Multi-Country DDoS Campaign: Weekly DDoS Threat Intelligence Analysis
Analysis Period: January 26 – February 1, 2026
Between January 26 and February 1, 2026, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 5,830 recorded attack entries, targeting 160 unique domains and 181 unique IP addresses across multiple countries, with a significant multi-national focus demonstrating the group’s expanding operational scope.
Unlike previous campaigns that concentrated on individual nations, this week’s activity demonstrates a sophisticated multi-country targeting strategy with the United Kingdom accounting for 55.0% of all attacks (3,204 targets), complemented by significant attacks against Ukraine (12.7%), Czechia (4.9%), and numerous commercial and international domains (27.4%). The campaign reveals systematic targeting of critical infrastructure, government services at all administrative levels, and strategic economic assets across NATO member states and Ukraine.
Executive Summary Table:
| Metric | Value |
|---|---|
| Analysis Period | January 26 – February 1, 2026 |
| Total Attack Entries | 5,830 |
| Unique Domains Targeted | 160 |
| Unique IP Addresses | 181 |
| Primary Countries | UK (55.0%), Ukraine (12.7%), Czechia (4.9%), Commercial/Int’l (27.4%) |
| Most Targeted Port | 443 (HTTPS) – 65.1% of attacks |
| Threat Actor | NoName057(16) |
| Attack Tool/Project | DDoSia |
For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns across Europe, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and showcase actionable threat data.
Campaign Analysis
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated unprecedented geographic diversity and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s multi-national focus represents an evolution in NoName057(16)’s strategy from concentrated single-country pressure campaigns to simultaneous multi-country operations designed to maximize strain on defensive resources across NATO’s alliance structure.
Geographic Distribution:
- United Kingdom accounted for 55.0% of all attack entries (3,204 attacks)
- Commercial/International domains comprised 27.5% (1,602 attacks)
- Ukraine received 12.7% of attacks (738 attacks)
- Czechia received 4.9% of attacks (286 attacks)

Distribution by Country (SOCRadar DDoS Threat Intelligence)
This distribution reflects a highly diversified targeting strategy aimed primarily at multiple NATO member states simultaneously. The concentration on UK infrastructure (55.0%) establishes it as the primary target, while maintaining pressure on Ukraine (12.7%) and expanding operations to include Czechia (4.9%) and commercial international entities. This multi-front approach prevents defensive concentration and demonstrates capability to sustain high-volume attacks across diverse geographic and organizational targets.
The sustained nature of attacks over seven consecutive days (January 26 – February 1) with twenty-one distinct target list updates indicates highly coordinated operational planning and substantial infrastructure resources. The timing suggests strategic coordination with broader geopolitical developments affecting NATO cohesion and Ukraine support commitments.
Targeted Sectors
The campaign demonstrated a comprehensive multi-sector targeting strategy affecting government, critical infrastructure, private sector, and commercial institutions simultaneously across multiple countries.

Distribution by Industry (SOCRadar DDoS Threat Intelligence)
Key targeted sectors included:
- Private Sector (49.2%) – Commercial organizations, business services, finance, and general private industry
- Government & Public Sector (31.7%) – Federal/national agencies, regional authorities, municipal councils
- Critical Infrastructure – Water (7.4%) – Water utilities and wastewater services
- Critical Infrastructure – Transportation (3.4%) – Rail information, metro systems, aviation
- Critical Infrastructure – Energy (2.0%) – Energy brokers and utility services
- Media & Communications (1.9%) – News platforms and information services
- Private Sector – Business Services (1.8%) – Business advocacy and confederation organizations
- Critical Infrastructure – Maritime (1.6%) – Port authorities and maritime services
- Private Sector – Finance (0.8%) – Banking and financial institutions
- Critical Infrastructure – Telecommunications (0.2%) – Telecom providers
The targeting of private sector entities (49.2%) represents the largest single category, indicating a strategy to create widespread economic disruption beyond government services. Combined with government targeting (31.7%), over 80% of attacks focus on either public services or commercial operations, demonstrating intent to undermine both governmental authority and economic confidence simultaneously.
The significant critical infrastructure targeting (14.4% combined across water, transportation, energy, maritime, and telecommunications) includes:
- Water Infrastructure: Scottish Water (serving 2.5 million households), ICOSA Water Services
- Transportation Systems: Rail.co.uk (UK rail information), metro systems, airports
- Energy Sector: Energy brokers and utility management services
- Business Advocacy: Confederation of British Industry (CBI) representing 190,000 businesses
This infrastructure selection reveals strategic understanding of cascading failure potential and psychological impact on civilian populations when essential services face disruption.
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks to increase complexity and bypass single-layer defensive measures.
Most common methods observed:
- SYN Flood attacks (27.3% – 1,590 attacks)
- HTTP GET Flood attacks (23.1% – 1,347 attacks)
- ACK Flood attacks (13.7% – 797 attacks)
- HTTP POST-based attacks (11.1% – 650 attacks)
- SYN-ACK Flood (10.4% – 606 attacks)
- UDP Flood (6.9% – 405 attacks)
- PING-based attacks (6.0% – 349 attacks)
- Other methods (1.5% – 86 attacks)

Attack Methods Distribution (SOCRadar DDoS Threat Intelligence)
The near-equal distribution between TCP SYN floods (27.3%) and HTTP GET floods (23.1%) demonstrates a balanced dual-layer approach, combining application-layer resource exhaustion with transport-layer volumetric attacks. This strategic balance makes defensive efforts significantly more complex, requiring both network-layer and application-layer protections deployed simultaneously.
Combined with ACK and SYN-ACK floods, transport-layer attacks represented 57.3% of all methods, while application-layer HTTP attacks comprised 35.7%, indicating sophisticated understanding of how to maximize attack effectiveness against modern web infrastructure and DDoS mitigation services.
The overwhelming concentration on port 443 (HTTPS) (65.1% of all attacks – 3,795 attacks) indicates deliberate targeting of encrypted web services, including:
- Government citizen portals and authentication systems
- Critical infrastructure management systems
- Business services and commercial platforms
- Municipal and regional service portals
- National security and law enforcement platforms
Additional targeting of port 80 (HTTP) (19.7% – 1,148 attacks) suggests attacks against both modern HTTPS services and legacy HTTP infrastructure still in operation, particularly affecting older government systems and smaller municipal websites with limited security resources.
Attack Types Distribution:
- TCP-layer attacks: 3,342 attacks (57.3%)
- HTTP/2 attacks: 989 attacks (17.0%)
- HTTP/1.1 attacks: 938 attacks (16.1%)
- Application-layer attacks (nginx_loris): 470 attacks (8.1%)
- HTTP/3 attacks: 69 attacks (1.2%)
- UDP attacks: 22 attacks (0.4%)

Attack Types Distribution (SOCRadar DDoS Threat Intelligence)
This distribution demonstrates a heavily layered attack methodology, with dominant volumetric network-layer floods (TCP: 57.3%) combined with sophisticated application-layer attacks (HTTP/1.1: 16.1%, HTTP/2: 17.0%, nginx_loris: 8.1%) designed to bypass rate-limiting defenses and exhaust server resources efficiently.
The significant nginx_loris component (8.1%) demonstrates the DDoSia botnet’s capability to execute specialized attacks exploiting specific server software vulnerabilities. nginx_loris attacks are designed to keep connections open with minimal data transmission, slowly exhausting server connection pools, which makes them particularly effective against inadequately configured web servers.
The presence of HTTP/3 attacks (1.2%), while minor in volume, indicates the threat actor’s capability to exploit cutting-edge protocols, demonstrating technical sophistication and ability to adapt attack vectors to emerging technologies.
Most Targeted Organizations
The campaign targeted a strategically selected mix of government services, critical infrastructure, economic development agencies, and commercial platforms across the United Kingdom, Ukraine, Czechia, and international domains. The selection demonstrates intelligence gathering and tactical planning rather than opportunistic targeting.

Top Targeted Hosts and IP Addresses (SOCRadar DDoS Threat Intelligence)
United Kingdom (Primary Target – 55.0%)
Top 10 Most Targeted UK Organizations:
- www.energybrokers.co.uk (119 attacks) – Energy Brokers, energy procurement company (Private Sector – Energy)
- Strategic Reason: Disrupting energy sector services creates economic uncertainty and impacts business operations across multiple sectors dependent on energy procurement services.
- www.harwichtowncouncil.co.uk (117 attacks) – Harwich Town Council (Government – Municipal)
- Strategic Reason: Harwich is a strategically important North Sea port. Disrupting local government services undermines public confidence and affects port-related administrative functions.
- my.blackburn.gov.uk (112 attacks) – Blackburn with Darwen Borough Council citizen portal (Government – Municipal)
- Strategic Reason: Citizen service portals are high-value targets as their disruption directly impacts public access to essential government services, causing frustration and undermining trust in digital government.
- www.trafford.gov.uk (108 attacks) – Trafford Metropolitan Borough Council (Government – Municipal)
- Strategic Reason: Large metropolitan councils provide critical services to significant populations (236,000 residents). Disruption affects public service delivery, emergency response coordination, and citizen welfare.
- www.cbi.org.uk (104 attacks) – Confederation of British Industry (Private Sector – Business Advocacy)
- Strategic Reason: The CBI influences UK economic policy and represents 190,000 businesses. Disrupting their operations sends a message targeting UK business interests and economic decision-making.
- www.rail.co.uk (100 attacks) – Rail.co.uk rail information services (Critical Infrastructure – Transportation)
- Strategic Reason: Disrupting rail information services creates transportation chaos, affects millions of daily commuters, and demonstrates capability to impact critical transportation infrastructure.
- buckfastleigh.gov.uk (100 attacks) – Buckfastleigh Town Council (Government – Municipal)
- Strategic Reason: Targeting small town councils demonstrates reach and creates disproportionate impact on vulnerable communities with limited IT resources to defend against or recover from attacks.
- www.icosawater.co.uk (98 attacks) – ICOSA Water Services (Critical Infrastructure – Water)
- Strategic Reason: Water utilities are essential infrastructure. Even service disruption to utility websites can affect billing, emergency notifications, and water quality reporting, creating public safety concerns.
- www.scottishwater.co.uk (98 attacks) – Scottish Water, Scotland’s national water provider (Critical Infrastructure – Water)
- Strategic Reason: As Scotland’s sole public water provider, disrupting Scottish Water services affects the entire Scottish population (2.5 million households), creates public safety risks, and demonstrates capability against national-level infrastructure.
- www.eastmidlands-cca.gov.uk (98 attacks) – East Midlands Combined County Authority (Government – Regional)
- Strategic Reason: Regional authorities coordinate economic development, transportation, and infrastructure across multiple areas. Disruption affects regional planning, funding allocation, and inter-county coordination.
Additional High-Profile UK Targets:
- Municipal councils across England and Scotland (representing various population sizes)
- Regional government bodies and combined authorities
- Transportation services and infrastructure providers
- Water utilities and essential services
- Energy sector companies and brokers
- Business advocacy organizations
The UK targeting pattern reveals comprehensive geographic coverage from major metropolitan areas (Greater Manchester, Greater London) to small towns (Buckfastleigh: 3,600 residents), demonstrating systematic exploitation of organizations with varying levels of cybersecurity maturity.
Ukraine (Secondary Target – 12.7%)
While the United Kingdom dominated targeting (55.0%), Ukraine received sustained attacks (12.7% – 738 attacks) focused on:
- Government services and administrative portals
- Critical national infrastructure
- Economic and financial systems
- Transportation and logistics networks
The dual-targeting of both the United Kingdom and Ukraine demonstrates NoName057(16)’s strategic objective of applying pressure simultaneously on NATO’s strong Ukrainian supporters and Ukraine itself, creating a two-front information warfare campaign.
Czechia (Tertiary Target – 4.9%)
Czechia received focused attention (4.9% – 286 attacks) targeting:
- Government institutions and public services
- Critical infrastructure elements
- Business and commercial platforms
- Municipal and regional authorities
The inclusion of Czechia, a NATO member and vocal Ukraine supporter, indicates expansion of the group’s targeting beyond traditional focus areas, demonstrating willingness to strike at Eastern European NATO members with strong anti-Russian positions.
Commercial and International Entities (27.4%)
A significant portion of attacks (1,602 attacks – 27.4%) targeted commercial domains (.com, .co, .net, .info) representing:
- Multinational corporations and international business
- Commercial service providers
- Global technology platforms
- International organizations
This targeting demonstrates recognition that disrupting commercial entities creates economic pressure and affects international business confidence in addition to direct governmental targeting.
Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and organized hacktivist actors conducting sustained DDoS campaigns against NATO member states, European Union countries, and nations supporting Ukraine.

Threat actor card of NoName057(16)
The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides several advantages: distributed attack infrastructure difficult to attribute and disrupt, plausible deniability for state involvement, and ability to mobilize thousands of volunteer participants incentivized through gamification, cryptocurrency rewards, and ideological motivation.
DDoSia Framework
The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:
- Provides a user-friendly interface for non-technical participants
- Receives centralized target lists updated multiple times daily
- Implements multiple attack vectors (TCP floods, HTTP floods, application-layer attacks)
- Includes evasion techniques to bypass basic DDoS protections
- Reports attack metrics back to central infrastructure for performance tracking
- Coordinates distributed attacks across thousands of volunteer participants
Geopolitical Alignment
NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:
- NATO member states, particularly United Kingdom, Poland, Baltic states, and strong Ukraine supporters
- European Union institutions and member states
- Countries providing military, financial, or political support to Ukraine
- Ukrainian government services and critical infrastructure
- Private sector entities in targeted countries to create economic pressure
The group has demonstrated exceptional operational persistence with:
- Regular target list updates multiple times per day (21 updates during this analysis period)
- Sustained campaigns over weeks and months
- Strategic coordination timed to geopolitical events and diplomatic developments
- Rapid adaptation to defensive measures
- Continuous recruitment of new participants through Telegram channels
Recent Activity Patterns
This multi-country campaign represents the latest evolution in NoName057(16)’s pattern of sustained pressure against NATO and Ukraine supporters. Recent campaigns have shown:
- December 2025: Rotating focus across Denmark, France, Finland, Germany
- Early January 2026: United Kingdom focus (85.2% – previous week)
- Mid-January 2026: Poland focus (67.1% – significant campaign)
- January 26 – February 1, 2026: Multi-country diversification (UK 55%, Ukraine 12.7%, Czechia 4.9%, Commercial 27.4%)
This pattern evolution from concentrated single-country campaigns to diversified multi-country operations suggests tactical adaptation to maximize strategic impact while complicating defensive coordination. The simultaneous pressure on multiple nations prevents defensive resource concentration and demonstrates scalable operational capability.
Key Characteristics
- Operational Model: Volunteer-driven crowdsourced attacks via DDoSia botnet tool
- Coordination: Telegram channels for target distribution and participant recruitment
- Motivation: Pro-Russian hacktivist aligned with state geopolitical objectives
- Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris, HTTP/2, HTTP/3)
- Target Selection: Intelligence-driven, strategically prioritized targeting
- Persistence: Continuous operations with sustained pressure over extended periods
- Scale: 5,830 attacks in one week against 160 unique targets across multiple countries
- Sophistication: Medium-to-high technical capability with evolving tactics
- Attribution: Plausibly deniable connection to Russian state interests
Mitigation and Recommendations
Organizations within affected sectors, particularly those in the United Kingdom, Ukraine, Czechia, and other NATO member states, should consider implementing or strengthening the following defensive measures:
Immediate Actions
- Deploy cloud-based DDoS protection services – Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches your infrastructure
- Review and update Web Application Firewall (WAF) rules – Ensure WAF configurations can detect and block HTTP/1.1, HTTP/2 and HTTP/3 flood patterns, particularly GET, POST, CONNECT, and HEAD-based attacks and nginx_loris variants
- Configure rate limiting – Implement rate limiting at multiple layers: web application, reverse proxy (nginx, Apache), load balancer, and network firewall
- Enable SYN cookies and TCP hardening – Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, increase SYN backlog queues, and limit connection table sizes
- Establish traffic baseline monitoring – Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization
- Verify geographic redundancy – Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional attacks
- Review DNS configuration – Implement DNS-based DDoS protection (e.g., Cloudflare DNS protection) and ensure proper DNS caching configurations
Strategic Measures
- Conduct comprehensive DDoS risk assessments – Identify all internet-facing services, assess current protections, and document vulnerabilities requiring remediation
- Develop and test incident response plans – Create detailed response procedures for DDoS attacks, conduct tabletop exercises, and ensure 24/7 contact procedures are established
- Allocate appropriate security budget – Budget for DDoS protection services, infrastructure redundancy, security personnel, and incident response capabilities
- Implement defense-in-depth architecture – Design infrastructure with multiple defensive layers: network edge filtering, CDN protection, WAF rules, application hardening
- Engage with national CERT/CSIRT – Participate in information sharing programs with UK NCSC, CERT-UA (for Ukrainian organizations), CERT.cz (for Czech organizations), and sector-specific ISACs
- Monitor threat intelligence feeds – Subscribe to threat intelligence services tracking NoName057(16) and DDoSia activity to receive early warning of targeting
- Consider managed security services – For smaller organizations lacking in-house expertise, consider managed DDoS protection and SOC services
- Train staff on incident recognition and response – Conduct regular training exercises to ensure personnel can recognize DDoS attacks quickly and execute appropriate response procedures
- Establish communication protocols – Prepare pre-drafted public communications and internal stakeholder messaging for use during service disruptions
- Document lessons learned – After incidents, conduct thorough post-mortems to identify defensive gaps and implement improvements
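The baseline-monitoring recommendation above, and the attack-type mix described earlier (HTTP GET/POST floods alongside slow nginx_loris connections), can be turned into a simple log-based detector. The following is an added example written for this page, not SOCRadar's or the DDoSia project's code; it assumes a hypothetical nginx `log_format` equal to `combined` with `$request_time` appended as the final field, and runs over constructed sample lines using documentation-range IP addresses.

```python
"""Flag HTTP-flood and slowloris-style (nginx_loris) sources in nginx access logs.

Assumption (not an nginx default): the 'combined' log format with
$request_time appended as the last field. Sample input below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<rtime>[\d.]+)$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["rtime"] = float(rec["rtime"])
    return rec


def detect(lines, window_s=10, per_ip_threshold=20, slow_rtime=5.0, slow_bytes=200):
    """Return (findings, peak_rps).

    findings: {ip: [labels]}. 'http_flood' = more than per_ip_threshold requests
    from one source inside a sliding window of window_s seconds (GET/POST flood
    participant). 'slow_connection' = a request held open >= slow_rtime seconds
    while moving <= slow_bytes bytes (the nginx_loris signature; such requests
    usually end as 408/400 with an empty body).
    peak_rps: highest aggregate requests per second, to compare against the
    site's normal baseline. DDoSia is distributed across many volunteers, so
    the aggregate can exceed baseline while no single source trips the per-IP
    threshold; both views are needed.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])  # logs are normally chronological already
    per_ip = defaultdict(deque)
    per_second = defaultdict(int)
    findings = defaultdict(set)
    for rec in records:
        ip, ts = rec["ip"], rec["ts"]
        per_second[ts] += 1  # access-log timestamps have 1 s resolution
        q = per_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > per_ip_threshold:
            findings[ip].add("http_flood")
        if rec["rtime"] >= slow_rtime and rec["bytes"] <= slow_bytes:
            findings[ip].add("slow_connection")
    peak_rps = max(per_second.values(), default=0)
    return {ip: sorted(v) for ip, v in findings.items()}, peak_rps


def _line(ip, sec, path="/", status=200, nbytes=612, rtime=0.003):
    """Build one constructed log line (fixed date, documentation-range IPs)."""
    return (f'{ip} - - [27/Jan/2026:10:15:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} {nbytes} "-" "Mozilla/5.0" {rtime}')


# Constructed sample: a flooding source, a normal client, and a slow-connection source.
SAMPLE_LOG = (
    [_line("198.51.100.9", i // 9, path=f"/?q={i}") for i in range(25)]
    + [_line("192.0.2.10", s) for s in (1, 20, 45)]
    + [_line("203.0.113.7", 5, status=408, nbytes=0, rtime=30.0) for _ in range(3)]
)

if __name__ == "__main__":
    found, peak = detect(SAMPLE_LOG)
    print(f"peak aggregate rate: {peak} req/s")
    for ip, labels in found.items():
        print(ip, ",".join(labels))
```

Thresholds here are illustrative; set `per_ip_threshold` and the baseline comparison from the service's own traffic history before alerting on them.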
Conclusion
The January 26 – February 1, 2026 campaign represents a significant tactical evolution in NoName057(16) operations, shifting from concentrated single-country pressure to diversified multi-country targeting across NATO alliance members and Ukraine. The campaign’s scale (5,830 attacks), geographic diversity (160 organizations across multiple countries), and sophisticated technical execution (multi-vector attacks combining TCP floods, HTTP attacks, and application-layer techniques) demonstrate the group’s expanding operational capability and strategic ambition.
The United Kingdom’s position as primary target (55.0%), combined with sustained pressure on Ukraine (12.7%) and expansion to Czechia (4.9%) and commercial entities (27.4%), reveals a coordinated strategy to maximize disruption across NATO’s support structure for Ukraine while simultaneously targeting Ukrainian infrastructure directly. This two-front approach creates compounding pressure on alliance cohesion while demonstrating persistent capability against multiple nations.
For a detailed breakdown and comprehensive technical indicators, organizations can access the full interactive threat intelligence dashboard. If you would like a more detailed breakdown for your organization or sector, you can reach out to us at [email protected].
SOCRadar continues our commitment to protecting European organizations with enhanced DDoS threat intelligence capabilities. We are continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns targeting Europe.