Amid the ongoing elections for the European Parliament, the Russia-aligned NoName057(16) cyber criminal operation says it is launching extensive distributed denial of service (DDoS) attacks against internet infrastructure across Europe.
The four-day election – the first to take place since Brexit – kicked off on Thursday 6 June in the Netherlands, although Estonia has been voting since Monday 3 June. Czechia and Ireland vote today (Friday 7 June), and the remaining European Union member states be voting at the weekend.
In a dark web posting surfaced by cyber security news website DailyDarkWeb, the NoName057(16) gang said the European Parliament was “pseudo-democratic and thoroughly Russophobic”.
The statement laid into Brussels, claiming European politicians ignored the “genocide” of the people of Donbas, an eastern region of Ukraine, parts of which are currently illegally occupied by Russian forces in the ongoing war.
It said: “When Russia began protecting the peaceful population of Crimea in 2014 and the residents of Donbas in 2022, the EP [European Parliament], like a rabid printer, started issuing meaningless anti-Russian sanctions in bulk.
“For the Russophobia and double standards of European authorities, Europe’s internet infrastructure will suffer from Russian hackers.”
NoName057(16) claims to have enlisted several other malicious hacking collectives to its cause, including 22C and IAMKILLMILK, CoupTeam, Cyberdragon, People’s CyberArmy, Root@kali and Usersec, with other participants supposedly wanting to remain anonymous.
According to Cloudflare, some DDoS attacks against political websites in the Netherlands have already been observed on 5 and 6 June, although these have been linked (by Cloudflare) to a group called HackNet, and it is unclear if there is a link to NoName057 (16).
Cloudflare’s João Tomé said the attacks on 5 June peaked at 1pm Central European Time (CET) at a rate of 73,000 hypertext transfer protocol (HTTP) requests per second (RPS), while those on 6 June peaked at about the same time of day at a rate of 52,000 RPS. Cloudflare’s daily DDoS mitigations in the Netherlands reached one billion HTTP requests on 5 June.
Nick Biasini, head of outreach at Cisco’s Talos cyber unit, said that as of the morning of 7 June, NoName057(16) had claimed to have taken down websites belonging to a transportation company and to various Dutch government bodies – according to messages distributed via the Telegram messaging platform.
He said the gang’s threats should be taken very seriously: “Unlike other hacktivist groups, they rely on paid operatives to conduct DDoS attacks, and they operate a self-developed toolkit named DDoSia, underscoring their relative sophistication.
“Moreover, they’re unusually well-organised and deliberate, conducting reconnaissance against potential victims and developing targeted lists of specific victims to attack. Other groups, by contrast, often care more about public attention and reputation, often claiming responsibility for attacks carried out by other groups.”
Basini continued: “NoName057’s most recent threat to target European entities is consistent with their past behaviour. They typically target countries that have assisted Ukraine in some way in its war against Russia.
“Based on our analysis, they were one of the top hacktivist groups targeting European countries over the last year. In fact, they claimed the most attacks against France than any other DDoS actor between 2023 and 2024, according to our review of social media activity on Telegram.”
UK General Election a target
Coming at a time of heightened sensitivity in global geopolitics, the attacks on the European elections herald similar tactics likely to be deployed against the UK General Election on 4 July 2024, and the US Presidential Election on 5 November.
Shortly after prime minister Rishi Sunak called the General Election on 22 May, Margaret Beckett, chair of the National Security Committee, warned that hostile states – generally taken to be China, Russia and North Korea – could “reach the British public far more easily than ever before”.
Besides DDoS attacks, which generally accomplish little save to generate a lot of noise and fuss, some of the more impactful threats include attempts to manipulate the information landscape through deepfake video and audio, a tactic previously used against London mayor Sadiq Khan during his recent re-election campaign.
The BBC has already identified such attempts to influence the General Election through a panel of so-called “Undercover Voters”, a group of fake profiles set up with various opinion characteristics and internet browsing habits that could make them vulnerable to such material if they were real people.
Its network of honeypot voters has already identified a group of smear campaigners working on X – the platform formerly known as Twitter prior to its purchase by erratic tech billionaire Elon Musk.
In one campaign, this group targeted Labour’s Wes Streeting, former shadow health secretary prior to the dissolution of Parliament, with a doctored video of an appearance on the BBC’s Politics Live show in which he appeared to attack fellow candidate Diane Abbott. The fake video was endorsed by an adversarial network of sockpuppet X accounts, including one who falsely claimed to be a BBC floor manager who had heard Streeting’s remarks.
Other fake clips circulated by the same malicious actors targeted Labour candidate Luke Akehurst, who has been criticised by the party’s left wing over his views on the war in Gaza, and Reform Party leader Nigel Farage.