DDoSia Targets France: Weekly DDoS Threat Intelligence Analysis

Analysis Period: December 1 to 8, 2025

NoName057(16), a pro-Russian hacktivist group, kept its DDoS campaign active during the week of December 1–8, 2025. The group used its volunteer powered DDoS tool, DDoSia, to hit public sector and private sector targets across several European countries and international domains.

This week, France clearly stood out as the main focus. Many high value French government, transport, tourism, energy, and financial assets appeared in the target lists.

1. Executive Summary

DDoSia showed a strong shift toward French infrastructure in this period. France recorded the highest number of attacks, followed by international .com services, Ukraine, and Belgium. French overseas territories using .re and .nc domains also faced intense pressure.

The main patterns:

• Focus on French national and regional government services
• Heavy interest in road safety and traffic fine portals
• Continued pressure on airlines, logistics, and tourism platforms
• Repeated activity against French energy and defense related organizations

This week’s total numbers:

• Total attack targets: 3,654
• Countries or domain zones affected: 7
• Unique hosts: 169
• Unique IPs: 159

DDoSia actors kept distributing new target lists through their Telegram channels, in line with previous operational cycles.

2. Key Graphs

Attack Distribution by Country or Domain

Top countries or domains this week:

• France – 1,474 attacks
• International (.com) – 1,036 attacks
• Ukraine – 433 attacks
• Belgium – 235 attacks
• French territories (.re, .nc) – 373 attacks combined
• Other zones – .aero, .org, .net, .biz with lower but constant volume

France and international .com domains together made up more than two thirds of all recorded targets.

3. Country Highlights

1. France

• Total attacks: 1,474
• Unique hosts: 54
• Unique IPs: 44
• Top port: 443

Notes:

France was clearly the main focus.

Key themes:

• National and regional government portals under gouv.fr
• Road safety and traffic fine services
• Airline and transport booking platforms
• Tourism and national promotion sites
• Energy sector platforms linked to major providers

Several French domains reached high or critical volume levels and stayed in the lists across several snapshots.

2. International (.com)

• Total attacks: 1,036
• Unique hosts: 46
• Unique IPs: 47
• Top port: 443

Notes:

The .com space included:

• Logistics and transport companies
• Financial and insurance services
• Industrial and defense related vendors

These targets show that DDoSia actors do not focus only on state owned assets. They also try to hit private companies that support national capability.

3. Ukraine

• Total attacks: 433
• Unique hosts: 31
• Unique IPs: 29
• Top port: 443

Notes:

Ukraine remained a stable target in line with the ongoing war.

The group continued to target government related portals, information sites, and public services connected to the conflict.

4. Belgium

• Total attacks: 235
• Unique hosts: 19
• Unique IPs: 19
• Top port: 443

Notes:

Belgium showed medium volume but broad scope:

• Public administration and local government
• Economic and industry related sites
• Services with links to European level activity

5. French Overseas Territories and Other Domains

• .re (Réunion) – 192 attacks, 7 hosts, 7 IPs
• .nc (New Caledonia) – 181 attacks, 6 hosts, 5 IPs

Notes:

Targets under .re and .nc mostly belonged to local government portals and municipal sites.

Additional lower volume zones:

• .aero – aviation related
• .org, .net, .biz – organizations, networks, and smaller commercial entities

4. Weekly Shift Overview

This week showed a clear tactical move toward France and French linked infrastructure:

• France became the top target by a wide margin
• International .com targets supported that focus with many France related companies and suppliers
• Ukraine and Belgium stayed in the list with medium intensity
• French overseas territories also came under pressure

The pattern suggests a coordinated narrative that links French national policy, European roles, and support to Ukraine. The threat actor likely aims to raise the perceived cost of these positions.

5. Sector Breakdown

Based on host analysis, the most targeted sectors were:

• Government and municipal websites
  • National ministries and prefectures
  • Local and regional government sites in mainland France and overseas territories
• Transport and mobility
  • Airline portals and booking systems
  • Road safety and traffic fine payment platforms
  • Logistics and transport operators
• Tourism and national image
  • National tourism promotion sites
  • Regional tourism boards and travel related platforms
• Financial and insurance services
  • Insurance providers and financial service platforms
• Energy and utilities
  • Portals linked to French energy providers
  • Technical and industrial subdomains used for monitoring and control
• Defense and industrial organizations
  • Industry associations and defense related companies

Transport and government services showed the highest visible impact, as they directly affect citizens and daily life.

