Pro-Russian hackers launched a massive DDoS attack against Norway

Norway’s National Security Authority (NSM) confirmed that a DDoS attack took down some of the country’s most important websites.

Norway’s National Security Authority (NSM) confirmed that some of the country’s most important websites and online services were taken down by a massive DDoS attack conducted by a pro-Russian group.

NSM did not explicitly attribute the attacks to a threat actor, but the Pro-Russian Legion/Cyber Spetsnaz group published on its Telegram channel a list of Norwegian organizations to target.

Similar attacks recently targeted the Lithuanian government, Italian organizations and government websites, and Romania for providing support to Ukraine.

Now Norwegian authorities confirmed that the attacks have hit large companies that offer essential services to the population.

“The attacks are aimed at a number of large Norwegian companies that offer important services to the population” explained NSM director Sofie Nystrøm. “In light of the ongoing security policy situation, NSM went out in May and asked Norwegian companies to make sure that they were able to handle denial of service attacks. “We have seen similar attacks in other countries recently, but none of these have reported lasting consequences. The attacks will still be able to create uncertainty in the population, and give the impression that we are a piece in the current political situation in Europe.”

Norway’s National Security Authority also issued instructions to local organizations for the mitigation of DDoS attacks.

Starting May 24, the group calling themselves “Cyber Spetsnaz” announced the launch of a new campaign “Panopticon” which aimed to recruit 3,000 volunteer cyber offensive specialists willing to participate in attacks against the European Union and the Ukrainian government institutions including Ukrainian companies.

Around April time, “Cyber Spetsnaz” built one of its first divisions called “Zarya”, they looked for experienced penetration testers, OSINT specialists, and hackers.

Around this time the group performed one of their first coordinated attacks against NATO. Prior to that, “Cyber Spetsnaz” members have been distributing domains assigned to the NATO infrastructure, by doing so they could plan an effective attack. The actor shared a list of NATO resources and a comprehensive Excel file.

On June 2nd, the group created a new division called “Sparta”. The responsibility of the new division includes “cyber sabotage”, disruption of Internet resources, data theft and financial intelligence focused on NATO, their members and allies. Notably, “Sparta” outlines this activity as a key priority today and confirms the newly created division is an official part of “Killnet Collective” group.

Based on the description, the actors call themselves “hacktivists”, however, it’s not yet clear if the group has any connection to state actors. Sources interviewed by Security Affairs interpreted this activity with high levels of confidence to be state-supported. Interestingly, the name “Sparta” (in context of the current Ukrainian war) is related to the name of a unit from the Donetsk People’s Republic (DNR).

Besides proprietary tools, they’re leveraging MHDDoS, Blood, Karma DDoS, Hasoki, DDoS Ripper and GoldenEye scripts to generate malicious traffic on Layer 7 which may impact the availability of WEB resources.

The group performed cyber-attacks against 5 logistic terminals in Italy (Sech, Trieste, TDT, Yilprort, VTP) and several major financial institutions too. “Phoenix” coordinated its activities with another division called “Rayd” who previously attacked government resources in Poland including the Ministry of Foreign Affairs, Senate, Border Control and the Police. Other divisions involved in the DDoS attacks included “Vera”, “FasoninnGung”, “Mirai”, “Jacky”, “DDOS Gung” and “Sakurajima” who previously attacked multiple WEB-resources in Germany. 

According to Resecurity firm, such hacktivist campaigns typically have the goal to orchestrate certain information operations rather than a real cyber-attack that disrupts networks or the availability of critical resources. Cybersecurity specialists should be especially careful with attribution, as in some cases such activity leads to provocations and purposely generated operations.

Based on the observed victims and close collaboration with several impacted organizations, the attacks primarily focused on the exploitation of poorly configured WEB servers and short-term disruptions. Proper hardening and implementation of WAF, along with DDoS protection may preemptively resolve the issue, as the total network attack pool of unique sources may be exhausted relatively quickly. The logged sources of attacks showed how the attackers are actively using spoofed IP addresses and the deployment of tools on compromised IoT devices and hacked WEB resources.

Secondly, Norway donated long-range rocket artillery (MLRS) systems and 5,000 rounds of shells to Ukraine to help the country thwart the ongoing Russian invasion.

Experts believe the Pro-Russian group will continue to conduct attacks against Norway and other countries supporting Ukraine.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

[adrotate banner=”5″]

[adrotate banner=”13″]