| Metric | Value |
| --- | --- |
| Analysis Period | December 22–28, 2025 |
| Total Attack Entries | 6,567 |
| Unique Domains Targeted | 158 |
| Unique IP Addresses | 161 |
| Primary Countries | Finland (53.3%), France (11.8%), International Domains (23.5%), Other (11.3%) |
| Most Targeted Port | 443 (HTTPS) – 72.6% of attacks |
| Threat Actor | NoName057(16) |
Cyberattacks Continue Despite Peace Talks: Weekly DDoS Threat Intelligence Analysis
Analysis Period: December 22–28, 2025
Between 22 and 28 December 2025, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) and their project DDoSia. The campaign resulted in 6,567 recorded attack entries, targeting 158 unique domains and 161 unique IP addresses across multiple European nations.
The activity focused primarily on Finland, France, and various international targets, with additional attacks distributed across other European countries. This represents a significant escalation in both scale and geographic scope compared to previous weeks, demonstrating that hostile cyber operations continue unabated even as diplomatic efforts intensify.
This week’s analysis reveals that both physical and cyber attacks persist during these “thorny” diplomatic talks, with pro-Russian threat actors maintaining aggressive DDoS campaigns against NATO member states and their allies.
Executive Summary Table:
Campaign Analysis
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated unprecedented scale and persistence, with continuous updates to target lists and sustained attack execution distributed through Telegram channels. The volume of attacks represents a significant escalation compared to previous weekly campaigns observed in December 2025.
- Finland accounted for 53.3% of all attack entries (3,503 attacks)
- France represented 11.8% of attacks (778 attacks)
- International domains (.com, .org, .net) comprised 23.5% (1,542 attacks)
- Other countries accounted for 11.3% (744 attacks)
This distribution reflects a strategic multi-pronged approach to pressure NATO member states, critical European infrastructure, and international services simultaneously. The overwhelming focus on Finland (over half of all attacks) demonstrates continued targeting of NATO’s newest Nordic member following its accession in April 2023.
Attacks by Target Country
Geographic Distribution by Country:
- Finland: 3,503 attacks (67.9%)
- International: 1,542 attacks (23.5%)
- France: 778 attacks (11.8%)
- Other: 744 attacks (11.3%)
Targeted Sectors
The campaign demonstrated a diversified targeting strategy affecting multiple critical sectors simultaneously:
Attacks by Industry Sector
Key targeted sectors included:
- Private Sector Organizations (68.7%) – Industrial companies, manufacturing, logistics, taxi services, and business services
- Government Services (11.1%) – National agencies, social security systems, road safety authorities, digital identity platforms
- Critical Infrastructure – Energy (7.3%) – National gas operators, power producers, energy transmission systems
- Private Sector – Telecommunications (6.2%) – Network providers, telecommunications infrastructure
- Critical Infrastructure – Transportation (4.8%) – Seaports, logistics hubs, transportation networks
- Private Sector – Finance (1.8%) – Banking and financial services
Government and critical infrastructure targets, while comprising less than 30% of total attacks, represent the highest-impact targets due to their essential nature and the cascading effects their disruption can cause across dependent systems and services.
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy, combining multiple attack types to increase complexity and make mitigation more challenging for defenders.
Attack Methods Distribution
Most common methods observed across all countries:
- HTTP GET Flood attacks (26.9% – 1,766 attacks)
- SYN Flood attacks (19.7% – 1,295 attacks)
- ACK Flood attacks (13.2% – 869 attacks)
- SYN-ACK Flood (12.0% – 786 attacks)
- POST-based attacks (11.3% – 740 attacks)
- UDP Flood (9.1% – 600 attacks)
- PING/ICMP Flood (7.3% – 480 attacks)
- Other methods (0.5% – 31 attacks)
The heavy concentration on port 443 (HTTPS) (72.6% of all attacks) indicates deliberate targeting of public-facing encrypted web services, including government portals, business websites, and critical infrastructure management systems where disruption has immediate public and operational impact.
Attack Types Distribution:
- TCP-layer attacks: 3,430 attacks (52.2%)
- HTTP/2 attacks: 1,357 attacks (20.7%)
- HTTP/1 attacks: 1,037 attacks (15.8%)
- Application-layer attacks (nginx_loris): 610 attacks (9.3%)
- HTTP/3 attacks: 125 attacks (1.9%)
- UDP attacks: 8 attacks (0.1%)
This distribution demonstrates a layered attack approach, combining volumetric network-layer floods (TCP) with more sophisticated application-layer attacks (HTTP/2, nginx_loris) designed to bypass simple rate-limiting defenses and exhaust server resources more efficiently.
Most Targeted Organizations
The campaign targeted a diverse mix of government, critical infrastructure, energy, telecommunications, transportation, and private sector entities across multiple countries. The selection of targets demonstrates intelligence gathering and strategic planning rather than opportunistic targeting.
Top 10 Targeted IP Addresses
Top 10 Targeted Hosts
Finland
- www.lahitaksi.fi (162 attacks) – Lähitaksi, Finland’s largest taxi service provider
- gasgrid.fi (144 attacks) – Gasgrid Finland, national gas transmission operator (Critical Infrastructure)
- www.pohjolanvoima.fi (128 attacks) – Pohjolan Voima, major energy producer with nuclear facilities (Critical Infrastructure)
- www.airpro.fi (120 attacks) – Airpro, industrial equipment supplier
- www.korrek.fi (120 attacks) – Korrek, engineering and manufacturing company
- ouluport.com (120 attacks) – Port of Oulu, major seaport (Critical Infrastructure)
- www.kela.fi (119 attacks) – Kela, Finnish Social Insurance Institution (Government)
- opas.matka.fi (112 attacks) – Matka.fi, national travel information platform
- www.finavia.fi (estimated 100+ attacks) – Finnish airport operator
- Additional Finnish targets with 80-110 attacks each
France
- www.securite-routiere.gouv.fr (133 attacks) – French Road Safety Authority (Government)
- lidentitenumerique.laposte.fr (112 attacks) – La Poste Digital Identity platform (Government)
- Additional French government and infrastructure targets
International Targets
- ouluport.com (120 attacks) – International shipping and logistics
- Various .com and .org domains serving European operations
- Cross-border business services and platforms
These targets reflect a strategy aimed at political disruption, economic impact, social disruption, and psychological warfare. The inclusion of civilian services (taxi companies, travel platforms) alongside critical infrastructure (energy, ports) and government services (social security, identity systems) demonstrates an intent to create widespread disruption affecting both state operations and daily life.
Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in 2022 following Russia’s invasion of Ukraine. The group has been consistently active in conducting DDoS campaigns against countries perceived as supporting Ukraine or opposing Russian interests.
Threat actor card of NoName057(16)
The group operates through a crowdsourced, volunteer-driven model using custom DDoS tooling frameworks distributed via Telegram channels. Participants download attack tools and receive target lists, creating a distributed attack infrastructure that is difficult to attribute and disrupt.
NoName057(16) operations typically align with Russian geopolitical objectives, with targeting that prioritizes:
- NATO member states
- Countries providing military, financial, or political support to Ukraine
- Ukrainian government services and critical infrastructure
- European Union institutions and member states
The group is known for its persistent operations, regularly updating target lists multiple times per day and maintaining sustained pressure on selected targets over extended periods. The technical sophistication is moderate-to-high, employing multiple attack vectors including HTTP floods, TCP SYN floods, and application-layer attacks to bypass basic DDoS protections.
Key Characteristics:
- Operational Model: Crowdsourced attacks using volunteer participants recruited via Telegram
- Motivation: Aligned with Russian geopolitical objectives, particularly opposition to NATO expansion
- Technical Capability: Multi-vector attacks combining volumetric and application-layer techniques
- Target Selection: Strategic, intelligence-driven targeting of high-value government and infrastructure targets
- Persistence: Sustained campaigns over weeks and months with continuous target list updates
- Infrastructure: Distributed attack network leveraging thousands of volunteer-operated systems
Mitigation and Recommendations
Organizations within affected sectors, particularly those in Finland, France, and other European countries, should consider implementing or strengthening the following defensive measures:
Immediate Actions:
- Review and strengthen DDoS mitigation controls, particularly for public-facing web services on ports 443 and 80
- Monitor traffic anomalies on web-facing services, looking for patterns consistent with HTTP floods, SYN floods, and application-layer attacks
- Ensure redundancy for critical online services to maintain availability during attacks
- Coordinate with ISPs and DDoS protection providers to implement upstream traffic filtering
- Implement or update Web Application Firewall (WAF) rules to detect and block HTTP/2 and nginx_loris attacks
Medium-Term Actions:
- Implement rate limiting and traffic shaping on web servers to prevent resource exhaustion
- Deploy DDoS scrubbing services that can filter malicious traffic before it reaches your infrastructure
- Establish baseline traffic patterns to improve detection of anomalous activity
- Create and test incident response procedures specifically for DDoS scenarios
- Train staff on recognizing DDoS attacks and following response procedures
Strategic Actions:
- Conduct DDoS resilience assessments to identify vulnerabilities in critical services
- Implement defense-in-depth strategies combining network-layer and application-layer protections
- Establish information sharing with sector peers and national CERT/CSIRT teams
- Consider CDN and anycast solutions to distribute traffic and absorb volumetric attacks
- Develop business continuity plans that account for extended service disruptions
- Monitor threat actor channels (via threat intelligence services) for early warning of targeting
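The baseline and traffic-anomaly recommendations above can be prototyped over web server access logs; the sketch below is an added example, not SOCRadar's code. It assumes combined-format access logs and a hypothetical threshold of median + 6 × MAD, uses constructed log lines, and counts per minute across all clients because a crowdsourced flood spreads requests over many sources that each stay under a per-IP limit.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Combined-log-format prefix: client IP, [timestamp], "METHOD ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) ')

def per_minute(lines, method="GET"):
    """Map minute -> (request count, distinct client IPs) for one HTTP method."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != method:
            continue  # malformed line or a different method
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        seen[ts.replace(second=0)].append(m.group(1))
    return {t: (len(v), len(set(v))) for t, v in seen.items()}

def baseline(stats):
    """Median and MAD of per-minute request counts from a known-quiet period."""
    counts = [c for c, _ in stats.values()]
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, max(mad, 1.0)  # floor so a perfectly flat baseline still works

def flood_minutes(stats, med, mad, k=6.0):
    """Minutes whose request count exceeds median + k * MAD (k is an assumption)."""
    limit = med + k * mad
    return sorted((t, c, n) for t, (c, n) in stats.items() if c > limit)

def _line(ip, hh, mm, ss, method="GET"):
    # Builds one constructed access-log line (documentation IP ranges only).
    return (f'{ip} - - [22/Dec/2025:{hh:02d}:{mm:02d}:{ss:02d} +0000] '
            f'"{method} / HTTP/2.0" 200 512')

# Constructed data: ten quiet minutes (3-5 GETs each) as the baseline, then an
# observed window with one normal minute and one minute of 60 single-request sources.
QUIET = [_line("192.0.2.10", 9, m, s) for m in range(10) for s in range(3 + m % 3)]
OBSERVED = [_line("192.0.2.10", 10, 0, s) for s in range(4)]
OBSERVED += [_line(f"198.51.100.{s + 1}", 10, 1, s) for s in range(60)]

def demo():
    med, mad = baseline(per_minute(QUIET))
    return flood_minutes(per_minute(OBSERVED), med, mad)

if __name__ == "__main__":
    for minute, requests, sources in demo():
        print(minute.isoformat(), requests, "requests from", sources, "sources")
```

In the flagged minute every source sends exactly one request, so a per-client rate limit would not trigger; the aggregate count against the baseline is what exposes the flood.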
Conclusion
The NoName057(16) campaign observed between 22 and 28 December 2025 demonstrates a persistent, coordinated, and strategically motivated DDoS operation that continues unabated despite intensive peace negotiations. With Trump stating negotiations are in their final stages with “95%” of issues settled, the cyber domain reveals a more complex reality: hostile operations persist across both kinetic and digital battlefields.
The overwhelming focus on Finnish critical infrastructure and government services (53.3% of attacks) represents a significant escalation in targeting NATO’s newest member, while concurrent attacks on France, international infrastructure, and other European targets demonstrate a multi-pronged approach to advancing geopolitical objectives during a critical diplomatic period.
The technical sophistication demonstrated through multi-vector attacks combining TCP floods (52.2%), HTTP/2 attacks (20.7%), and application-layer exploits (9.3%) indicates continued evolution of NoName057(16) capabilities. The heavy targeting of HTTPS services (72.6% on port 443) shows understanding of modern infrastructure and focus on high-value encrypted services.
SOCRadar will continue monitoring NoName057(16) activity and provide updated intelligence as new campaigns emerge. Organizations requiring detailed threat intelligence, sector-specific analysis, or assistance with DDoS mitigation strategies can contact our threat intelligence team.

