NoName057(16): Russia’s Digital Spoiler Force in Ukraine and Beyond
- Matthew Parish
- Jul 16

In the shadowy world of Russian cyber warfare, one name has emerged with increasing frequency since the full-scale invasion of Ukraine in February 2022: NoName057(16). Though not as storied or technically sophisticated as some of Russia’s better-known cyber groups—such as Fancy Bear (APT28) or Cozy Bear (APT29)—NoName057(16) has made a name for itself through relentless, noisy, and politically targeted denial-of-service attacks. Its operations illustrate the evolution of hybrid warfare in the digital age: disruptive, deniable, and performed as much for spectacle as for strategic effect.
Here we trace the history of NoName057(16), explore its likely affiliations and objectives, examine the types of attacks it has launched—especially in Ukraine and NATO states—and evaluate the threat it poses in the context of wider Russian information and cyber operations.
Origins and Identity
NoName057(16) first appeared in March 2022, just weeks after Russia’s full-scale invasion of Ukraine. Its naming convention—cryptic, self-conscious, and reminiscent of earlier hacktivist subcultures—suggests a hybrid identity: part patriotic volunteer brigade, part information warfare proxy. Its Telegram channels, where it posts regular updates about its attacks, give the impression of a loosely organised group of ideologically motivated individuals aligned with Russian state interests.
Despite this veneer of independence, there is growing consensus among cybersecurity experts that NoName057(16) functions as a state-aligned actor, if not under the direct control of Russian intelligence. Its operations consistently mirror Russian foreign policy priorities, targeting countries that support Ukraine militarily or diplomatically. Its infrastructure, meanwhile, overlaps with known Russian cyber capabilities, and its activities are never directed against Russian entities.
Most observers assess that it operates in close cooperation with the Federal Security Service (FSB) or the Main Directorate of the General Staff (GRU)—Russia’s principal security and military intelligence services. However, it may also receive tacit encouragement from the Russian Ministry of Digital Development, which has increasingly fostered cyber “patriotic” initiatives since 2022.
Methods and Tactics
Unlike more sophisticated advanced persistent threat (APT) groups that specialise in espionage or long-term infiltration, NoName057(16) focuses primarily on distributed denial-of-service (DDoS) attacks. These involve overwhelming websites or online services with malicious traffic, causing them to crash or become inaccessible. The group’s principal targets are government portals, news outlets, transportation systems, and banking platforms.
Key aspects of its methodology include:
- DDoS Attacks: Using rented botnets or self-developed platforms, NoName057(16) floods websites with traffic. Its preferred tool is “DDOSIA,” a publicly distributed toolkit that allows volunteers to participate in attacks. This creates a decentralised, semi-crowdsourced operation that increases plausible deniability.
- Telegram Propaganda: After launching attacks, the group posts screenshots and mockery-laden messages on its Telegram channels, often with nationalist rhetoric, anti-NATO language and memes. The tone is crude and theatrical—more akin to an internet troll than a disciplined espionage unit, but still capable of causing disruption.
- Target Selection: The group’s attacks coincide closely with events or decisions that are politically inconvenient for Moscow. For example, it has targeted government and media websites in Poland, the Czech Republic, Slovakia, Finland, Lithuania and Ukraine, often shortly after those countries announced new weapons deliveries to Kyiv or passed sanctions legislation against Russia.
- Harassment Operations: In some cases, the group has attempted rudimentary phishing or disinformation campaigns, although this is not its principal activity. Unlike more professional state units, it does not generally attempt data exfiltration or stealthy long-term intrusions.
High-Profile Campaigns
Among NoName057(16)’s most notable operations:
- Attacks on Ukrainian Media (2022–2024): The group frequently targeted online platforms of Ukrainian newspapers, broadcasters, and even emergency services during periods of intense fighting. While rarely causing long-term damage, these attacks were designed to create confusion, slow the dissemination of information, and degrade trust in online infrastructure.
