NoName057(16) Splinter Cells represent a decentralized evolution of the original NoName057(16) pro-Russian hacktivist collective. Rather than operating as a single coordinated unit, these splinter cells function as semi-autonomous teams that share tooling, ideology, and targeting priorities while executing independent operations. Since late 2023, splinter activity has increased in scale and frequency, enabling sustained disruption campaigns against European governments, financial institutions, and public services supporting Ukraine.
Aliases / Attribution
- NoName057(16) (parent collective)
- NoName Splinter Cells (analyst designation)
- Pro-Russia DDoS Brigades (informal intelligence term)
Attribution is assessed as state-aligned but not state-controlled, with operations consistently matching Russian strategic interests.
Recent Victims of NoName057(16)
- Polish government websites — sustained DDoS attacks disrupted public services following Poland’s announcement of additional military aid to Ukraine.
- Czech banks and financial institutions — coordinated attacks intermittently disrupted online banking and customer portals.
- Italian government and transport portals — targeted during NATO and EU political events to generate public disruption and media attention.
- Nordic public sector organizations — repeatedly disrupted in campaigns framed as retaliation for regional support of Ukraine.
NoName057(16) Tactics, Techniques & Procedures (TTPs)
- DDOSIA platform enabling volunteer-driven attack participation
- Crowdsourced botnets using ideologically motivated participants
- Pre-attack target announcements to amplify psychological impact
- HTTP/S and TLS exhaustion floods to bypass basic rate limiting
- Rapid infrastructure and channel rotation to evade takedowns
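Detection sketch for the crowdsourced HTTP/S floods listed above, added here as an illustration and not taken from the original profile or from any NoName057(16) tooling: it shows why a per-client rate limit alone misses a flood spread across many volunteer endpoints, and how counting distinct clients per endpoint against a baseline catches it. The log format, thresholds, baseline figures and sample traffic are all constructed assumptions.

```python
from collections import defaultdict

WINDOW = 60        # seconds per bucket
PER_IP_LIMIT = 60  # assumed per-client rate limit (requests per window)
MIN_CLIENTS = 50   # assumed fan-in threshold: distinct clients on one path
SURGE_FACTOR = 5   # assumed multiple of the path's baseline request count

def parse(line):
    """Parse a constructed 'epoch ip method path status' line, dropping the query string."""
    ts, ip, _method, path, _status = line.split()
    return int(ts) // WINDOW, ip, path.split("?", 1)[0]

def analyse(lines, baseline):
    """Return (clients over the per-IP limit, paths with a distributed surge)."""
    per_ip = defaultdict(int)                         # (window, ip) -> requests
    per_path = defaultdict(lambda: defaultdict(int))  # (window, path) -> ip -> requests
    for line in lines:
        window, ip, path = parse(line)
        per_ip[(window, ip)] += 1
        per_path[(window, path)][ip] += 1
    per_ip_alerts = sorted(key for key, n in per_ip.items() if n > PER_IP_LIMIT)
    fan_in_alerts = []
    for (window, path), clients in sorted(per_path.items()):
        total = sum(clients.values())
        if len(clients) >= MIN_CLIENTS and total > SURGE_FACTOR * baseline.get(path, 1):
            fan_in_alerts.append({"window": window, "path": path, "clients": len(clients),
                                  "requests": total, "max_per_client": max(clients.values())})
    return per_ip_alerts, fan_in_alerts

def sample_log(t0=1_700_000_040):
    """Constructed traffic inside one window: browsing, one noisy client, one spread-out flood."""
    lines = []
    for c in range(20):    # 20 ordinary clients, 3 requests each
        lines += [f"{t0 + 7 * r} 203.0.113.{c} GET /index 200" for r in range(3)]
    for r in range(90):    # one client above the per-IP limit
        lines.append(f"{t0 + r % 60} 203.0.113.200 GET /search?q={r} 200")
    for c in range(200):   # 200 clients, 10 requests each: all under the limit
        lines += [f"{t0 + 6 * r} 198.51.100.{c} POST /login?r={c}-{r} 503" for r in range(10)]
    return lines

BASELINE = {"/index": 100, "/search": 100, "/login": 100}  # assumed normal requests per window

if __name__ == "__main__":
    noisy, surges = analyse(sample_log(), BASELINE)
    print("per-IP limit exceeded:", noisy)
    print("distributed surge:", surges)
```

In the constructed sample the per-IP check flags only the single noisy client, while the fan-in check flags /login, where no individual client comes near the limit.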
MITRE ATT&CK® Mapping of NoName057(16)
| ATT&CK Tactic | Technique ID | Technique Name | How It Is Used |
|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | Identifies exposed web services and application endpoints prior to DDoS campaigns. |
| Resource Development | T1584 | Compromise Infrastructure | Uses volunteer endpoints and transient VPS infrastructure to generate attack traffic. |
| Command and Control | T1071.001 | Application Layer Protocol: Web | Coordinates attacks over HTTP/HTTPS using centralized tasking servers and Telegram-distributed targets. |
| Impact | T1499.004 | Endpoint Denial of Service: Application Exhaustion Flood | Sustained HTTP/S floods and TLS exhaustion attacks against government and financial portals. |
| Impact | T1499.003 | Endpoint Denial of Service: Network Flood | Volumetric traffic floods during high-visibility political events. |
| Influence | T1646 | Influence Campaigns | Publicly claims attacks, pre-announces targets, and amplifies geopolitical narratives via Telegram. |
