UK councils bat away DDoS barrage from pro-Russia keyboard warriors
Local authority websites downed in response to renewed support for Ukraine
Multiple UK councils had their websites either knocked offline or rendered inaccessible to residents this week after pro-Russia cyber nuisances added them to a daily target list.
The targeting began on Tuesday and among the many authorities on the list, the websites of Bradford, Eastleigh, Keighley, Salford, Tameside, and Trafford were rendered inaccessible. Eastleigh and Trafford's sites remained down on Wednesday, as did Salford's until the afternoon, when it returned with warnings of lingering technical difficulties.
An updated list was distributed on Thursday containing various other local authorities and other organizations like small banks. Of these, the council websites of Middlesbrough, Medway, and Hastings were unavailable for some time, while others such as Plymouth and BCP (Bournemouth, Christchurch, and Poole) displayed banners indicating issues across the site.
Premier League football club Tottenham Hotspur was also among the many other organizations to be targeted and its website was inaccessible on Thursday, returning an Error 500.
The NoName057(16) group is known for being a band of DDoSers acting on instructions set by the group's leadership. These instructions typically include target domains and IP addresses on which NoName members carry out coordinated DDoS attacks.
According to the message sent to group members, the councils were targeted because of the UK's renewed support for Ukraine's fight against Russia's invasion, citing news stories over a month old.
The Register contacted every local authority on NoName's lists that experienced an outage or issue of some kind, and only two – Hastings and BCP – explicitly confirmed that the issues were caused by a DDoS attack.
Cllr Glenn Haffenden, deputy leader of Hastings Borough Council, said: "Hastings Borough Council was one of a number of councils impacted by a DDoS attack this week. Due to this, our website became unavailable for use on Wednesday 30 October. The National Cyber Security Centre (NCSC) has alerted us to this being a potential pro-Russia attack, however this has not been confirmed."
Likewise, the NCSC confirmed it was supporting affected councils. A spokesperson said: "The NCSC has provided guidance to affected councils. Whilst DDoS attacks are relatively low in sophistication and impact, they can cause disruption by preventing legitimate users from accessing online services.
"Organizations are encouraged to familiarize themselves with our actionable Denial of Service guidance to support the prevention and mitigation of such attacks."
The most revealing update came from Middlesbrough council's social media team who attributed the website's total outage to "suspected online hackers."
"While the website has been temporarily taken offline, no data or services have been put at risk," it said on Thursday.
"Work is currently under way to ensure that the council and its data remains protected against future attacks, and it is hoped to have our website up and running shortly."
Salford council's issues appear to be lingering longer than most, despite its website coming back online in a relatively quick time.
"We're still experiencing issues with the web pages and maps," its social media manager announced on Thursday, after previously attributing the issues to "pesky gremlins in the system."
None of the councils that responded to us denied a link between the DDoS attacks and their website outages, although an absence of denial is not an admission.
The authorities stricken with website issues unsurprisingly didn't go into any technical detail about the issues, let alone disclose whether they were due to a DDoS attack.
Watching on, however, was security expert Kevin Beaumont who claimed Eastleigh's site remained down due to Azure App Service - which doesn't have native DDoS protection - falling over. He also said Trafford's on-site webserver couldn't handle the load, causing the site to go offline.
NoName's game
The group of so-called hacktivists was one of many – on both sides of the conflict – that emerged shortly after Russia's invasion of Ukraine.
NoName operates via Telegram channels through which updates on its activities are shared and instructions to members are communicated. Lists of targets are shared most days and always comprise targets the group believes to be anti-Russian.
As with the UK councils this week, NoName's leadership will usually justify the target list by linking to a news story, such as one describing X country's support for Ukraine or Y country arresting some of its members.
Spanish authorities, for example, arrested three alleged members of NoName in July, a month after the group claimed responsibility for an attack on a Spanish defense company. Following the arrests, the group assembled to successfully hobble the websites of major seaports around the country in retaliation.
Sometimes they just time attacks for maximum visibility, such as during major election periods.
The effectiveness of NoName's efforts, however, is questionable. The FBI cast major doubts over the long-term technical and operational impact of DDoS barrages, saying these left more of a psychological impact than a political or technical one.
"These attacks are generally opportunistic in nature and, with DDoS mitigation steps, have minimal operational impact on victims; however, hacktivists will often publicize and exaggerate the severity of the attacks on social media," it said in 2022. "As a result, the psychological impact of DDoS attacks is often greater than the disruption of service."
At the time, the feds were mainly talking about Killnet, a similar pro-Russia band of nuisances that has since faded into nothingness.
NoName currently has more than 77,000 followers on its main Telegram channel and more than 10,000 on its separate channel for the DDoSia Project – its automated DDoS tool that's designed to allow anyone to carry out attacks on its behalf, whether they have technical expertise or not. ®