Mallory

Coordinated DDoS activity targeting government infrastructure in Europe and Russia

Tags: ddos, ddosia, russia, russian defense ministry, europe, defense-industry, ukraine, roskomnadzor, government, https, public-sector, denmark
Updated March 4, 2026 at 01:03 PM · 2 sources

A sustained DDoS campaign attributed to NoName057(16) used the DDoSia tool to generate 6,649 recorded attack entries between Feb. 23 and Mar. 1, targeting 126 domains and 135 IPs with a multi-country focus on Denmark, Greenland, and Ukraine. Reported targeting emphasized public-sector services (about 44% of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at 443/tcp (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland.

Separately, Russia’s internet regulator Roskomnadzor and the Russian Defense Ministry reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the Main Radio Frequency Center (GRFC). Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.

Related Stories

Coordinated Pro-Russian DDoS and Cyberattacks Targeting Denmark

The Danish Defence Intelligence Service (DDIS) publicly attributed two major cyber incidents to Russian-linked actors: a cyberattack on a Danish water utility in 2024 by the group Z-Pentest, and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of the municipal and regional council elections, attributed to NoName057(16). These attacks targeted critical infrastructure and government services, raising concerns about the security of essential services and the integrity of democratic processes in Denmark. The DDIS highlighted the connection between these threat actors and the Russian state, underscoring the geopolitical motivations behind the campaigns. In December 2025, threat intelligence analysis revealed a significant escalation in DDoS activity against Denmark, with NoName057(16) and their DDoSia project orchestrating 4,559 attacks against 148 unique domains and 137 IP addresses, primarily focusing on government, energy, telecommunications, and transportation sectors. The campaign also extended to Ukraine and other countries, but Denmark was a primary target, with municipal and local government websites bearing the brunt of the attacks. The use of port 443 (HTTPS) as the most targeted vector indicates a focus on disrupting secure web services critical to public administration and infrastructure.

2 months ago
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest

SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.

1 month ago
DDoS and Phishing Activity Targeting Germany, Israel, and Canadian Residents

Reporting described multiple, unrelated threat activities rather than a single cohesive incident. SOCRadar assessed a sustained DDoS campaign by **NoName057(16)** using the **DDoSia** toolset during March 2–8, 2026, logging **7,512** attack entries against **169 domains** and **153 IPs**, with **Germany** as the primary target (65.6% of entries) and **Israel** as a major secondary target (19.7%). The most notable pattern was heavy, systematic disruption of Germany’s public procurement ecosystem, including at least **17 procurement portals** (974 entries), alongside Israeli targeting across defense industry, finance, telecom, and municipal services. Separately, Flare reported an active **phishing campaign** using fraudulent domains impersonating Canadian institutions (including the Government of British Columbia and *Hydro-Québec*) to harvest personal and payment data; the infrastructure was linked to **RouterHosting LLC / Cloudzy**, a provider previously accused (in 2023) of supporting services used by multiple state-sponsored groups, including Iran-aligned actors. Two other items were not incident-specific: Hackmageddon published aggregated February 2026 attack statistics, and DataBreaches.Net summarized research on offender age distribution in cybercrime; both are higher-level analysis and do not materially add to the DDoS or phishing reporting.

5 days ago
