UK NCSC Warning on Pro-Russian Hacktivist DDoS Threat to Local Government and Critical Infrastructure
The UK’s National Cyber Security Centre (NCSC) issued a renewed warning that Russian-aligned hacktivist groups continue to target UK local authorities and critical national infrastructure (CNI) with disruptive denial-of-service (DoS/DDoS) activity intended to take public-facing websites and online services offline. The alert emphasizes that while these attacks are often technically simple, they can still create significant operational disruption and recovery costs, and the NCSC urged organizations—especially those providing essential services—to review and implement its publicly available DoS resilience guidance.
The NCSC highlighted the ongoing activity of NoName057(16), an ideologically motivated pro-Russian actor associated with the DDoSia crowdsourced DDoS platform, noting that prior international law-enforcement disruption (including server takedowns and arrests under Operation Eastwood) did not eliminate the threat and the group has resumed operations. The warning also aligns with broader international advisories that have named additional pro-Russian hacktivist groups (including Cyber Army of Russia Reborn (CARR), Z-Pentest, and Sector16) as part of the wider DoS threat to Western organizations and critical services.
Related Entities
Malware
Organizations
Sources
4 more from sources like security online info, securityaffairs, bleeping computer and register security
Related Stories
Pro-Russia Hacktivist Attacks on Critical Infrastructure via Exposed VNC and OT Systems
Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16, have escalated their operations from DDoS attacks to targeting operational technology (OT) systems in critical infrastructure sectors such as water, food, agriculture, and energy. These groups exploit exposed Virtual Network Computing (VNC) connections with weak security, using tools like Nmap and brute-force attacks to gain access to human-machine interfaces (HMIs). Once inside, they manipulate system parameters, disable alarms, and cause operational disruptions, often publicizing their actions for propaganda purposes. The U.S. and international cybersecurity agencies have issued joint advisories detailing these tactics, highlighting the opportunistic nature of these attacks and the use of MITRE ATT&CK techniques ranging from reconnaissance to impact, including "loss of view" scenarios that force manual intervention. Recent U.S. government indictments and sanctions confirm that CARR was founded and directed by Russian military intelligence (GRU) as a means to conduct unattributable disruptive operations. Notable incidents attributed to these groups include attacks on public drinking water systems, resulting in water spills, and a Los Angeles meat processing facility, which suffered spoiled products and an ammonia leak. While the technical sophistication of these actors is limited, their ability to cause downtime, remediation costs, and occasional physical damage underscores the persistent risk posed by exposed OT systems and weak remote access protections in critical infrastructure environments.
2 months agoNoName057(16) DDoSia Campaigns Targeting Belgium and NATO Entities
Pro-Russian hacktivist group NoName057(16) conducted a large-scale distributed denial-of-service (DDoS) campaign between December 8 and 14, 2025, primarily targeting organizations in Belgium and Ukraine. The campaign, orchestrated using the group's proprietary DDoSia tool, resulted in over 4,400 recorded attacks against 155 unique domains and 144 IP addresses, affecting both private sector infrastructure—such as telecommunications, utilities, and industrial organizations—and high-value government and defense-related services. The attacks also impacted European Union institutions and international organizations, highlighting the group's broad targeting scope and operational reach. NoName057(16) is a pro-Russian hacktivist collective with origins linked to the Kremlin-backed Centre for the Study and Network Monitoring of the Youth Environment (CISM). The group leverages Telegram for coordination and GitHub for tool distribution, and has expanded its influence through collaborations with other pro-Russian groups, including the Cyber Army of Russia Reborn (CARR). Their operations have increasingly focused on NATO member states and adversaries of Russian geopolitical interests, with the DDoSia tool serving as a central component in mobilizing and executing attacks against critical infrastructure and government entities across Europe.
3 months ago
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
1 months ago