- Targeting NATO States (2023–2025): The group launched coordinated DDoS waves against the official websites of parliaments, ministries and airports in countries such as Denmark, Latvia, Estonia, and Germany. During NATO summits, especially in Vilnius (2023) and Washington (2024), the group intensified its activity to coincide with alliance deliberations.
- Anti-European Parliament Attacks (2023): Following a European Parliament resolution declaring Russia a state sponsor of terrorism, NoName057(16) attacked the Parliament’s website and those of several EU member states, claiming retaliation.
- Interference with Banking and Transport Systems: In late 2024, the group temporarily disrupted regional railway ticketing systems in Czechia and Slovakia. It also targeted online banking portals in Poland and Finland, seeking to sow panic or undermine consumer confidence.
Damage and Strategic Impact
The technical damage caused by NoName057(16) has been modest by traditional cyberwarfare standards. DDoS attacks are rarely long-lasting and can usually be mitigated with standard cybersecurity protocols. The group does not appear to have the capacity to breach highly secure systems or cause physical damage to critical infrastructure—unlike Russia’s most dangerous cyber units, such as Sandworm (part of Fancy Bear).
However, the psychological and political effects of NoName057(16)’s operations are significant. Its repeated targeting of Western institutions is part of a broader Russian campaign of hybrid war: aiming to confuse, intimidate, and exhaust democratic societies. By harassing news media and public-facing government websites, the group attempts to erode public trust and create an atmosphere of instability.
Moreover, the group’s visibility—its Telegram fanfare, its nationalist imagery, and its meme-heavy language—suggests that its mission is as much information warfare as cyberwarfare. It serves a dual purpose: externally, it frustrates Russia’s adversaries; internally, it projects the illusion of patriotic digital activism, feeding a narrative of Russian resistance to Western “aggression.”
State Actor or Proxy?
The central question surrounding NoName057(16) is whether it is truly an independent “hacktivist” organisation or a proxy for Russian state cyber agencies. On balance, the latter seems more likely. Its targeting precision, alignment with state interests and operational tempo suggest coordination with intelligence agencies.
However, the group also performs a useful plausible deniability function for the Kremlin. By operating through Telegram and outsourcing tasks to volunteers, NoName057(16) allows Russia to claim that such attacks are spontaneous responses by private citizens, not state policy.
This ambiguity mirrors Russia’s wider doctrine of “non-linear warfare”, in which privateers, mercenaries and unofficial actors advance state goals under the cloak of deniability—an approach mirrored in the use of Wagner mercenaries and propagandist media figures.
Defensive Measures
Western states increasingly recognise NoName057(16) as part of the wider Russian cyber apparatus. NATO’s Cooperative Cyber Defence Centre of Excellence has included the group in multiple threat assessments, and private cybersecurity firms (such as Sekoia, Mandiant and Recorded Future) regularly track its campaigns.
Effective defences include:
- Robust DDoS mitigation tools, particularly for public sector websites.
- Information campaigns to educate citizens about disinformation and infrastructure reliability.
- Proactive monitoring of Telegram and other social media platforms where operations are announced.
- Legal and diplomatic pressure on services hosting botnets or attack infrastructure.
Although not a top-tier threat, NoName057(16) represents a persistent nuisance with the potential to escalate. If given access to more sophisticated tools or absorbed into larger APTs, its capacity could increase.
A Digital Front of Disruption
NoName057(16) is a new type of threat: not a covert cyber espionage team, but a brash, ideologically driven digital militia operating under the protective umbrella of the Russian state. Its damage is rarely technical in depth but symbolically potent. In the new geopolitics of hybrid warfare, such groups are not sideshows—they are part of the main act.
For Ukraine and her allies, confronting this threat requires not only technical resilience but narrative control. As Russia continues to blur the line between state and private aggression, visibility and vigilance remain key weapons. In the fog of cyberwar, knowing the face behind the pseudonym may make all the difference.




