Coordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to NoName057(16) used the DDoSia tool to generate 6,649 recorded attack entries between Feb. 23 and Mar. 1, targeting 126 domains and 135 IPs with a multi-country focus on Denmark, Greenland, and Ukraine. Reported targeting emphasized public-sector services (about 44% of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at 443/tcp (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland.
Separately, Russia’s internet regulator Roskomnadzor and the Russian Defense Ministry reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the Main Radio Frequency Center (GRFC). Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Roskomnadzor says it contained the DDoS attack
Roskomnadzor stated it contained the attack on Friday after the disruption briefly affected access to multiple Russian government websites. Despite that claim, user reports cited by DownDetector indicated some access problems continued through the weekend and into Monday.
Russian government websites hit by multi-vector DDoS attack
In late February 2026, servers supporting Roskomnadzor, the Russian Defense Ministry, and the Main Radio Frequency Center were hit by a large multi-vector DDoS attack. Roskomnadzor said the traffic originated mainly from servers and botnets in Russia, with additional sources in the United States, China, the United Kingdom, and the Netherlands.
DDoS campaign targets Denmark, Greenland, Ukraine, and other domains
Between 2026-02-23 and 2026-03-01, SOCRadar observed a sustained DDoS campaign attributed to the pro-Russian hacktivist group NoName057(16) using the DDoSia framework. The activity generated 6,649 attack entries against 126 domains and 135 IPs, with government services most heavily targeted and Greenland highlighted as a new strategic focus.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Denmark, Greenland, and Ukraine Under DDoS Assault: Weekly DDoS Threat Intelligence Analysis
socradar.io
Open sourceCyberattack briefly disrupts Russian internet regulator and defense ministry websites | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Coordinated Pro-Russian DDoS and Cyberattacks Targeting Denmark
The Danish Defence Intelligence Service (DDIS) publicly attributed two major cyber incidents to Russian-linked actors: a cyberattack on a Danish water utility in 2024 by the group Z-Pentest, and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of the municipal and regional council elections, attributed to NoName057(16). These attacks targeted critical infrastructure and government services, raising concerns about the security of essential services and the integrity of democratic processes in Denmark. The DDIS highlighted the connection between these threat actors and the Russian state, underscoring the geopolitical motivations behind the campaigns. In December 2025, threat intelligence analysis revealed a significant escalation in DDoS activity against Denmark, with NoName057(16) and their DDoSia project orchestrating 4,559 attacks against 148 unique domains and 137 IP addresses, primarily focusing on government, energy, telecommunications, and transportation sectors. The campaign also extended to Ukraine and other countries, but Denmark was a primary target, with municipal and local government websites bearing the brunt of the attacks. The use of port 443 (HTTPS) as the most targeted vector indicates a focus on disrupting secure web services critical to public administration and infrastructure.
Mar 21, 2026
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
Mar 21, 2026
DDoS and Phishing Activity Targeting Germany, Israel, and Canadian Residents
Reporting described multiple, unrelated threat activities rather than a single cohesive incident. SOCRadar assessed a sustained DDoS campaign by **NoName057(16)** using the **DDoSia** toolset during March 2–8, 2026, logging **7,512** attack entries against **169 domains** and **153 IPs**, with **Germany** as the primary target (65.6% of entries) and **Israel** as a major secondary target (19.7%). The most notable pattern was heavy, systematic disruption of Germany’s public procurement ecosystem, including at least **17 procurement portals** (974 entries), alongside Israeli targeting across defense industry, finance, telecom, and municipal services. Separately, Flare reported an active **phishing campaign** using fraudulent domains impersonating Canadian institutions (including the Government of British Columbia and *Hydro-Québec*) to harvest personal and payment data; the infrastructure was linked to **RouterHosting LLC / Cloudzy**, a provider previously accused (in 2023) of supporting services used by multiple state-sponsored groups, including Iran-aligned actors. Two other items were not incident-specific: Hackmageddon published aggregated February 2026 attack statistics, and DataBreaches.Net summarized research on offender age distribution in cybercrime; both are higher-level analysis and do not materially add to the DDoS or phishing reporting.
Mar 21, 2026