SOCRadar® Cyber Intelligence Inc. | Poland Under Intensified DDoS Siege: Weekly DDoS Threat Intelligence Analysis
Jan 19, 2026

Poland Under Intensified DDoS Siege: Weekly DDoS Threat Intelligence Analysis

Analysis Period: January 12–18, 2026

Between 12 and 18 January 2026, SOCRadar identified an intensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using its DDoSia attack tool. The campaign resulted in 4,087 recorded attack entries, targeting 149 unique domains and 137 unique IP addresses, with an overwhelming concentration on Polish infrastructure.

The activity focused almost exclusively on Poland, accounting for 67.1% of all attacks, with significant secondary targeting of Ukraine (13.3%), reflecting the group's continued strategic focus on both frontline NATO member states and Ukraine's digital infrastructure. This represents an escalation in scale from previous weeks' operations, with more than double the attack volume of the UK-focused campaign (1,812 attacks) observed in early January.

Private sector organizations accounted for the largest share of targets (71.3%), including financial services, manufacturing, and retail, followed by government infrastructure at the regional and local level (12.1%) and federal government services (8.4%).

Executive Summary Table:

Metric Value
Analysis Period January 12–18, 2026
Total Attack Entries 4,087
Unique Domains Targeted 149
Unique IP Addresses 137
Primary Countries Poland (67.1%), Ukraine (13.3%), Other (14.1%), EU (3.3%), UK (2.2%)
Most Targeted Port 443 (HTTPS) – 61.3% of attacks
Threat Actor NoName057(16)
Attack Tool/Project DDoSia

For a deeper breakdown of NoName057(16)’s operations, tooling, and long-term targeting patterns, explore our in-depth whitepaper on the DDoSia project. It provides detailed insights into the group’s evolution, attack coordination, and geopolitical motivations.

Campaign Analysis

Attack Volume and Scope

During the seven-day analysis period, the campaign demonstrated unprecedented scale and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s primary geographic focus on Poland represents the continuation of NoName057(16)’s strategy of applying sustained pressure on NATO’s eastern flank and one of Ukraine’s most critical supporters.

Geographic Distribution:

  • Poland accounted for 67.1% of all attack entries (2,744 attacks)
  • Ukraine received 13.3% of attacks (545 attacks)
  • Other/Unknown domains comprised 14.1% (575 attacks)
  • European Union institutions received 3.3% (133 attacks)
  • United Kingdom received 2.2% (90 attacks)

This distribution reflects a dual-objective targeting strategy aimed at pressuring both Poland, NATO's frontline member state bordering Ukraine, and Ukraine itself, while maintaining harassment-level attacks against other European targets. Poland's share (67.1%) is lower than the UK's share of the previous week's campaign (85.2%), but the absolute volume is significantly higher (2,744 vs. 1,543 attacks), indicating operational escalation.

Geographic Distribution by Country:

Top countries targeted

  1. Poland: 2,744 attacks (67.1%)
  2. Ukraine: 545 attacks (13.3%)
  3. Other/Unknown: 575 attacks (14.1%)
  4. European Union: 133 attacks (3.3%)
  5. United Kingdom: 90 attacks (2.2%)

The sustained nature of attacks over seven consecutive days (January 12-18) with sixteen distinct target list updates indicates highly coordinated operational planning and substantial infrastructure resources. The timing coincides with increased Polish military aid announcements to Ukraine and discussions of enhanced NATO presence in Poland, suggesting strategic coordination with geopolitical developments.

Targeted Sectors

The campaign demonstrated a comprehensive multi-sector targeting strategy affecting government, critical infrastructure, private sector, and other institutions simultaneously:

Key targeted sectors included:

Top industries targeted

  • Private Sector Services (71.3%) – Diverse commercial entities, business services, industrial companies
  • Government Services – Regional/Local (12.1%) – County administrations (powiat), municipal councils, city portals
  • Government Services – Federal (8.4%) – National agencies, defense industry portals, federal government services
  • Critical Infrastructure – Transportation (3.2%) – Public transportation systems, rail networks
  • Retail/E-commerce (1.6%) – Online stores, commercial platforms
  • Financial Services (1.6%) – Payment systems, banking institutions
  • Other Sectors (2.8%) – Telecommunications, logistics, energy, manufacturing, education

Government vs Private Sector chart

The significant focus on private sector services (71.3%) represents a departure from previous campaigns that demonstrated higher government targeting percentages. This suggests a strategic shift toward economic warfare objectives, aiming to disrupt business operations, damage consumer confidence, and impose economic costs on the Polish economy.

