There is a high chance of a Distributed Denial of Service (DDoS) attack around and during the “Summit on Peace in Ukraine” conference at the Bürgenstock Switzerland on the upcoming weekend of June 15th and June 16th, 2024. Find a complete breakdown of technical details of what happened over the entire weekend in the article.
Attacks on Swiss web properties were seen during the World Economic Forum in January 2024, the visit of the Ukrainian President Wolodymyr Selenskyj to Switzerland in January 2024, and in June 2023 when the Ukrainian President Wolodymyr Selenskyj was speaking in front of the Swiss Parliament in the form of a remote conference.
In the news leading up to the summit
Based on the news shared by SRF and NZZ, the Swiss NCSC is “expecting” or rating the likelihood of DDoS or other cyber incidents as high.
The latest news on cyber attacks in Switzerland suggests there are concerns that systems may already be compromised: backdoors installed long before efforts were made to enhance protection against cyber risks could now be exploited.
- 20min.ch Russland intensiviert Cyberangriffe auf die Schweiz
- watson.ch Propaganda, Cyber-Attacken und eine Verhaftung – die Schweiz im Visier Putins
Other DDoS attacks against EU political parties
In the news, it is also mentioned that the upcoming elections in the EU Parliament are attracting DDoS attacks in the European region. This might not directly affect Switzerland, however.
Read the article from Cloudflare about “Dutch political websites hit by cyber attacks as EU voting starts“.
General IT problem in federal administration
News has broken that there are general IT problems in the federal administration, with reports of issues in the customs office. The reason is unclear at this point, so it may or may not be related.
Read the article from watson.ch Generelles IT-Problem in der Bundesverwaltung – Grund unklar
National Cyber Security Centre NCSC: First DDoS attacks on federal government websites and those of organisations involved in the Summit on Peace in Ukraine (2024-06-13 11:15)
Some preparations
It’s not clear yet if the actor NoName057(16), also known as “NNM057(16)”, will return or if other actors will be involved. However, it does make sense to keep an eye on the NCSC, or more precisely on the Git repository of GovCERT, the Government Computer Emergency Response Team. Once they gather information about DDoS attacks, they usually publicly post lists of properties to block in the GovCERT.ch Cyber Threat Intelligence.
In the past, it was not always clear who was being attacked, except for attacks carried out by the NoName057(16) group, where the security researcher Kevin Beaumont (@GossiTheDog) identified the targets from the DDoSia Project client. These attacks targeted various sectors such as logistics, transport, finance, post, tourism and state websites, at both privately owned and state-owned entities. DDoS attacks can occur at OSI Layers 3-4, but these days OSI Layer 7 attacks are more common and more effective; they manifest as HTTP GET or POST requests, also over TLS.
Tiny word of advice: If you are running or operating web-based services where uptime is crucial for the business or reputation, consider using a Content Delivery Network (CDN) and a robust Web Application Firewall (WAF). Familiarize yourself with log analysis and blocking rules specific to your service provider, and cache as much as possible.
Concrete Preparations
Information about a specific ASN was posted online. Also, Stark Industries Solutions is not an unknown service to me. I have seen malicious traffic multiple times coming from this ASN. Based on the latest details from the articles, I would recommend blocking that ASN to anyone.
- krebsonsecurity.com Stark Industries Solutions: An Iron Hammer in the Cloud
- correctiv.org Hacks und Propaganda: Zwei Brüder aus Moldau tragen Russlands digitalen Krieg nach Europa
AS44477 Stark Industries
AS52000 MIRhosting B.V.
AS206932 MIRhosting B.V.
They do not show up as malicious in IP reputation services.
Hacktivist Groups
There is a whole list of known and unknown hacktivist groups. One of the most famous ones is NoName057(16). I think this is because of the large amount of public posting about their actions and also some indicators show that they might be one of the most prominently visible players.
The website cyjax.com published a post titled “Hacktivism Roundup Q1 2024: Warfare in the Digital World” that also includes an analysis of Check Host links.
Based on the published links, which are mostly related to different web properties, it seems that NoName057(16) has one of the larger footprints among the attackers who publicly post about their operations.
You can typically find Check Host links in the Telegram channel posts of NoName057(16).
Check Host is a website for checking “worldwide uptime,” and each check result can also be retrieved at a later date using a permalink.
Those results are supposed to showcase the strength of the attack. In this case, we see a 403 error, which indicates that the checking host reached a blocked page. It does not clearly indicate that the website was unavailable for its intended users.
NoName057(16)
Find current attack targets from NoName057(16) on Mastodon from the Computer Incident Response Center Luxembourg (CIRCL).
https://social.circl.lu/@NoName57Bot
The posting usually also contains a JSON object containing instructions for the attacking client. This information is from the client and describes in detail how the client should attack. This will show you the attack pattern exactly and can be used to create rules on how to protect against and block the attacks. Alternatively, it can also provide guidance on processing the log files more efficiently to isolate IP addresses, networks, ISPs, or ASNs to block.
Technical Report on the Inner Workings of DDoS Group NoName057(16) and their DDoSia Client. NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts
You can also review their public postings on Telegram.
As seen in the image above, the DDoSia target list on June 6th, 2024 includes www.gvb.nl, and the attack is having an effect. The site is displaying a typical Azure “request blocked” message.
If you are checking global availability, you can see that geoblocking is used as an attack mitigation tactic.
Geoblocking is often easy and effective to roll out, and can be implemented on either a firewall or a CDN, depending on your web stack.
Search for DDoSia v41 by UserAgent
The awesome people at witha.name posted the user agent strings used by DDoSia, allowing for effective filtering or blocking of traffic.
Please note that this information is valid as of DDoSia client version 41. If you plan to use this after June 13, 2024, you are advised to review the latest data on the witha.name website.
Here is an Azure KQL query to filter for the user agent strings in your Front Door access log. This will show you whether those user agents are common in your traffic or absent. If the user agents are not present, which is the best case, you can preemptively block them during high-risk phases. Of course, you can also deploy a block rule as needed if you anticipate being hit by traffic.
let userAgents = dynamic([
"AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)",
"Dalvik/2.1.0 (Linux; U; Android 11; Tibuta_MasterPad-E100 Build/RP1A.201005.006)",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319",
"Mozilla/5.0 (Linux; Android 11; SM-A115M Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/102.0.5005.125 Mobile Safari/537.36 Instagram 306.0.0.35.109 Android (30/11; 280dpi; 720x1411; samsung; SM-A115M; a11q; qcom; pt_BR; 530130405)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.",
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.28.7586",
"Mozilla/5.0 (Linux; Android 13; SM-F711U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36 EdgA/114.0.1823.43",
"Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/115.0.5738.217 Chrome/115.0.5738.217 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/102.0.5143.178 Chrome/102.0.5143.178 Safari/537.36",
"Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-T220) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36",
"Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.66 Mobile DuckDuckGo/1 Lilo/1.2.3 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76 GLS/97.10.7399.100",
"Mozilla/5.0 (X11; Linux x86_64; SMARTEMB Build/3.12.9076) AppleWebKit/537.36 (KHTML, like Gecko) Chromium/103.0.5060.129 Chrome/103.0.5060.129 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19G82 Instagram 306.0.0.20.118 (iPhone12,1; iOS 15_6_1; en_GB; en; scale=2.00; 828x1792; 529083166) NW/3",
"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532MT Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/436.0.0.35.101;]",
"Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1"
]);
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category contains "FrontDoorAccessLog"
| where TimeGenerated >= ago(30d)
| where userAgent_s in (userAgents)
| summarize count() by bin(TimeGenerated, 1h), userAgent_s
| render columnchart
Best case scenario, you review your access log to see if those user agents are present during a non-attack phase. In my case, those user agents have not been present in the last 30 days. Therefore, I will preemptively block all of them.
Thursday, June 13, 2024 08:45
DDoS attacks against Swiss websites seem to have started.
burgenstockresort.com, Bürgenstock Resort Lake Lucerne
www.bazl.admin.ch, Federal Office of Civil Aviation (FOCA)
www.eda.admin.ch, Federal Department of Foreign Affairs (FDFA)
Source witha.name NoName57Bot
The websites www.bazl.admin.ch and www.eda.admin.ch currently do not show any downtime. However, burgenstockresort.com is currently unavailable.
The Bürgenstock resort website hosted on infomaniak.ch has been successfully restored and is now online and running smoothly. This was accomplished without the need for geoblocking. 2024-06-13 10:41
Thursday, June 13, 2024 09:25
www.postauto.ch 🆕
burgenstockresort.com 🆕
www.nw.ch 🆕
www.bazl.admin.ch 🆕
www.eda.admin.ch 🆕
Source witha.name
The website www.postauto.ch also struggled to stay up; it is now a bit slower than usual but still working.
Postauto took quick and effective actions; the site is fast and stable. This was achieved without using geoblocking. 2024-06-13 10:38
Thursday, June 13, 2024 12:45
www.zvv.ch 🆕
www.postauto.ch
burgenstockresort.com
www.flughafen-zuerich.ch 🆕
www.nw.ch
www.bazl.admin.ch
www.eda.admin.ch
At the time of posting, all sites appear to be online. 2024-06-13 at 14:20.
However, it seems I have been blocked as I was checking the website availability at the wrong time.
We have seen various trophy posts from NoName057(16), such as burgenstockresort.com, that have been unavailable for a moment.
However, some of the trophies, like today’s with Airport Zurich, are reported as unavailable, but the screenshot only shows a blocked request.
You can also see here that a trophy was claimed a few days ago while showing a screenshot with the message “you are not supposed to be here” and a shield, which also indicates that the website might have been available to anyone other than the attacker.
This makes me assume that the DDoS is not that important, but maybe the publicity can also be achieved by simply claiming a trophy.
Friday June 14, 2024 03:40
www.zvv.ch
www.investquebec.com 🆕
www.postauto.ch
www.crtc.gc.ca 🆕
www.portbelledune.ca 🆕
burgenstockresort.com
www.gva.ch 🆕
peoples.ch 🆕
www.euroairport.com 🆕
www.sionaeroport.ch 🆕
www.flughafen-zuerich.ch
www.nw.ch
www.bazl.admin.ch
www.engadin-airport.ch 🆕
www.eda.admin.ch
At the time of posting, all websites are up. However, www.investquebec.com and www.euroairport.com are using GeoBlocking. 2024-06-14 05:53
Geoblocking is a good first mitigation step when it comes to defending against a DDoS attack.
On www.investquebec.com, it can be seen on Telegram that the trophy has also already been claimed, despite the mitigation measures appearing to be effective.
Friday June 14, 2024 07:05
www.investquebec.com
As support for https://t.me/s/user_secc
www.crtc.gc.ca
As support for https://t.me/s/user_secc
www.portbelledune.ca
As support for https://t.me/s/user_secc
burgenstockresort.com
www.euroairport.com
www.sionaeroport.ch
www.flughafen-zuerich.ch
www.bazl.admin.ch
www.engadin-airport.ch
www.eda.admin.ch
source witha.name
The list of DDoS targets has reduced in size. This, in turn, means there is more traffic for the targets on the list.
At first glance, the Canadian targets appeared different in the middle of the campaign against Switzerland. However, on Telegram, we can see that this was in collaboration with another group.
Friday June 14, 2024 08:05
www.luganoairport.ch 🆕
The latest update removed all previous entries and now only targets Lugano Airport. It seems to have taken its toll and the website went offline.
Calls from my browser and Global Uptime are both unavailable. 2024-06-14 08:16
The Lugano Airport website is still operational despite the DDoS attacks. 2024-06-14 08:33
Friday June 14, 2024 08:25
airportbuochs.ch 🆕
www.gva.ch 🆕
www.stans.ch 🆕
www.euroairport.com 🆕
www.flughafen-zuerich.ch 🆕
www.nw.ch 🆕
www.luganoairport.ch
www.engadin-airport.ch 🆕
The list expanded again after having only 1 entry for 20 minutes. Currently, I do not see any issues on any of the targeted websites.
Friday June 14, 2024 09:05
airportbuochs.ch
www.gva.ch
www.stans.ch
www.euroairport.com
www.flughafen-zuerich.ch
www.nw.ch
www.luganoairport.ch
www.vbl.ch 🆕
www.engadin-airport.ch
The configuration has been updated frequently recently, and now we also see Luzern Transportation on the list.
Friday June 14, 2024 09:25
airportbuochs.ch
www.sob.ch 🆕
airport-grenchen.ch 🆕
www.gva.ch
www.stans.ch
www.euroairport.com
www.flughafen-zuerich.ch
www.nw.ch
www.luganoairport.ch
www.vbl.ch
www.engadin-airport.ch
Both newly added sites seem to be struggling with the increased load.
Friday June 14, 2024 09:45
airportbuochs.ch
www.sob.ch
airport-grenchen.ch
www.gva.ch
peoples.ch 🆕
www.stans.ch
www.euroairport.com
www.flughafen-zuerich.ch
www.nw.ch
www.luganoairport.ch
www.vbl.ch
www.engadin-airport.ch
Friday June 14, 2024 10:05
airportbuochs.ch
www.sob.ch
www.zimex.com 🆕
airport-grenchen.ch
www.gva.ch
www.swisshelicopter.ch 🆕
peoples.ch
www.pc7-team.ch 🆕
www.stans.ch
www.euroairport.com
www.flughafen-zuerich.ch
www.nw.ch
www.luganoairport.ch
www.vbl.ch
www.engadin-airport.ch
It seems like all websites are able to handle the traffic except zimex.com.
No issues over at Swiss Helicopter. Well done!
No issues with the PC-7 Team either.
Latest claims from NoName057(16) over on Telegram
The Swiss helicopters website was also reported as unavailable.
The configuration has remained unchanged for a while now. 2024-06-14 14:06
The host check link from the Telegram post displays a 403 Forbidden error.
What I can tell you now is that the website is up and working, utilizing Cloudflare as a CDN provider.
Saturday June 15, 2024 07:15
airportbuochs.ch
www.pc7-team.ch
www.euroairport.com
www.flughafen-zuerich.ch
www.luganoairport.ch
www.vbl.ch
www.engadin-airport.ch
The list was reduced, and no new targets have been added. The biggest change, therefore, is that existing targets will see increased pressure as the load of the network is concentrated on fewer targets.
Saturday June 15, 2024 08:15
www.srgssr.ch 🆕
pretestmy.srgssr.ch 🆕
pretestsearch.srgssr.ch 🆕
pretestintranet-swi.srgssr.ch 🆕
pretestintranet.srgssr.ch 🆕
pretestintranet-rtr.srgssr.ch 🆕
pretestintranet-rsi.srgssr.ch 🆕
pretestintranet-swisstxt.srgssr.ch 🆕
pretestintranet-rts.srgssr.ch 🆕
pretestcollab.srgssr.ch 🆕
testintranet.srgssr.ch 🆕
testintranet-rtr.srgssr.ch 🆕
testintranet-swisstxt.srgssr.ch 🆕
testcollab.srgssr.ch 🆕
testmy.srgssr.ch 🆕
testsearch.srgssr.ch 🆕
testintranet-rts.srgssr.ch 🆕
testintranet-swi.srgssr.ch 🆕
The focus has shifted from transportation to news. Since the summit starts today, I believe attention has now turned to news reporting. Currently, I don’t see any issues on the national news websites. The website is functioning as usual. Additionally, the approach has changed; now only one property is being targeted along with many of its services, whereas previously we saw multiple properties targeted, focusing mainly on the primary domains. The presence of a large number of “test” words in the domains indicates that some of them may not even be production systems.
Based on the latest update, NoName057(16) expects vastly different systems behind those domain names than I would expect. Since most of them contain “test” in the name, they are likely not even in productive use. However, the assumption seems to be that they targeted a large list of identity providers. This looks rather confusing to me.
In review, attack duration
As of today, Saturday, June 15, 2024, 13:10 the longest attacks have been running against the following 10 NoName057(16) targets.
URL | Total Duration (Minutes) |
---|---|
www.nw.ch | 2669 |
www.flughafen-zuerich.ch | 2589 |
www.euroairport.com | 1694 |
www.engadin-airport.ch | 1694 |
www.gva.ch | 1574 |
peoples.ch | 1493 |
www.luganoairport.ch | 1450 |
airportbuochs.ch | 1430 |
www.eda.admin.ch | 1420 |
www.bazl.admin.ch | 1420 |
Saturday June 15, 2024 17:56
GovCERT.ch has published Cyber Threat Intelligence. It mostly consists of a list of IP Addresses that have been used by NoName057(16).
The list appears to be rather short but is definitely a good starting point. I recommend everyone who is trying to defend against or preparing to defend against NoName057(16) DDoS attacks to use and deploy blocking lists based on these details.
- https://github.com/govcert-ch/CTI
- https://github.com/govcert-ch/CTI/blob/main/20240615_NoName057-attacking-ips.csv
Which ASNs can be found in this CSV? We see AS212238, AS60068, AS9009, and AS43350.
ASN | ASNOrg | Subnet | Number of IPs |
---|---|---|---|
212238 | Datacamp Limited | 138.199.47.0/24 138.199.58.0/23 143.244.41.0/24 149.102.224.0/19 149.36.48.0/22 149.40.48.0/20 149.50.208.0/20 212.102.35.0/24 212.102.57.0/24 37.19.220.0/23 84.239.16.0/23 84.239.37.0/24 84.239.41.0/24 84.239.42.0/23 84.239.45.0/24 84.239.47.0/24 84.239.6.0/23 84.247.112.0/21 87.249.132.0/22 | 193 |
60068 | Datacamp Limited | 212.102.60.0/22 84.17.42.0/24 84.17.44.0/22 84.17.50.0/23 | 70 |
9009 | M247 Europe SRL | 146.70.96.0/19 146.70.220.0/22 146.70.240.0/21 185.156.172.0/22 185.183.104.0/22 185.212.168.0/22 185.253.96.0/22 193.239.84.0/22 37.120.208.0/21 82.102.16.0/20 84.39.112.0/21 | 49 |
43350 | NForce Entertainment B.V. | 109.201.128.0/19 46.166.128.0/20 46.166.176.0/20 | 13 |
As stated: “Data published here is provided ‘as it is’ without any warranty or liability.”
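To see how the subnet table above relates to your own traffic before you block on it, the following added example (not code from GovCERT or from the original post) matches client IPs against the listed subnets and compares the number of listed IPs per ASN with the number of addresses a subnet-level block would cover. The subnets and counts are copied from the table; the sample client IPs and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# ASN -> (organisation, IPs listed on this page, subnets), copied from the table above.
ASN_TABLE = {
    212238: ("Datacamp Limited", 193,
             "138.199.47.0/24 138.199.58.0/23 143.244.41.0/24 149.102.224.0/19 "
             "149.36.48.0/22 149.40.48.0/20 149.50.208.0/20 212.102.35.0/24 "
             "212.102.57.0/24 37.19.220.0/23 84.239.16.0/23 84.239.37.0/24 "
             "84.239.41.0/24 84.239.42.0/23 84.239.45.0/24 84.239.47.0/24 "
             "84.239.6.0/23 84.247.112.0/21 87.249.132.0/22"),
    60068: ("Datacamp Limited", 70,
            "212.102.60.0/22 84.17.42.0/24 84.17.44.0/22 84.17.50.0/23"),
    9009: ("M247 Europe SRL", 49,
           "146.70.96.0/19 146.70.220.0/22 146.70.240.0/21 185.156.172.0/22 "
           "185.183.104.0/22 185.212.168.0/22 185.253.96.0/22 193.239.84.0/22 "
           "37.120.208.0/21 82.102.16.0/20 84.39.112.0/21"),
    43350: ("NForce Entertainment B.V.", 13,
            "109.201.128.0/19 46.166.128.0/20 46.166.176.0/20"),
}
NETWORKS = [(ipaddress.ip_network(cidr), asn)
            for asn, (_, _, cidrs) in ASN_TABLE.items()
            for cidr in cidrs.split()]

# Constructed sample of client IPs as they might appear in an access log.
# These are NOT entries from the GovCERT CSV.
SAMPLE_CLIENT_IPS = ["84.17.42.10", "46.166.130.5", "146.70.100.1",
                     "149.102.230.9", "84.17.45.200", "192.0.2.44", "not-an-ip"]


def asn_for(ip_text):
    """Return the ASN whose listed subnet contains ip_text, else None."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None  # malformed log field
    for net, asn in NETWORKS:
        if ip.version == net.version and ip in net:
            return asn
    return None


def hits_per_asn(ips):
    """Count log IPs per matching ASN; unmatched or malformed entries go under None."""
    return Counter(asn_for(ip) for ip in ips)


def block_scope():
    """Per ASN: (IPs listed on the page, addresses covered by its listed subnets).

    The listed subnets do not overlap, so the sizes can simply be summed.
    """
    covered = Counter()
    for net, asn in NETWORKS:
        covered[asn] += net.num_addresses
    return {asn: (ASN_TABLE[asn][1], covered[asn]) for asn in ASN_TABLE}


if __name__ == "__main__":
    print("hits in sample log:", dict(hits_per_asn(SAMPLE_CLIENT_IPS)))
    for asn, (listed, covered) in block_scope().items():
        print(f"AS{asn} {ASN_TABLE[asn][0]}: {listed} listed IPs, "
              f"{covered} addresses if blocked by subnet")
```

A subnet-level rule covers far more addresses than the IPs actually listed, so compare the per-ASN hit counts with a non-attack baseline from your own logs before choosing between IP-level and subnet-level blocking.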
Sunday June 16, 2024 06:08
Most DDoS client configuration updates are between 07:00 and 10:30. So, it’s likely we will see a change soon.
Adding the weekdays gives us some visual clues on what to expect today, Sunday. Indications are that we might only see one configuration update today.
Also, the latest post went online showing what seems to be AI-generated images depicting NoName057(16). However, I do not think the DDoS attack was as successful as they are trying to make the public believe.
Today is the second and also the last day of the “Summit on Peace in Ukraine.”
Sunday June 16, 2024 08:10
sponsoring.srgssr.ch 🆕
www.srgssr.ch
mars.es.srgssr.ch 🆕
janus.es.srgssr.ch 🆕
charon.es.srgssr.ch 🆕
gemini.es.srgssr.ch 🆕
portal.srgssr.ch 🆕
portal.app.srgssr.ch 🆕
As expected, a new list came in. We are still on Swiss National TV.
Systems are running fine over at SRG SSR. Well done!
This does not stop NoName057(16) from claiming the trophy of the website being unavailable. The screenshots, however, show the service is working. The “proof” from check-host.net is a ping check, which most providers block, even without an incoming DDoS attack.
It almost seems to me that once again the claim is being made that the site is down without actually impacting the service. I have experienced this before, where the website was reported as down but I could not verify that myself, and the evidence provided was not clear and even indicated that the service was available without any issues.
Sunday June 16, 2024 15:44
As expected, there were just a few changes of targets today, or actually only one. In terms of total duration, SRG SSR moved up a lot in the top 10 list of longest-running DDoS attacks based on the configuration files.
URL | Total Duration (Minutes) |
---|---|
www.nw.ch | 2669 |
www.flughafen-zuerich.ch | 2589 |
www.srgssr.ch | 1884 (*Ongoing DDoS) |
www.euroairport.com | 1694 |
www.engadin-airport.ch | 1694 |
www.gva.ch | 1574 |
peoples.ch | 1493 |
www.luganoairport.ch | 1450 |
pretestmy.srgssr.ch | 1435 |
pretestsearch.srgssr.ch | 1435 |
* I assume the DDoS attack is still ongoing since the last configuration file targeted this domain and no new information has been published. I do not have any additional insights. All data is derived from when the URI was added and removed from the configuration file. I do not know if there are other means to control traffic.
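The duration tables are derived from when a host was added to and removed from the target list. The following added example (not the author's own tooling) shows that calculation on a slice of this page's Friday June 14 timeline, including a host that is dropped and later re-added. The target lists are copied from the page; the posting times stand in for the configuration update times, and the function names are chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Target lists copied from this page's Friday June 14 entries. The timestamps
# are the blog's posting times, used as stand-ins for config update times.
SNAPSHOTS = [
    ("2024-06-14 07:05", {
        "www.investquebec.com", "www.crtc.gc.ca", "www.portbelledune.ca",
        "burgenstockresort.com", "www.euroairport.com", "www.sionaeroport.ch",
        "www.flughafen-zuerich.ch", "www.bazl.admin.ch",
        "www.engadin-airport.ch", "www.eda.admin.ch"}),
    ("2024-06-14 08:05", {"www.luganoairport.ch"}),
    ("2024-06-14 08:25", {
        "airportbuochs.ch", "www.gva.ch", "www.stans.ch", "www.euroairport.com",
        "www.flughafen-zuerich.ch", "www.nw.ch", "www.luganoairport.ch",
        "www.engadin-airport.ch"}),
    ("2024-06-14 09:05", {
        "airportbuochs.ch", "www.gva.ch", "www.stans.ch", "www.euroairport.com",
        "www.flughafen-zuerich.ch", "www.nw.ch", "www.luganoairport.ch",
        "www.vbl.ch", "www.engadin-airport.ch"}),
]
WINDOW_END = "2024-06-14 09:25"  # time of the next snapshot on the page


def changes(snapshots):
    """Return [(timestamp, added, removed)] for each snapshot vs. the previous one."""
    out, prev = [], set()
    for ts, hosts in sorted(snapshots, key=lambda s: s[0]):
        out.append((ts, sorted(hosts - prev), sorted(prev - hosts)))
        prev = hosts
    return out


def listed_minutes(snapshots, end):
    """Total minutes each host spent on the target list up to `end`.

    A host is counted from the snapshot in which it appears until the next
    snapshot, so a host that is dropped and re-added accumulates both
    periods but not the gap between them.
    """
    ordered = sorted(snapshots, key=lambda s: s[0])
    if not ordered:
        return {}
    times = [datetime.strptime(ts, FMT) for ts, _ in ordered]
    times.append(datetime.strptime(end, FMT))
    if times[-1] < times[-2]:
        raise ValueError("end lies before the last snapshot")
    totals = defaultdict(int)
    for i, (_, hosts) in enumerate(ordered):
        minutes = int((times[i + 1] - times[i]).total_seconds() // 60)
        for host in hosts:
            totals[host] += minutes
    return dict(totals)


def longest_running(totals, n=10):
    """Hosts ranked by listed minutes, ties broken alphabetically."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for ts, added, removed in changes(SNAPSHOTS):
        print(ts, "added:", added, "removed:", removed)
    totals = listed_minutes(SNAPSHOTS, WINDOW_END)
    for host, minutes in longest_running(totals, 5):
        print(f"{host:28} {minutes:4d} min")
```

Because only four snapshots are included, the totals cover this window only and do not match the campaign-wide figures in the tables.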
Monday June 17, 2024 06:18
The conference ended yesterday evening, Sunday. Many state guests likely have already returned, as there were reports of flight delays at Zurich Airport. Between 7:00 and 8:45, it’s likely we will see an update to the NoName057(16) target list. We will see if Switzerland is still the target or if the group will move on.
Monday June 17, 2024 07:15
metro.waw.pl 🆕
sponsoring.srgssr.ch
www.srgssr.ch
mars.es.srgssr.ch
janus.es.srgssr.ch
charon.es.srgssr.ch
gemini.es.srgssr.ch
portal.srgssr.ch
portal.app.srgssr.ch
An update just came in, and we can see that the focus is shifting. A new target, Metro Warsaw, has been added. However, SRG SSR remains on the list for now.
Monday June 17, 2024 08:15
metro.waw.pl
obywatel.gov.pl 🆕
www.mpk.krakow.pl 🆕
rozklad-pkp.pl 🆕
With this, I think the campaign in Switzerland has ended. Also, this will be the last update here unless they come back later today.
URL | Total Duration (Minutes) |
---|---|
www.srgssr.ch | 2880 |
www.nw.ch | 2669 |
www.flughafen-zuerich.ch | 2589 |
www.euroairport.com | 1694 |
www.engadin-airport.ch | 1694 |
www.gva.ch | 1574 |
peoples.ch | 1493 |
www.luganoairport.ch | 1450 |
mars.es.srgssr.ch | 1445 |
janus.es.srgssr.ch | 1445 |
The top 3 targets with the longest DDoS campaigns from NoName057(16) were SRG SSR, Canton of Nidwalden, and Zurich Airport.
We can see that the Swiss NCSC was hit (last) with a DDoS attack. It’s unclear what motivated this attack. It could be related to the release of the IP address details of NoName057(16) clients, but those attacks have also stopped.
Other groups
There are a large number of hacktivist groups, and it is neither possible to track all of them nor to gain valuable insights on what’s going on. So, I would not recommend that defenders pay too much attention to communication channels during a DDoS attack.
- https://t.me/s/user_secc
- https://t.me/s/bettercallmeris
- https://t.me/s/CyberArmyofRussia_Reborn
- https://t.me/s/hack_n3t
- https://t.me/s/rootkalisploit
- https://t.me/s/KillMilkChannel
- https://t.me/+lYYyb3exPNFjNmRi
- https://t.me/CoupTeam
- https://t.me/+Xa_Qj2Qd1SUyZGYy
Stay online, stay safe
At the time of initially posting this blog post, I had not yet experienced a DDoS attack that I assumed could be related to the event. However, in the meantime, this changed on Thursday morning at 08:45 when we could see publicly that NoName057(16) started attacking targets in Switzerland. I hope everyone can stay safe and online during this time.