DDoSia Campaign Targeting Belgium: Weekly DDoS Threat Intelligence Analysis
Analysis Period: December 8–14, 2025
Between 8 and 14 December 2025, SOCRadar identified a coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16). The campaign resulted in 4,435 recorded attack entries, targeting 155 unique domains and 144 unique IP addresses across 15+ countries.
The activity focused primarily on Belgium and Ukraine, with additional spillover targeting European Union institutions and international organizations.
The majority of attacks targeted private sector infrastructure, especially telecommunications, utilities, and industrial organizations, while high-value government and defense-related services were also impacted.

Executive summary table
Key Highlights
- Threat Actor: NoName057(16) and DDoSia Project (Pro-Russian hacktivist collective)
- Total Attack Entries: 4,435
- Primary Attack Methods: SYN Flood, HTTP Flood, ACK Flood
- Most Targeted Port: 443 (HTTPS)
- Most Affected Countries: Belgium, Ukraine, International entities
- Targeted Sectors: Telecommunications, Utilities, Government, Defense, Transportation
Campaign Analysis
Attack Volume and Scope
During the six-day analysis period, the campaign demonstrated persistent and sustained activity, with frequent updates to target lists and continuous attack execution.
- Belgium accounted for 57.3% of all attack entries
- Ukraine accounted for 22.8%
- Remaining attacks targeted international, EU, and network-related entities

Geographic Distribution by Country
This dual focus reflects a strategic effort to pressure both NATO member states and Ukraine simultaneously.
Targeted Sectors
The campaign overwhelmingly focused on the private sector, which accounted for 89.6% of all recorded attacks.
Key targeted sectors included:
- Telecommunications providers
- Energy and utility companies
- Industrial and defense-related organizations
- Transportation and logistics services
Government and critical infrastructure targets represented a smaller share by volume, but these attacks focused on high-impact and high-visibility services, such as defense portals, government administration sites, and public transportation systems.
Attack Techniques and Methods
DDoSia employed a multi-vector attack strategy, increasing the complexity of mitigation efforts.
Most common methods observed:
- SYN Flood attacks (25.5%)
- HTTP GET flood attacks (23.3%)
- ACK Flood attacks (14.5%)
- SYN-ACK and POST-based attacks
The heavy concentration on port 443 (HTTPS) indicates a deliberate focus on public-facing web services, government portals, and encrypted business services where disruption has immediate public and operational impact.

Attack Techniques, Methods and Ports
Most Targeted Organizations
The campaign targeted a mix of government, defense, telecommunications, utilities, and academic institutions.
Highly targeted entities included:
- Regional and federal Belgian government portals
- Major Belgian telecommunications providers
- Energy and utility operators
- Defense and aerospace-related organizations
- Public transportation authorities in Brussels
- Academic and research institutions with defense relevance

Industry Distribution – Top 20 Targets
These targets reflect a strategy aimed at economic disruption, political signaling, and psychological impact.

Top 10 Most Targeted Domains
Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that has been active since 2022 and is widely associated with sustained DDoS campaigning against countries that support Ukraine.
The group runs campaigns through a crowdsourced operational model. It promotes participation via Telegram channels and relies on a volunteer-driven tooling ecosystem. In this reporting cycle, the activity aligns with operations executed through the DDoSia tooling framework, which enables participants to launch coordinated attacks against centrally distributed target lists.
NoName057(16) operations typically align with Russian geopolitical objectives, with targeting that prioritizes:
- NATO member states
- Countries providing military, financial, or political support to Ukraine
- Ukrainian government services and critical infrastructure
Strategic Assessment
The observed activity aligns with hybrid warfare objectives, combining cyber disruption with political messaging.
Key strategic goals likely include:
- Undermining public trust in government digital services
- Creating economic pressure through private sector disruption
- Disrupting critical service dependencies such as telecommunications
- Sending political messages to NATO and EU institutions
- Testing defensive capabilities and response readiness
The sustained nature of the attacks suggests organized infrastructure and continued operational capacity.
Mitigation and Recommendations
Organizations within affected sectors should consider the following actions:
- Review and strengthen DDoS mitigation controls
- Monitor traffic anomalies on web-facing services
- Ensure redundancy for critical online services
- Coordinate with ISPs and DDoS protection providers
- Maintain updated incident response procedures
Telecommunications and utility providers should be treated as high-risk targets due to their role as dependency infrastructure for both public and private services.
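As an added illustration of the "monitor traffic anomalies" recommendation (not SOCRadar's code or data), the sketch below buckets inbound packet summaries for port 443 and flags the TCP-flag-based vectors named in this report: SYN, ACK, and SYN-ACK floods. The record layout, window size, threshold, and sample traffic are assumptions constructed for the example; HTTP GET/POST floods need application-layer logs and are out of its scope.

```python
from collections import defaultdict

WINDOW = 10       # bucket size in seconds (assumed value)
THRESHOLD = 100   # suspicious packets per bucket before alerting (assumed value)

def classify(packets, port=443):
    """packets: inbound (ts, src_ip, src_port, dst_port, flags) tuples in time order.
    Returns {window_start: set of flood vectors seen in that window}."""
    syn_window = {}   # flow -> window in which its SYN arrived (no expiry in this sketch)
    acked = set()     # flows that completed the three-way handshake
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, sport, dport, flags in packets:
        if dport != port:
            continue
        w, flow = ts - ts % WINDOW, (src, sport)
        if flags == "S":
            syn_window[flow] = w
            counts[w]["syn"] += 1
        elif flags == "SA":
            counts[w]["synack"] += 1         # a listening port never expects SYN-ACK
        elif flags == "A":
            if flow not in syn_window:
                counts[w]["stray_ack"] += 1  # ACK with no preceding SYN from this flow
            elif flow not in acked:
                acked.add(flow)
                counts[syn_window[flow]]["completed"] += 1
    alerts = {}
    for w, c in counts.items():
        vectors = set()
        if c["syn"] - c["completed"] >= THRESHOLD:
            vectors.add("SYN flood")         # many half-open connections
        if c["stray_ack"] >= THRESHOLD:
            vectors.add("ACK flood")
        if c["synack"] >= THRESHOLD:
            vectors.add("SYN-ACK flood")
        if vectors:
            alerts[w] = vectors
    return alerts

def sample_packets():
    """Constructed traffic using documentation address ranges, not real data."""
    pkts = []
    for i in range(20):    # benign clients: SYN followed by the handshake ACK
        pkts += [(0, f"198.51.100.{i + 1}", 40000 + i, 443, f) for f in ("S", "A")]
    pkts += [(10, f"203.0.113.{i % 254 + 1}", 1024 + i, 443, "S") for i in range(300)]
    pkts += [(20, f"192.0.2.{i % 254 + 1}", 2000 + i, 443, "A") for i in range(250)]
    pkts += [(30, f"192.0.2.{i % 254 + 1}", 5000 + i, 443, "SA") for i in range(150)]
    return pkts

if __name__ == "__main__":
    for window, vectors in sorted(classify(sample_packets()).items()):
        print(window, sorted(vectors))
```

In production the flow table needs expiry, and connections established before capture began would otherwise be counted as stray ACKs.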
Conclusion
The DDoSia campaign observed between 8 and 13 December 2025 demonstrates a persistent, coordinated, and strategically motivated DDoS operation. The focus on Belgium, Ukraine, and EU-related entities highlights continued pressure on nations aligned with Western support for Ukraine.
Given DDoSia’s operational history and sustained capability, similar campaigns are expected to continue, particularly during periods of geopolitical tension.
SOCRadar will continue monitoring DDoSia activity and provide updated intelligence as new campaigns emerge.

