Brian Sims
Editor

Pro-Russia hacktivist activity continues to target UK organisations

RUSSIAN-ALIGNED hacktivist groups continue to target the UK and global organisations by attempting to disrupt operations, take websites offline and disable services. That’s the key message emanating from the National Cyber Security Centre (NCSC).

Last December, the NCSC co-sealed an advisory highlighting that pro-Russian hacktivists have been conducting worldwide cyber operations against numerous organisations and critical infrastructure sectors.

In particular, the group NoName057(16) has been active since March 2022, conducting attacks against Government and private sector entities in NATO Member States as well as other European countries that are perceived as hostile to Russian geopolitical interests. These attacks have included frequent Distributed Denial of Service (DDoS) attempts against UK local Government.

The group operates primarily through Telegram channels and has used GitHub (and other websites and repositories) to host its proprietary tool DDoSia and to share tactics, techniques and procedures with its followers.

This is not the first time that the NCSC has called out activity from Russian-aligned groups targeting UK organisations. In 2023, the NCSC published an alert on the risk posed by state-aligned adversaries following the Russian invasion of Ukraine. These attacks are ideologically rather than financially motivated and reflect an evolution in the threat, which now targets UK operational technologies. As a result, the NCSC encourages all Operational Technology owners to follow recommended mitigation advice in order to harden their cyber defences.

Understanding and mitigation

The NCSC is advising that all organisations should review their defences and improve resilience against attacks from Russian-aligned groups. In particular, the NCSC is encouraging all organisations to review their Denial of Service protections.

There are probably many points in the service where an attacker can attempt to overload or exhaust available resources, thereby preventing the serving of legitimate users. It’s important to understand where these points are and, in each case, determine whether the host organisation or a supplier is responsible.

Ensure service providers are ready to deal with resource exhaustion in places where they’re uniquely placed to help. It’s vitally important to:

* understand the Denial of Service mitigations that your ISP has in place on your account

* look into third party DDoS mitigation services that can be used to protect against network traffic-based attacks

* consider deploying a content delivery network for web-based services

* understand when and how your service provider might limit your network access in order to protect its other customers

* consider using multiple service providers for some functionality

Building to allow scaling

In order to deal with attacks which cannot be handled upstream (or only once detected and blocked), make sure the service can rapidly scale. Ideally, it should be possible to scale all aspects of the application and infrastructure.

Cloud-native applications can be automatically scaled using the cloud providers’ APIs. In private Data Centres, automated scaling is possible using modern virtualisation, but this will require spare hardware capacity in order to deal with the additional load.

Design the service and plan the response to an attack so that the service can continue to operate (albeit in a degraded fashion). The plan should encompass graceful degradation, dealing with changing tactics, retaining administrative access during an attack and having a scalable fall-back plan in place for essential services.

Testing and monitoring

Gain confidence in your defences by testing them, and ensure that you can spot when attacks start by having the right tools in place. Test your defences so you know the types (and volume) of attack you are able to defend against. System monitoring will help in spotting attacks when they begin. It’s best to analyse the response while an attack episode is underway.
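As an added illustration of the monitoring point above (example code written for this page, not part of the NCSC guidance or the article), the following sliding-window monitor reads web-server access-log lines and flags a single source, or the service as a whole, whose request rate exceeds a threshold within a 10-second window. The log format, IP addresses, thresholds and sample lines are all constructed values; real thresholds should come from your own measured baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, datetime, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def detect_floods(lines, window_s=10, per_ip_limit=30, total_limit=200):
    """Sliding-window rate check over chronologically ordered log lines.
    Emits one alert the first time a single source ("ip") or the service as
    a whole ("total") exceeds its limit inside any window_s-second window.
    The thresholds are placeholders: derive yours from measured baseline traffic.
    """
    per_ip, total = defaultdict(deque), deque()
    window = timedelta(seconds=window_s)
    alerts, flagged = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than stop monitoring
        ip, ts, _ = parsed
        for q in (per_ip[ip], total):
            q.append(ts)
            while q and ts - q[0] > window:  # drop events outside the window
                q.popleft()
        if len(per_ip[ip]) > per_ip_limit and ip not in flagged:
            flagged.add(ip)
            alerts.append((ts.isoformat(), "ip", f"{ip}: {len(per_ip[ip])} req/{window_s}s"))
        if len(total) > total_limit and "total" not in flagged:
            flagged.add("total")
            alerts.append((ts.isoformat(), "total", f"{len(total)} req/{window_s}s"))
    return alerts

def make_sample_log():
    """Constructed sample: 10 s of light mixed traffic, then a 2 s burst from one source."""
    t0 = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    def fmt(ip, t, path="/"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
    baseline = [fmt(f"198.51.100.{i % 5 + 1}", t0 + timedelta(milliseconds=500 * i)) for i in range(20)]
    burst = [fmt("203.0.113.7", t0 + timedelta(seconds=10, milliseconds=50 * i), "/search") for i in range(40)]
    return baseline + burst
```

Running `detect_floods(make_sample_log())` reports the bursting source once it passes 30 requests in the window while the overall service rate stays below its limit, which is the distinction a degraded-mode response plan needs in order to throttle the offender without shedding legitimate users.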

* For more information refer to the NCSC’s core Denial of Service guidance
