Swiss Government Reports Nuisance-Level DDoS DisruptionsSelf-Proclaimed Russian Hacktivists Continue Putin-Aligned Information Operations
Russia's strategy of attempting to bolster its apparent military might by launching online, high-profile nuisance attacks appears to remain active.
Switzerland's federal government, based in Bern, reports that distributed denial-of-service attacks hit multiple Swiss federal agencies Wednesday, causing some of their public-facing websites to be temporarily unavailable. The self-proclaimed Russian hacktivist group NoName057(16), aka NoName, claimed credit for the attacks.
"Hackers generally use such attacks on website availability as a means of gaining media attention for their cause," Swiss authorities said. "They do this by flooding a website with a massive volume of requests so as to overload it and make it unavailable for a period of time. No data is lost or compromised in a DDoS attack."
Swiss authorities said they had alerted all critical infrastructure organizations on Jan. 10 to expect attacks that would be timed to coincide with Ukrainian President Volodymyr Zelenskyy's attendance at the annual World Economic Forum meeting in Davos, which began Monday and ends Friday.
The government said the Swiss National Cyber Security Center "promptly detected" the DDoS attacks "and the federal administration's specialists took the necessary action to restore access to the websites as quickly as possible." Switzerland's NCSC has published a list of the 949 different IP addresses used in the attacks.
Since Russian President Vladimir Putin in February 2022 committed his military to the illegal, all-out invasion of Ukraine, many supposed hacktivist groups have appeared, claiming to be independent of Moscow but aligned with its agenda. They include NoName, which appeared in March 2022; KillNet, which describes itself as a "private military hacker company"; and its curiously well-funded spinoff, Anonymous Sudan.
Google Cloud's Mandiant incident response unit has reported that attacks launched by KillNet and its ilk tend to "generate only shallow impacts lasting short periods of time." Their top targets remain Ukraine and its NATO and EU allies.
Whether or not these groups are directly run by Moscow - or behave more as independent contractors - is probably academic, since their attempts to advance a pro-Putin agenda appear to be largely successful.
Indeed, the actual intent of these DDoS attacks - and occasional data leaks - appears to be psychological. "They may succeed in carrying out a serious incident, but we have to remember that immediate effects aren't nearly as important to them as undermining our sense of security," said John Hultquist, chief analyst at Mandiant.
Heavy Use of 'Free or Low-Cost' Services
Some of these efforts look quite nimble. A new report from NetScout Systems says NoName "heavily utilizes free or low-cost public cloud and web services," including content delivery networks, "as a launchpad for DDoS botnets that flood target web servers," and that its attacks typically involve only "HTTP/HTTPS floods meant to consume targets' bandwidth and resources."
NoName has developed a botnet called DDoSia that ties into a cross-platform attack tool of the same name that can run on Windows, Linux and Mac systems, NetScout said. Via its botnet, the group can track individual DDoSia users and promises to reward high performers with cryptocurrency, which since last November has been a NoName-created token called dCoin that can be converted into TON coins, it said.
Outsourcing attacks to "ideologically motivated volunteers" helps NoName's disruptions come from a variety of often legitimate sources, NetScout said. In an analysis of one attack against a client by NoName, the firm found that the greatest amount of attack traffic came from a CDN - not named by the researchers - that appeared to take at least four hours to detect and then attempt to block the abuse of its service.
Repeat Targeting of Switzerland
This week wasn't the first time Swiss government sites have been targeted with DDoS attacks. In June 2023, NoName took credit for attempted disruptions that involved application-layer DDoS attacks. The attacks left multiple high-profile agencies' websites - including those for the Swiss Parliament, Swiss Post and Swiss Federal Railways - publicly inaccessible - most for just a few hours but some for several days.
In a postmortem analysis, Swiss authorities said the attacks had caused scant disruption, as most of the targeted agencies were already prepared, and that no data of any importance was leaked as part of the effort. Instead, it said, the attacker's real objective had been to gain "media, public and political attention."
"The aim of pro-Russian hacker group NoName was to convey its political grievances in response to a series of decisions by the Swiss Parliament, including the transfer of war materiel to third countries and the announcement of President Zelenskyy's address" to the Swiss Parliament, the government said.
The disruptions likely met the self-proclaimed hacktivist group's goals, and thus those of Moscow. "The actor's multiple targets and the political sensitivity of Ukrainian President Volodymyr Zelenskyy's address to the Swiss Parliament led to the DDoS attacks garnering wide media coverage," Swiss authorities said. "As a result of this comprehensive reporting, the actor received the high level of public attention that it was seeking."