Menu
Browse

Cyber Threat Actor: DEV-0586

Actor Type Location Known Incidents
 Icon
Activist
0 incidents
Profile

DEV‑0586, also referenced in open‑source reporting as the pro‑Russian hacktivist group NoName057(16), is a threat actor that has been active since the start of Russia’s invasion of Ukraine in 2022. The actor describes itself as supportive of the Russian Federation and has claimed responsibility for a series of distributed denial‑of‑service (DDoS) campaigns targeting entities in countries that have provided military, financial or humanitarian aid to Ukraine. Public attributions from Ukrainian officials and cyber‑defense sources have noted that the activity bears the hallmarks of a state‑backed effort, describing it as “definitely a state actor” and citing observed Russian‑controlled traffic patterns, although no definitive state sponsor has been publicly confirmed by the sources provided.

The group’s observed tactics, techniques and procedures are centered on volumetric and application‑layer DDoS methods. Reporting repeatedly mentions the use of botnets to generate high volumes of traffic, as well as specific techniques such as SYN floods, amplification attacks and Slow HTTP (Slowloris) attempts designed to exhaust server connection resources. The actor has advertised cryptocurrency payouts to volunteers who join its DDoS efforts and uses a Telegram channel to claim responsibility, share targeting lists and coordinate actions. No custom malware families or persistence mechanisms are described in the supplied material; the primary effect sought is disruption of online availability rather than data theft or espionage.

Geographically, DEV‑0586 has focused on Ukrainian critical infrastructure, including the country’s largest mobile operator Kyivstar, numerous Ukrainian banks and government‑related websites. Beyond Ukraine, the actor has struck NATO‑aligned organizations such as Eurocontrol, the Swiss Federal Administration, the Dutch National Cyber Security Centre‑monitored hospitals, the French Senate and National Assembly, the Canadian federal government sites and various transportation authorities in Italy and Switzerland. Additional campaigns have hit German airports and administrative bodies, U.S. airports, the Czech presidential election sites, the Swedish Financial Supervisory Authority and a range of European ports. The stated motivation in the group’s communications is retaliation for political support of Ukraine, with messages framing the attacks as a form of hacktivist protest rather than financially motivated crime. These activities have resulted in temporary service outages, disrupted public information services such as air‑raid alerts and online banking portals, and have prompted mitigations like geolocation blocking and the deployment of web‑application firewalls by the victims.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
61 sources