Cyber Threat Actor: HANO
| Actor Type | Location | Known Incidents |
Activist
|
Hungary
|
1 incident |
|---|
Profile
HANO is a threat actor known by that alias and has been linked to operations originating from Hungary. The actor’s activities have focused on independent media organizations, both within Hungary and internationally, with the stated aim of retaliating against press‑freedom advocacy. Public reporting describes the actor’s actions as a response to criticism of media restrictions in Hungary, indicating a strategic objective of disruption intended to silence critical voices. No public sources attribute HANO to a state sponsor or a criminal consortium, and the actor’s affiliation remains unspecified beyond the use of the alias.
Observed tactics involve sustained distributed denial‑of‑service campaigns that employ HTTP flood techniques to overwhelm target web servers. The actor leverages ordinary web‑hosting infrastructure—including services from Amazon AWS, Microsoft Azure and Google Cloud—to generate attack traffic, suggesting the use of botnets composed of compromised hosting resources rather than custom malware. Persistence is evident as the actor adjusted attack volume in response to defensive measures, eventually shifting from volumetric DDoS to attempts at unauthorized access after initial mitigation. A distinctive element of the operations is the留下 of taunting messages in English and Hungarian, such as “see you next time Hano hates u,” which have appeared in logs and on compromised sites.
The most publicly documented operation occurred on September 1 2023 when HANO launched a large‑scale DDoS assault against the International Press Institute, taking its website offline for several days before the organization scaled up defenses. This incident is presented as part of a broader wave of attacks that have affected dozens of Hungarian independent media outlets over the preceding five months, with the actor demonstrating knowledge of the local media landscape and individual journalists. While the actor’s resource level is described as relatively well‑resourced due to the scale and duration of the campaigns, no further details about malware families, initial‑access vectors beyond DDoS, or financial motives are available in the source material. The profile therefore remains confined to the confirmed facts of alias, geographic association, targeting of media entities, disruption‑oriented objective, observed DDoS TTPs, and the representative campaigns outlined above.
