Coordinated Hacktivist Threat Activity Targeting Belgium
A coalition of eight hacktivist threat groups with pro-Russian and pro-Palestinian affiliations has announced a campaign targeting Belgium’s internet infrastructure. Although no further statements have been issued since the initial announcement, the campaign is expected to include Distributed Denial-of-Service (DDoS) operations, targeting of operational technology (OT) environments, and potential data exposure claims over the next 24 to 48 hours.

Threat groups’ statement
Who are the groups behind the campaign?
While the specific group names remain undisclosed, six of the groups demonstrate pro-Russian alignment, one is pro-Kurdish, and one is pro-Moroccan in orientation.
The groups maintain relatively small online communities, averaging approximately 500 members. This limited size may be attributed to Telegram’s policy changes, which have resulted in the frequent removal of politically motivated or extremist cyber-collectives.
How active are these groups?
The coalition of eight groups has not issued any operational claims or attack statements related to the announced campaign. Their channels remain inactive, and no verifiable activity targeting Belgium has been observed to date.
In contrast, NoName057(16) continues to operate independently of the coalition, maintaining its DDoS attack claims against Belgian entities.
Although the eight groups have not yet acted, their historical behavior suggests a potential for defacement, data exposure, or OT/SCADA targeting should the campaign escalate. For now, DDoS mitigation remains the primary defensive priority, while continuous monitoring for other potential attack vectors is advised.
What triggered the campaign?
The campaign appears to have been initiated following reactions within several cyber threat group channels to statements made by the Belgian Defense Minister regarding potential NATO responses to Russian aggression. These remarks gained significant attention across pro-Russian hacktivist networks, where they were interpreted as provocative and disrespectful toward Russia.

Screenshot from NoName057(16)’s Telegram channel, where the group cites statements by the Belgian Defense Minister as the primary reason for initiating cyberattacks against Belgium.
In early November, corresponding narratives began to circulate in Telegram channels associated with pro-Russian and allied hacktivist communities. Soon after, NoName057(16) announced the start of a separate campaign against Belgian digital infrastructure. The overall activity indicates that both the eight-group coalition and NoName057(16) are conducting politically motivated retaliation campaigns, operating independently but under the same ideological premise.
What has NoName057(16) claimed?
Since November 2, NoName057(16) has claimed responsibility for multiple DDoS attacks targeting both public and private sector organizations in Belgium. The following entities were specifically mentioned in the group’s public statements, accompanied by “check-host” verification links intended to demonstrate temporary service disruptions:
Initial wave of attacks (November 2):
- Citydev Brussels – development company for the Brussels-Capital Region
- Secure document exchange platform of the Walloon Parliament
- Vivaqua – operator of water treatment and supply systems in Belgium
Subsequent wave of attacks:
- Wallonia – southern region of Belgium
- Municipal elections platform in Brussels
- Burg-Reuland Municipality – German-speaking municipality in Liège Province
- Liège Province – administrative portal
- Flemish Brabant Province – regional portal
Follow-up activity:
- Province of Limburg
- Weismes Municipality
- Walloon Brabant Province
- Luxembourg Province
- Authorization portal of the City of Antwerp
Ongoing campaign (as of November 5):

NoName057(16)’s Telegram post from November 5 describing ongoing DDoS attack claims against several Belgian organizations, including telecom and local government targets.
- C.P. Bourg S.A. – manufacturer of printing and finishing equipment
- Scarlet – Belgian mobile and internet service provider
- Telenet – telecommunications operator and service portal
- Proximus – national telecommunications and digital service provider
- Comines-Warneton Municipality – local administrative website
While NoName057(16) has made public statements suggesting ideological alignment with other pro-Russian actors, the group’s current campaign against Belgium appears to be conducted separately from the eight-group coalition, under its own command structure and narrative control.
Are the attacks still ongoing?
Yes. As of November 5, NoName057(16) continues to issue statements indicating active targeting of Belgian organizations across both governmental and telecommunications sectors.
Which hosts and IPs were most targeted in the campaign?
An analysis of the campaign data shows that the majority of DDoS activity targeted Belgium’s provincial and municipal infrastructure. Attackers appeared focused on regional administration and public service portals rather than national critical systems.
Below is the compiled list of the most frequently targeted hosts and IP addresses associated with the ongoing campaign against Belgium.
Which DDoS techniques were used?
Further telemetry from the campaign provides insight into how Belgian targets were attacked. The data below shows that threat actors primarily relied on SYN-based and HTTP GET flood methods, which are common techniques used in DDoS campaigns aimed at exhausting bandwidth and server response capacity.
DDoS Attack Method Distribution in the Belgium Campaign
Which network ports did hacktivists target?
The port analysis further indicates that Port 443 (HTTPS) and Port 80 (HTTP) were the top targets, confirming the attackers’ intent to disrupt public-facing government and regional service websites.
Targeted Network Ports in the Belgium Campaign
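For the HTTP GET floods against ports 80 and 443 described above, the following is an added detection example, not code from the original report or from SOCRadar. It slides a time window over web access log lines and flags both single loud sources and a burst spread across many sources. The window size, thresholds, and sample log lines are assumptions constructed for illustration. SYN floods never complete the TCP handshake, so they do not appear in HTTP access logs and need network-level telemetry instead.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Combined-log-format prefix: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(line):
    """Return (epoch_seconds, client_ip, method), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    except ValueError:
        return None
    return ts, m.group(1), m.group(3)

def detect_get_flood(lines, window=10, per_ip_limit=20, total_limit=60):
    """Slide a `window`-second window over time-ordered GET requests.
    Returns (sources over per_ip_limit, True if the aggregate count ever
    exceeded total_limit). The aggregate check catches a flood spread over
    many sources that each stay under the per-source limit."""
    recent, per_ip = deque(), Counter()
    noisy, aggregate_alarm = set(), False
    for ts, ip, method in filter(None, map(parse, lines)):
        if method != "GET":
            continue
        recent.append((ts, ip))
        per_ip[ip] += 1
        while recent[0][0] <= ts - window:   # expire entries older than window
            per_ip[recent.popleft()[1]] -= 1
        if per_ip[ip] > per_ip_limit:
            noisy.add(ip)
        aggregate_alarm = aggregate_alarm or len(recent) > total_limit
    return noisy, aggregate_alarm

def constructed_log(sources, per_source, seconds=5):
    """Constructed sample lines from the 198.51.100.0/24 documentation range."""
    total = sources * per_source
    return [f'198.51.100.{i % sources + 1} - - '
            f'[01/Jan/2024:10:00:{i * seconds // total:02d} +0000] '
            f'"GET /?q={i} HTTP/1.1" 200 512' for i in range(total)]

if __name__ == "__main__":
    print(detect_get_flood(constructed_log(1, 30)))    # one loud source
    print(detect_get_flood(constructed_log(100, 1)))   # distributed burst
```

The distributed case is the one per-source rate limiting alone misses: no address crosses its own limit, yet the aggregate request rate does.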
How Can SOCRadar Help Against Hacktivist Threat Actors?
Hacktivist groups like those currently targeting Belgium often rely on open coordination, propaganda, and rapid exploitation of public-facing systems. Their activities blend information operations with opportunistic technical attacks such as DDoS, defacement, and limited data exposure. Combating these threats requires continuous visibility, early detection, and intelligence-led response planning.
SOCRadar provides a unified platform that enhances an organization’s ability to detect, monitor, and mitigate such hacktivist campaigns through the following core capabilities:
- Dark Web Monitoring & Cyber Threat Intelligence: Enables real-time monitoring of threat actor channels, Telegram groups, and dark web sources to identify early indicators of planned operations, target discussions, and shared attack tools. This intelligence helps organizations move from reactive defense to proactive prevention.

SOCRadar Dark Web Monitoring module
- Attack Surface Management (ASM): Continuously discovers and monitors exposed infrastructure, domains, and IP assets. By identifying misconfigurations and unpatched services, ASM helps organizations reduce the attack surface exposed to such DDoS and defacement attempts.
- Brand Protection: Detects phishing pages, impersonation domains, and misuse of corporate or government branding used to amplify disinformation or social engineering during hacktivist operations.
- Supply Chain Intelligence: Assesses risks in third-party ecosystems by mapping vendor exposures that could propagate the effects of hacktivist attacks across interconnected networks.
Through these combined capabilities, SOCRadar supports governments and enterprises in building resilience against hacktivist operations, enabling faster detection, data-driven decision-making, and coordinated incident response before disruptions escalate.

