The World Economic Forum takes place in Switzerland on January 20-24, 2025. Last year this caused various DDoS attacks on Swiss websites. Whether we will see DDoS activity again this year is not yet known. With the forum only days away, we might soon see whether Switzerland is again in the focus of NoName057(16) or other actors.
Preparations
The website witha.name is tracking NoName057(16) closely and is publishing the DDoSia configuration files. Those files contain valuable information for countermeasures: they make it faster to isolate the attack requests and deploy effective blocking measures.

Recently, it seems there is also protected information about IP addresses used in the attacks. Sadly, I’m unaware of how to access this, but this would be very powerful information ahead of an attack.

The question of how to get access also came up on Reddit, but got no responses.
🔥 Blocklist from NCSC
The NCSC has published a denylist for subnets from various ASNs that can be blocked preemptively. Please do so as preparation.
The following autonomous system numbers (ASNs) have been observed as part of the attack.
AS174, COGENT-174
AS3462, Data Communication Business Group
AS7203, LEASEWEB-USA-SFO
AS8100, ASN-QUADRANET-GLOBAL
AS9009, M247 Europe SRL
AS11878, TZULO
AS12389, Rostelecom
AS13737, AS-INCX
AS14061, DIGITALOCEAN-ASN
AS15640, MTS PJSC
AS16276, OVH SAS
AS23470, RELIABLESITE
AS24940, Hetzner Online GmbH
AS25106, Mobile TeleSystems JLLC
AS33083, AXCELX-NET
AS35758, Rachamim Aviel Twito
AS36352, AS-COLOCROSSING
AS41564, Orion Network Limited
AS41745, Baykov Ilya Sergeevich
AS42708, GleSYS AB
AS44477, Stark Industries Solutions Ltd
AS46562, PERFORMIVE
AS47236, CityLink Ltd
AS50916, CityLink Ltd
AS51430, AltusHost B.V.
AS51852, Private Layer INC
AS56971, Cgi Global Limited
AS58065, Orion Network Limited
AS60068, Datacamp Limited
AS61272, Informacines sistemos ir technologijos, UAB
AS61317, Hivelocity LLC
AS198983, 'Tornado Datacenter GmbH & Co. KG'
AS199058, Serva One Ltd
AS199785, Cloud Hosting Solutions, Limited.
AS201670, S.c. Infotech-grup S.r.l.
AS205119, TELEKS DOOEL Skopje
AS206804, EstNOC OY
AS207083, HostSlim B.V.
AS212238, Datacamp Limited
AS213702, QWINS LTD
AS215540, Global Connectivity Solutions Llp
AS215590, DpkgSoft International Limited
AS396362, LEASEWEB-USA-NYC
AS397373, H4Y-TECHNOLOGIES
Activity
Hackmaniac collects data about cyberattacks and cyber threats from public information and, for the first days of 2025, classified NoName057(16) as the most active or visible group among well-known attacks.

Follow hack-tuesday for more.
Without knowing the background, very public DDoS campaigns were already ongoing in January 2025.
- ZKB also hit by major outage: IT crisis widens (insideparadeplatz.ch 2025-01-13)
- Cyberattack on Migros Bank continues (insideparadeplatz.ch 2025-01-13)
- DDoS attack on the federal government: nothing worked for 45 minutes (2025-01-13)
NoName057(16)
The old channels on Telegram seem to no longer exist, but there is a verified profile on X (formerly Twitter) that is posting in the group's name.

We also have a new Telegram channel posting in Cyrillic letters.

Plus one new Telegram channel posting in English.

There is also a group called DDoSia, but it requires you to join. I did not join to see.

NoName057(16) change tracking
For NoName057(16), a treasure trove of data exists. This means that this year I can see that on Sundays, changes are mostly executed between 7:15 and 7:30 AM and between 8:15 and 8:30 AM. As of today, Sunday, January 19, 2025, we saw the update taking place at 7:05 AM and targeting sites in the UK.

Monday January 20th, 2025
Source: witha.name (2025-01-20 07:37)
From January 20th, the start of the WEF in Davos, we see the attention of NoName057(16) shift away from the United Kingdom to DDoS targets in Switzerland.
Source: witha.name (2025-01-20 07:37)
Source: witha.name (2025-01-20 07:37)
Source: witha.name (2025-01-20 08:21)
Source: witha.name (2025-01-20 08:37)
Source: witha.name (2025-01-20 08:55)
Source: witha.name (2025-01-20 12:20)
Tuesday January 21st, 2025
Source: witha.name (2025-01-21 07:52)
Source: witha.name (2025-01-21 08:35)
Wednesday January 22nd, 2025
Source: witha.name (2025-01-22 07:05)
Source: witha.name (2025-01-22 14:08)
Thursday January 23rd, 2025
www.bj.admin.ch
www.integrationsfoerderungintg.admin.ch
samil20-a.admin.ch
Source: witha.name (2025-01-23 07:15)
Source: witha.name (2025-01-23 12:15)
Friday January 24th, 2025
Source: witha.name (2025-01-24 07:20)
Source: witha.name (2025-01-24 14:05)
Saturday January 25th, 2025
Source: witha.name (2025-01-25 07:15)
Sunday January 26th, 2025
Source: witha.name (2025-01-26 07:20)
Monday January 27th, 2025
We see that the group's attention has switched to websites in Poland, so the WEF-related attack campaign looks to be over.
UserAgent in Access Logs
The user agents published on witha.name for DDoSia did not change, so the following query can help you find matching requests in Azure Front Door access logs saved in a Log Analytics workspace.
let userAgents = dynamic([
"AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)",
"Dalvik/2.1.0 (Linux; U; Android 11; Tibuta_MasterPad-E100 Build/RP1A.201005.006)",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319",
"Mozilla/5.0 (Linux; Android 11; SM-A115M Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/102.0.5005.125 Mobile Safari/537.36 Instagram 306.0.0.35.109 Android (30/11; 280dpi; 720x1411; samsung; SM-A115M; a11q; qcom; pt_BR; 530130405)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.",
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.28.7586",
"Mozilla/5.0 (Linux; Android 13; SM-F711U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36 EdgA/114.0.1823.43",
"Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/115.0.5738.217 Chrome/115.0.5738.217 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/102.0.5143.178 Chrome/102.0.5143.178 Safari/537.36",
"Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-T220) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36",
"Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.66 Mobile DuckDuckGo/1 Lilo/1.2.3 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76 GLS/97.10.7399.100",
"Mozilla/5.0 (X11; Linux x86_64; SMARTEMB Build/3.12.9076) AppleWebKit/537.36 (KHTML, like Gecko) Chromium/103.0.5060.129 Chrome/103.0.5060.129 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19G82 Instagram 306.0.0.20.118 (iPhone12,1; iOS 15_6_1; en_GB; en; scale=2.00; 828x1792; 529083166) NW/3",
"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532MT Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/436.0.0.35.101;]",
"Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1"
]);
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category contains "FrontDoorAccessLog"
| where TimeGenerated >= ago(30d)
| where userAgent_s in (userAgents)
| summarize count() by bin(TimeGenerated, 1h), userAgent_s
| render columnchart
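A single match on one of these user agents can still come from a real device, so a useful follow-up is to group by client IP. The query below is an added example, not part of the original post: it runs on constructed sample rows and flags client IPs that present several different listed user agents within a five-minute window. The column name `clientIp_s`, the threshold `minDistinctAgents`, and the heuristic that one client cycling through listed agents is a stronger signal than a single hit are assumptions.

```kql
// Added example. The datatable rows are constructed and stand in for AzureDiagnostics.
// clientIp_s is an assumed column name; check it against your workspace schema.
let userAgents = dynamic([
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319",
    "Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1"
]);
let minDistinctAgents = 2; // hypothetical threshold, tune against your own baseline
let SampleAccessLog = datatable(TimeGenerated: datetime, clientIp_s: string, userAgent_s: string)
[
    // 192.0.2.10 cycles through three listed agents within seconds
    datetime(2025-01-20 07:40:01), "192.0.2.10", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    datetime(2025-01-20 07:40:02), "192.0.2.10", "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319",
    datetime(2025-01-20 07:40:03), "192.0.2.10", "Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1",
    // 198.51.100.7 repeats one listed agent, which a real device could also do
    datetime(2025-01-20 07:41:10), "198.51.100.7", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    datetime(2025-01-20 07:41:30), "198.51.100.7", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    // 203.0.113.5 uses an agent that is not on the list
    datetime(2025-01-20 07:42:00), "203.0.113.5", "ExampleBrowser/1.0 (constructed, not on the list)"
];
SampleAccessLog
| summarize
    Requests = count(),
    ListedRequests = countif(userAgent_s in (userAgents)),
    DistinctListedAgents = dcountif(userAgent_s, userAgent_s in (userAgents))
    by clientIp_s, Window = bin(TimeGenerated, 5m)
// Share of this client's traffic that used a listed agent
| extend ListedShare = round(todouble(ListedRequests) / Requests, 2)
// Keep only clients that switched between several listed agents in one window
| where DistinctListedAgents >= minDistinctAgents
| project Window, clientIp_s, Requests, ListedRequests, DistinctListedAgents, ListedShare
| order by ListedRequests desc
```

To run it against real data, replace `SampleAccessLog` with the `AzureDiagnostics` filter from the query above and use the full user agent list.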
In the media
The DDoS also made headlines, with 20min.ch, one of the biggest news outlets in Switzerland, posting about it. However, they did so in a very catchy and exaggerated way. Here’s a screenshot taken right from the front page.

Follow this link to read the full article on 20min.ch: ‘Mega-Attack Paralyzes Swiss Sites: Hacker Group Claims Responsibility’
Also, the National Cyber Security Centre (NCSC) wrote a media article about the DDoS attack surrounding the WEF and their motivation.

Find the full article by following this link: ‘Expected DDoS attacks have begun’