6. Top 20 Most Targeted Hosts

Below are the top 20 hosts by number of attack entries recorded in DDoSia lists this week:

1. www.adn-tourisme.fr – 63 (Critical)
2. www.amendes.gouv.fr – 57 (High)
3. www.hop.fr – 57 (High)
4. www.securite-routiere.gouv.fr – 57 (High)
5. www.paneuropeenne.com – 57 (High)
6. www.province-sud.nc – 52 (High)
7. lidentitenumerique.laposte.fr – 48 (High)
8. www.ca-assurances.com – 48 (High)
9. gicat.com – 48 (High)
10. auth.entreprises-collectivites.edf.fr – 42 (Medium)
11. gtt.fr – 42 (Medium)
12. www.chapuis-armes.com – 42 (Medium)
13. www.haute-savoie.gouv.fr – 40 (Medium)
14. www.essonne.gouv.fr – 39 (Medium)
15. www.ville-saintesuzanne.re – 39 (Medium)
16. www.moselle.gouv.fr – 39 (Medium)
17. thingsboard.labchatou.edf.fr – 36 (Medium)
18. www.id-logistics.com – 36 (Medium)
19. www.atout-france.fr – 36 (Medium)
20. www.chantiers-atlantique.com – 36 (Medium)

Many of these hosts sit in:

• Government and municipal infrastructure
• Road safety and traffic fine systems
• Tourism and national promotion
• Logistics, shipbuilding, and industrial sectors
• Energy and postal identity services

These categories show why they are attractive to a hacktivist group that wants public visibility and disruption.

7. Attack Method Trends

Port 443 saw the most attacks with 2,660 events, followed by port 80 with 688. Smaller volumes hit ports 22, 21, 3306, 53, 8443, 995, 541, and 143. The mix shows broad targeting of both web services and backend ports.

Attack methods

GET floods lead with 1,014 events. SYN floods follow with 830, then ACK (439), POST (436), SYN_ACK (385), UDP floods (377), and PING traffic (170). The campaign used several vectors rather than one method.

Attack types

TCP floods dominate with 1,824 entries. HTTP2 and HTTP floods add 877 and 584 events, while nginx_loris slow header traffic adds 360. UDP and HTTP3 attacks appear only in very small numbers.

8. Threat Actor Summary

NoName057(16) is a pro-Russian hacktivist group active since 2022. The group:

• Operates volunteer based DDoS campaigns
• Distributes target lists via Telegram channels
• Uses the DDoSia tool to coordinate attacks across many operators
• Aligns target selection with political events, sanctions, and military support actions

The weekly patterns show a clear tactic:

• Rotate between key NATO and EU countries
• Maintain constant pressure on Ukraine
• Include private sector targets that support state capability

9. Defensive Recommendations

To reduce the impact of similar DDoSia campaigns, organizations should:

1. Use managed DDoS protection
   • Cloud based solutions such as Cloudflare, Akamai, AWS Shield, or similar providers.
2. Harden front end infrastructure
   • Apply rate limits, connection limits, and intelligent filtering rules for HTTP and HTTPS.
3. Monitor port 443 closely
   • Watch for fast spikes in request rate and connection attempts.
4. Prepare and test incident response plans
   • Include runbooks for DDoS scenarios and communication templates for public channels.
5. Share indicators and context
   • Report events and share indicators with national CERT teams and sector ISACs.
6. Use temporary geofencing when needed
   • During intense waves, consider short term geofencing and traffic shaping, aligned with legal and business constraints.
7. Review dependencies
   • Identify critical third parties such as hosting, DNS, and payment providers and check their DDoS resilience.

10. Conclusion

The December 1–8, 2025 period marked a clear move toward France and French associated infrastructure. Government portals, traffic and road safety services, tourism platforms, energy related systems, and industrial players faced significant pressure.

DDoSia continued to mix protocol layers, used HTTPS as the main channel, and relied on its volunteer network to sustain activity.

Close monitoring, strong DDoS protection, and coordinated response with national and sector partners remain key to reduce disruption in upcoming cycles.

If you would like a more detailed breakdown for your organization or sector, you can reach out to us at [email protected].