SOCRadar® Cyber Intelligence Inc. | Denmark Is Being Heavily Targeted: Weekly DDoS Threat Intelligence Analysis
Dec 22, 2025

Denmark Is Being Heavily Targeted: Weekly DDoS Threat Intelligence Analysis

Analysis Period: December 15–21, 2025

Between 15 and 21 December 2025, SOCRadar identified a coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) and their project DDoSia. The campaign resulted in 4,559 recorded attack entries, targeting 148 unique domains and 137 unique IP addresses across multiple countries.

The activity focused primarily on Denmark and Ukraine, with additional targeting of international critical infrastructure and private sector organizations.

The majority of attacks targeted government infrastructure and critical services, especially municipal and local government websites. High-value critical infrastructure, including the energy, telecommunications, and transportation sectors, was also heavily impacted.

Executive Summary Table:

| Metric | Value |
|---|---|
| Analysis Period | December 15–21, 2025 |
| Total Attack Entries | 4,559 |
| Unique Domains Targeted | 148 |
| Unique IP Addresses | 137 |
| Primary Countries | Denmark, Ukraine, Other |
| Most Targeted Port | 443 (HTTPS) |
| Threat Actor | NoName057(16) |

Key Highlights

  • Threat Actor: NoName057(16) & DDoSia Project (Pro-Russian hacktivist collective)
  • Total Attack Entries: 4,559
  • Primary Attack Methods: SYN Flood, HTTP GET Flood, ACK Flood, POST Flood
  • Most Targeted Port: 443 (HTTPS)
  • Most Affected Countries: Denmark (67.9%), Ukraine (18.6%), Other (13.5%)
  • Targeted Sectors: Government (Municipal/Local), Critical Infrastructure, Energy, Telecommunications, Transportation

Campaign Analysis

Attack Volume and Scope

During the seven-day analysis period, the campaign demonstrated persistent and sustained activity, with frequent updates to target lists and continuous attack execution distributed through Telegram channels.

  • Denmark accounted for 67.9% of all attack entries (3,095 attacks)

Geographic Distribution by Country:

  1. Denmark: 3,095 attacks (67.9%)
  2. Ukraine: 848 attacks (18.6%)
  3. Other: 616 attacks (13.5%)

This distribution reflects a strategic effort to pressure NATO member states and Ukraine simultaneously, with a particularly heavy focus on Danish municipal infrastructure suggesting an attempt to demonstrate reach throughout the entire country at the grassroots level.

Targeted Country Distribution


Targeted Sectors

The campaign demonstrated a clear focus on government infrastructure, particularly at the municipal and local level, which accounted for the majority of Danish targets.

Key targeted sectors included:

  • Municipal and local government services
  • Regional government authorities
  • National government ministries (particularly Defense)
  • Energy and utility companies (Ørsted)
  • Transportation infrastructure (Scandlines ferry services)
  • Telecommunications providers
  • Critical infrastructure operators

Industry & Sector Distribution


Government and critical infrastructure targets represented the primary focus, with these attacks aimed at high-impact and high-visibility services, such as defense portals, municipal service websites, regional administration platforms, and essential transportation services.

Attack Techniques and Methods

NoName057(16) employed a multi-vector attack strategy, increasing the complexity of mitigation efforts.

Attack Methods Distribution


Most common methods observed across all countries:

  • SYN Flood attacks (26.8% – 1,014 attacks)
  • HTTP GET flood attacks (25.2% – 1,133 attacks)
  • ACK Flood attacks (12.9% – 566 attacks)
  • POST-based attacks (11.3% – 516 attacks)
  • SYN-ACK Flood (10.9% – 492 attacks)
  • PING/ICMP Flood (9.1% – 413 attacks)
  • UDP Flood (7.1% – 325 attacks)

The heavy concentration on port 443 (HTTPS) indicates a deliberate focus on public-facing web services, government portals, and encrypted business services where disruption has immediate public and operational impact.

Attack Types Distribution:

  • TCP-layer attacks: 2,485 attacks (54.5%)
  • HTTP/HTTPS attacks: 1,234 attacks (27.1%)
  • Application-layer attacks (nginx_loris, HTTP/2, HTTP/3): 775 attacks (17.0%)
  • UDP attacks: 65 attacks (1.4%)

Most Targeted Organizations

The campaign targeted a mix of government, defense, critical infrastructure, energy, telecommunications, and transportation entities.

Denmark – Top 10 Most Targeted:

  1. www.fmn.dk (111 attacks) – Ministry of Defence, National government
  2. soroe.dk (68 attacks) – Sorø Municipality, Local government
  3. www.jammerbugt.dk (60 attacks) – Jammerbugt Municipality, Local government
  4. www.qq.dk (60 attacks) – Municipal services, Local government
  5. www.aal.dk (60 attacks) – Aalborg services, Local government
  6. www.middelfart.dk (59 attacks) – Middelfart Municipality, Local government
  7. orsted.com (57 attacks) – Ørsted, Critical Infrastructure (Energy)
  8. www.vejen.dk (56 attacks) – Vejen Municipality, Local government
  9. www.nordfynskommune.dk (56 attacks) – Nordfyns Municipality, Local government
  10. www.ikast-brande.dk (55 attacks) – Ikast-Brande Municipality, Local government

Ukraine – Top 5 Most Targeted:

  1. zp.gov.ua (57 attacks) – Zaporizhzhia Regional Administration
  2. aesgroup.com.ua (46 attacks) – AES Group Ukraine
  3. www.vmr.gov.ua (45 attacks) – Regional government authority
  4. smr.gov.ua (45 attacks) – Regional administration
  5. adm.dp.gov.ua (39 attacks) – Dnipro City Administration

Other International Targets – Top 5:

  1. orsted.com (68 attacks) – Ørsted Energy (included in both Denmark and Other)
  2. ntg.com (45 attacks) – Network Telecommunications Group
  3. copenhagensuborbitals.com (45 attacks) – Aerospace organization
  4. www.scandlines.com (40 attacks) – Ferry transportation services
  5. www.bws.net (40 attacks) – Network/telecommunications services

These targets reflect a strategy aimed at political disruption, economic impact, and psychological warfare.

Threat Actor Overview: NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that has been active since 2022 and is widely associated with sustained DDoS campaigning against countries that support Ukraine.

The group runs campaigns through a crowdsourced operational model. It promotes participation via Telegram channels and relies on a volunteer-driven tooling ecosystem. In this reporting cycle, the activity aligns with operations executed through the DDoSia tooling framework, which enables participants to launch coordinated attacks against centrally distributed target lists.

NoName057(16) operations typically align with Russian geopolitical objectives, with targeting that prioritizes:

  • NATO member states
  • Countries providing military, financial, or political support to Ukraine
  • Ukrainian government services and critical infrastructure

The group is known for its persistent operations, regularly updating target lists multiple times per day and maintaining sustained pressure on selected targets over extended periods. The technical sophistication is moderate, employing multiple attack vectors including HTTP floods, TCP SYN floods, and application-layer attacks to bypass basic DDoS protections.

Strategic Assessment

The observed activity aligns with hybrid warfare objectives, combining cyber disruption with political messaging.

Key strategic goals likely include:

  1. Undermining public trust in government digital services – By targeting municipal websites that citizens depend on for daily services, the campaign creates frustration with local authorities and demonstrates government vulnerability.
  2. Creating economic pressure through critical infrastructure disruption – Attacks on energy providers (Ørsted), transportation services (Scandlines), and telecommunications create economic costs and service disruptions.
  3. Demonstrating capability and reach – The widespread targeting of Danish municipalities throughout the country demonstrates the threat actor’s ability to identify and attack targets across an entire nation, not just major cities or federal institutions.
  4. Political messaging to NATO and EU – Denmark, as a NATO member and strong supporter of Ukraine, represents a high-value symbolic target. The attacks send a clear message about consequences for supporting Ukraine.
  5. Testing defensive capabilities – The sustained nature and variety of attack methods serve as reconnaissance, revealing which organizations have strong DDoS protections and which are vulnerable.
  6. Supporting Ukrainian theater operations – Concurrent attacks on Ukrainian regional government infrastructure directly support Russian military objectives by disrupting governance and administration.

The sustained nature of the attacks suggests organized infrastructure and continued operational capacity. The high volume of attacks against Denmark specifically indicates this country was a priority target during this period, possibly in response to political developments or military aid announcements.

Mitigation and Recommendations

Organizations within affected sectors should consider the following actions:

  • Review and strengthen DDoS mitigation controls, particularly for public-facing web services,
  • Monitor traffic anomalies on web-facing services, especially port 443 (HTTPS),
  • Ensure redundancy for critical online services to maintain availability during attacks,
  • Coordinate with ISPs and DDoS protection providers to implement traffic filtering,
  • Maintain updated incident response procedures and ensure staff are trained,
  • Implement rate limiting and traffic shaping on web servers,
  • Review and update Web Application Firewall (WAF) rules.
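One way to act on the traffic-monitoring recommendation for HTTPS front ends, shown as an added example that is not SOCRadar's code or tooling: the script below buckets web access-log entries by time, flags buckets far above the median request volume, and labels each spike as distributed (many sources, each sending little, as expected from crowdsourced tooling) or single-source. The log format (common/combined access log), the thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Leading fields of the common/combined access-log format: client IP and timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def bucket_requests(lines, bucket_seconds=10):
    """Count requests per source IP in fixed time buckets: {bucket_epoch: {ip: n}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for entry in lines:
        m = LINE_RE.match(entry)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        epoch = int(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp())
        buckets[epoch - epoch % bucket_seconds][m.group(1)] += 1
    return buckets

def find_floods(buckets, factor=5.0, min_requests=20):
    """Flag buckets whose volume exceeds factor x the median bucket volume."""
    totals = {b: sum(ips.values()) for b, ips in buckets.items()}
    # Assumed thresholds; in production take the baseline from a known-quiet period.
    baseline = max(median(totals.values()), 1) if totals else 1
    alerts = []
    for b in sorted(totals):
        total = totals[b]
        if total < min_requests or total <= factor * baseline:
            continue
        # Many sources each sending little points to a crowdsourced flood;
        # one dominant source is a candidate for a simple per-IP limit.
        top_share = max(buckets[b].values()) / total
        kind = "single-source" if top_share > 0.5 else "distributed"
        alerts.append({"bucket": b, "requests": total,
                       "sources": len(buckets[b]), "kind": kind})
    return alerts

def sample_lines():
    """Constructed log lines: quiet baseline, a distributed burst, one noisy client."""
    base = datetime(2025, 12, 15, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    out = [line(f"192.0.2.{i}", b * 10 + i) for b in range(6) for i in range(1, 4)]
    out += [line(f"198.51.100.{i}", 60 + i % 10) for i in range(1, 31) for _ in range(2)]
    out += [line("203.0.113.7", 70 + i % 10) for i in range(40)]
    return out

if __name__ == "__main__":
    for alert in find_floods(bucket_requests(sample_lines())):
        print(alert)
```

A "distributed" result means per-IP rate limits alone will not absorb the spike, which is the case where upstream filtering by an ISP or DDoS protection provider matters most.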

Conclusion

The DDoSia campaign observed between 15 and 21 December 2025 demonstrates a persistent, coordinated, and strategically motivated DDoS operation. The overwhelming focus on Danish municipal infrastructure (67.9% of attacks) represents a significant escalation in targeting breadth, moving beyond high-value federal targets to demonstrate capability across an entire nation’s local government ecosystem.

The concurrent targeting of Ukraine (18.6%) and strategic international infrastructure (13.5%) highlights the campaign’s dual objectives: supporting Russian geopolitical goals while pressuring NATO member states that support Ukraine.

The technical sophistication, demonstrated through multi-vector attacks combining TCP floods, HTTP floods, and application-layer exploits, indicates continued evolution of DDoSia’s capabilities. The sustained volume of attacks (4,559 entries over seven days) shows significant operational capacity and organized infrastructure.

Key Takeaways:

  • Municipal and local government services are increasingly targeted, not just federal/national infrastructure
  • Critical infrastructure sectors (energy, transportation, telecommunications) remain high-priority targets
  • Multi-vector attacks require sophisticated, multi-layered defenses
  • NATO member states supporting Ukraine should expect continued targeting
  • Organizations in targeted countries must prioritize DDoS resilience measures

Given the operational history and sustained capability of NoName057(16) and its DDoSia project, similar campaigns are expected to continue, particularly during periods of geopolitical tension, major political announcements regarding Ukraine support, or significant developments in the Ukrainian conflict.

The pattern of targeting suggests future campaigns will continue to focus on:

  • NATO member states and EU countries
  • Municipal and regional government infrastructure to maximize disruption visibility
  • Critical infrastructure sectors that create economic impact
  • Ukrainian government and essential services

SOCRadar will continue monitoring DDoSia activity and provide updated intelligence as new campaigns emerge. If you would like a more detailed breakdown for your organization or sector, you can reach out to us at [email protected].