SOCcare November 2024: Have you noticed... a stillness?

Since the 24th of September, an unusual calm, one that is hard to notice amid the action and noise of the cyber world, has been gifted to Lithuania. That day marks the last time a Lithuanian domain was included in the NoName057(16) DDoS malware target list. Overall, compared with the high frequency of attacks in 2023, there have been only four unique dates on which the group targeted Lithuanian institutions, a significant change in operating methods.

While the frequency of attacks has decreased, and the trendline seems to show that the attacks should eventually disappear, real life unfortunately doesn't always work like that. Looking at global trends, we can see that neither the frequency nor the intensity of the attacks has decreased.

Additionally, it is important to note that the group continues to develop their DDoS malware, with major redesigns increasing efficiency and throughput – meaning that each target may be experiencing a more intense attack than previously.

In addition to the overall change in tactics targeting Lithuania, there has also been a major shift in targeted sectors. The trends below show the total number of times a sector was included in a target list. This data contains duplicates: cases where a target was included in multiple target lists (on the same or different days), as well as cases where a target appears multiple times in the same target list. Mainly, we see a large increase in attacks on the communications sector as well as a significant increase in attacks on insurance companies.

Additionally, the targeting of Lithuania differs widely from global trends. In a blog post in June, Sekoia.io provided their insights on NoName057(16)'s globally targeted sectors. In their assessment, 54% of targeted websites belong to the Government sector. Meanwhile, the sector most targeted by the DDoS attacks in Lithuania is Transportation: public transport services, logistics companies and transport infrastructure (airports, docks, etc.). Finally, there was one website that was a complete outlier, the only targeted website of a person rather than an organization: the political campaign website of Tomas Vytautas Raskevičius, https://raskevicius.lt/.

While the changing attacks in Lithuania may seem to suggest that the threat of such attacks has diminished, the attacks themselves are still effective, with the latest attacks in September disrupting services of government institutions. Unlike the global picture, local data shows that while the attacks often come as a response to pro-Ukraine actions in Lithuania, NoName057(16) often targets a wide range of organizations whose disruption may inconvenience the daily lives of regular Lithuanians, rather than trying to deface public institutions that directly support Ukraine.

Additionally, as the attacks decrease in frequency, organizations may invest less in protecting against such attacks. Finally, we see that organizations that have successfully mitigated these DDoS attacks previously tend to be excluded from further attacks, unless, as mentioned previously, such an attack would cause inconvenience for a larger number of people (e.g. public transport information).

What should you do? Follow general guidelines for protecting against DDoS attacks. CISA's publication Understanding and Responding to Distributed Denial-Of-Service Attacks (https://www.cisa.gov/resources-tools/resources/understanding-and-responding-distributed-denial-service-attacks) as well as the Lithuanian National Cybersecurity Center's protection against DDoS bulletin (https://www.nksc.lt/doc/biuleteniai/2021-11-05_DDoS.pdf) are a good starting point. In addition, because the NoName057(16) attacks are carried out by a network of volunteers performing the attacks for monetary gain, anyone who joins the network also gains access to the target list. As joining such a network raises ethical and legal questions, we do not recommend actually doing this. Instead, there are publicly available resources with the latest target lists, and trusted organizations sharing this information in MISP. Using this data, you can detect when you are added to the target list and extract the precise details of how you will be targeted (what requests will be sent to exactly which paths), allowing you to mitigate the attack once it has started.
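The check described above can be automated. The following is an added example, not code from the SOCcare project: it matches a target list against the domains you operate and returns the request methods and paths listed for each matching host. The JSON layout, the field names and the `city-transport.example` domain are assumptions constructed for illustration; map them to the feed or MISP export you actually consume.

```python
import json
from urllib.parse import urlsplit

# Constructed sample. The layout (targets -> host/method/path) is an assumed,
# simplified format; map the fields of the feed or MISP export you actually use.
SAMPLE_TARGET_LIST = json.dumps({"targets": [
    {"host": "www.city-transport.example", "method": "GET", "path": "/search?q=abc"},
    {"host": "WWW.CITY-TRANSPORT.EXAMPLE.", "method": "get", "path": "/search?q=xyz"},
    {"host": "tickets.city-transport.example:443", "method": "POST", "path": "/api/login"},
    {"host": "notcity-transport.example", "method": "GET", "path": "/"},
    {"host": "city-transport.example.other.test", "method": "GET", "path": "/"},
]})
MY_DOMAINS = {"city-transport.example"}  # hypothetical: domains you operate


def normalise_host(value):
    """Reduce 'Host', 'host:port' or a full URL to a lower-case hostname."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").rstrip(".")


def is_mine(host, my_domains):
    """Exact or subdomain match; a bare suffix test would also hit look-alikes."""
    return any(host == d or host.endswith("." + d) for d in my_domains)


def match_targets(feed_json, my_domains):
    """Return {host: [(method, path), ...]} for listed targets on our domains."""
    mine = {normalise_host(d) for d in my_domains}
    hits = {}
    for entry in json.loads(feed_json).get("targets", []):
        host = normalise_host(str(entry.get("host", "")))
        if not host or not is_mine(host, mine):
            continue
        method = str(entry.get("method", "GET")).upper()
        # Keep only the path so repeated entries with different queries collapse.
        path = urlsplit(str(entry.get("path", "/"))).path or "/"
        hits.setdefault(host, set()).add((method, path))
    return {host: sorted(pairs) for host, pairs in hits.items()}


if __name__ == "__main__":
    for host, pairs in match_targets(SAMPLE_TARGET_LIST, MY_DOMAINS).items():
        for method, path in pairs:
            print(f"ALERT {host} listed: {method} {path}")
```

The returned method and path pairs are the inputs for per-path rate limits or WAF rules on the listed hosts.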

Research into such trends comes as part of the SOCcare project, as part of wider investigations into trending threats and their prevalence in Lithuania. Additionally, in sharing the results of the investigation with our project partners, University of Polytechnics Bucharest and RevelSI, we were surprised to find that not a single Romanian institution was targeted by the group.

The SOCcare project is co-funded by the European Union, alongside our collaborators, NRD Cyber Security and RevelSI, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

 

 

 
