International operation dismantles cyber-sabotage network in Russia that launched attacks on Spain

Joint international Operation Eastwood, coordinated by Europol and Eurojust, has dismantled 'NoName057(16)' - the most active Russian hacker platform sponsored by the Kremlin's secret services and responsible for countless cyber-attacks on European institutions, including many Spanish entities.

According to Europol, this macro-operation has resulted in the arrest of two of the ringleaders. One of the arrests was made in Spain and the other in France. The European institution has not provided further information on the identity of the detainees or the place of their capture.

Operation Eastwood was launched on 14 July with the participation of law enforcement agencies from 19 countries: the Czech Republic, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the US "took simultaneous action. The investigation was also "supported" by Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine, as well as private companies ShadowServer and Abuse.ch.

In addition to the two arrests, the police questioned 13 people, five of them in Spain and the rest in Germany (2), France (1), Italy (4) and Poland (1). The operation also included 24 searches, half of them in Spain and the rest in the Czech Republic (2), France (1), Germany (3), Italy (5) and Poland (1).

National authorities have issued seven arrest warrants for "six Russian citizens for their involvement in the criminal activities" of 'NoName057(16)'. Five of these criminals have ended up on the EU's most wanted lists in the last few hours.

According to Europol, the operation cleared up around a hundred "server" attacks on institutions around the world and took down "a large part of the main infrastructure of NoName057". Around a thousand "supporters" and collaborators have been identified, among them 15 administrators, who were not arrested. However, they received notifications informing them of the criminal liability of their actions. In most cases, these individuals are "Russian-speaking sympathisers" led by ideology. They operate as lone wolves and "without formal leadership or sophisticated technical skills".

'NoName057' was born in March 2022, shortly after the start of the invasion of Ukraine. Its first actions were cyber-attacks on Ukrainian, US and European websites, targeting government agencies, media outlets and private companies.

In Spain, they went full force in the summer of 2023, when they attacked a hundred or so websites of institutions, public companies and businesses as punishment for the "support of the Zelensky regime by the Russophobic authorities in Spain with their taxpayers' money". On 23 July of that year - election day - the Kremlin-sponsored hackers claimed to have taken down the website of the Ministry of the Interior, which was indeed intermittently down between 4 and 7pm, although the special website launched by the department headed by Fernando Grande Marlaska was always accessible.

On 12 May this year, the Ministry of the Interior launched a tender for a contract to obtain two licences to access the world's largest database of cyber-threats and hackers for two years. The aim is to shield the ministry against the continuous attacks by 'NoName057' hackers.