations. In Germany alone, 14 attacks hit ~230 organizations, including arms factories and power suppliers.
  • Takedown (Operation Eastwood): Coordinated by Europol/Eurojust on July 15-17, 2025, involving Czechia, Estonia, Finland, France, Germany, Italy, Latvia, Lithuania, Netherlands, Poland, Spain, Sweden, Switzerland, and USA. Outcomes: 2 arrests (France and Spain), 7 international arrest warrants (6 from Germany), 24 house searches, disruption of 100+ servers worldwide, and warnings to 1,100 supporters and 17 admins.
  • Response and Impact: NoName057(16) dismissed the operation on Telegram, vowing to continue. The takedown disrupted their botnet, reducing immediate DDoS threats to critical infrastructure (e.g., power, transport). No long-term data loss reported, but attacks caused temporary outages during political events, highlighting risks to EU stability.

| Aspect | Details | Key Stats/Examples |
| --- | --- | --- |
| Campaign Scale | 13 months (July 2024-July 2025); 50 unique targets/day average. | 3,776 unique hosts; peak 91/day. |
| Top Targets | Ukraine (29.47%), France (6.09%), Italy (5.39%), Sweden (5.29%); EU gov/public sector primary. | Germany: 14 attacks on 230 orgs (arms, power). |
| Tools/Methods | DDoSia (Go-based client); botnet with 4,000 users, multi-tier C2 servers. | Volunteer recruitment via Telegram; encrypted target lists. |
| Takedown Actions | Operation Eastwood (July 15-17, 2025): 2 arrests, 7 warrants, 24 searches, 100+ servers disrupted. | Involved 12 countries + EU agencies; warnings to 1,100 supporters. |
| Impact & Response | Disrupted critical infra during events; no data loss. Group vows to continue. | Reduced immediate threats; enhanced international cooperation. |

This incident underscores the geopolitical nature of hacktivism, with NoName057(16) shifting focus from Ukraine to EU supporters. For mitigation, organizations should enhance DDoS protections (e.g., CDN scrubbing, rate limiting) and monitor Telegram for emerging threats.
