DDoS and Phishing Activity Targeting Germany, Israel, and Canadian Residents
Reporting described multiple, unrelated threat activities rather than a single cohesive incident. SOCRadar assessed a sustained DDoS campaign by NoName057(16) using the DDoSia toolset during March 2–8, 2026, logging 7,512 attack entries against 169 domains and 153 IPs, with Germany as the primary target (65.6% of entries) and Israel as a major secondary target (19.7%). The most notable pattern was heavy, systematic disruption of Germany’s public procurement ecosystem, including at least 17 procurement portals (974 entries), alongside Israeli targeting across defense industry, finance, telecom, and municipal services.
Separately, Flare reported an active phishing campaign using fraudulent domains impersonating Canadian institutions (including the Government of British Columbia and Hydro-Québec) to harvest personal and payment data; the infrastructure was linked to RouterHosting LLC / Cloudzy, a provider previously accused (in 2023) of supporting services used by multiple state-sponsored groups, including Iran-aligned actors. Two other items were not incident-specific: Hackmageddon published aggregated February 2026 attack statistics, and DataBreaches.Net summarized research on offender age distribution in cybercrime; both are higher-level analysis and do not materially add to the DDoS or phishing reporting.
Sources
Related Stories
Coordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to **NoName057(16)** used the **DDoSia** tool to generate **6,649** recorded attack entries between Feb. 23 and Mar. 1, targeting **126 domains** and **135 IPs** with a multi-country focus on **Denmark, Greenland, and Ukraine**. Reported targeting emphasized public-sector services (about **44%** of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at `443/tcp` (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland. Separately, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the **Main Radio Frequency Center (GRFC)**. Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
1 weeks ago
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
1 months ago
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
5 days ago