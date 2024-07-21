Spanish authorities have detained three people accused of carrying out cyberattacks as part of a known pro-Russian hacker group that targets Ukraine and NATO countries that support Ukraine.

Details: The Spanish Civil Guard, one of Spain's two national law enforcement agencies, announced on 20 July that it had detained three people in Manacor, the Balearic Islands and the province of Andalusia for conducting Distributed Denial-of-Service (DDoS) attacks targeting government agencies and strategic sectors of countries that support Ukraine. The attacks took place after the start of the Russian full-scale invasion.

The Spanish Civil Guard reported that the hackers were affiliated with the Russian "hacktivist" group "NoName057(16)" and that it is continuing to investigate various leads to identify those responsible for the cyberattacks.

"NoName057(16)" is a pro-Russian cyber collective that surfaced in March 2022. Initially focusing on Ukrainian government and media sites, the group later broadened its operations to include attacks on Western government, economic, and logistical infrastructures, extending its reach to NATO member states.

"NoName057(16)" operates with the help of volunteers to execute its cyberattacks and has previously released its own crowdsourced botnet, DDoSia. This botnet comes with detailed instructions in both Russian and English on how to employ it for DDoS attacks.

"NoName057(16)" has repeatedly stressed its willingness to cooperate with other cyber actors with whom it shares "similar values" and has previously collaborated with other well-known Russian cyber actors such as Killnet, XakNet Team and CyberArmyofRussia_Reborn.

"Mandiant Intelligence assessed with moderate confidence in an article published in September 2022 and updated in April 2024 that XakNet Team and CyberArmyofRussia_Reborn are coordinating operations with the Russian Main Intelligence Directorate (GRU)-sponsored 'Sandworm,' or Advanced Persistent Threat (APT) 44, and that Killnet also likely has 'limited' links to the Russian GRU."