The targeting of government infrastructure (20.5% combined federal, regional, and local) includes:

  • Regional Government (12.1%): County administrations (powiat krakowski, powiat zgierski, powiat tarnowski) that provide essential citizen services
  • Federal Government (8.4%): Strategic targets like the Polish Defence Industry portal (polishdefenceindustry.gov.pl), demonstrating intent to disrupt military-industrial coordination
  • Municipal Services: City portals and local government services across Poland

The significant private sector targeting includes critical economic infrastructure:

  • Financial Systems: BLIK payment platform (www.blik.com) – used by millions of Poles for instant mobile payments
  • Transportation: MPK Poznań public transportation serving major urban areas
  • Manufacturing: Industrial companies critical to Poland’s economy
  • Retail: E-commerce platforms and commercial services

Attack Techniques and Methods

NoName057(16) employed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks to increase complexity and bypass single-layer defensive measures.

Most common methods observed:

  • TCP SYN Flood attacks (33.7% – 1,379 attacks)
  • HTTP GET Flood attacks (22.7% – 929 attacks)
  • TCP ACK Flood attacks (11.9% – 485 attacks)
  • TCP SYN-ACK Flood (11.0% – 451 attacks)
  • UDP Flood (8.4% – 344 attacks)
  • HTTP POST-based attacks (6.7% – 273 attacks)
  • PING/ICMP Flood (4.6% – 186 attacks)
  • Other methods (1.0% – 40 attacks)

Attack methods chart

The dominant focus on TCP SYN floods (33.7%) demonstrates continued heavy reliance on this classic method: a stream of SYN segments that never complete the three-way handshake fills the listener's half-open connection backlog and exhausts server connection resources. Combined with ACK and SYN-ACK floods (56.6% in total), the majority of attacks targeted the transport layer.

Top attack types

The significant presence of HTTP GET and POST attacks (29.4% combined) indicates sophisticated application-layer targeting designed to exhaust web server resources through computationally expensive request processing. This dual-layer approach—combining volumetric network attacks with resource-exhaustion application attacks—significantly complicates defensive efforts.

The overwhelming concentration on port 443 (HTTPS) (61.3% of all attacks – 2,506 attacks) indicates deliberate targeting of encrypted web services, including:

  • Government citizen portals and authentication systems
  • Banking and financial services platforms (BLIK payment system)
  • Critical infrastructure management systems
  • Business services and e-commerce platforms

Additional targeting of port 80 (HTTP) (19.7% – 805 attacks) suggests attacks against both modern HTTPS services and legacy HTTP infrastructure still in operation.

Attack Types Distribution:

  • TCP-layer attacks: 2,501 attacks (61.2%)
  • HTTP/2 attacks: 589 attacks (14.4%)
  • HTTP/1.1 attacks: 580 attacks (14.2%)
  • Application-layer attacks (nginx_loris): 368 attacks (9.0%)
  • HTTP/3 attacks: 39 attacks (1.0%)
  • UDP attacks: 10 attacks (0.2%)

This second breakdown classifies the same 4,087 entries by protocol and attack type rather than by method, and the two views do not map one-to-one (UDP, for example, is 8.4% by method but 0.2% by type). It shows the same layering: dominant transport-layer floods (TCP: 61.2%) combined with application-layer attacks (HTTP/2: 14.4%, HTTP/1.1: 14.2%, nginx_loris: 9.0%) designed to get past simple rate limiting and exhaust server resources efficiently.

The significant nginx_loris component (9.0%) shows that the DDoSia tool implements a slowloris-style attack aimed at nginx. Rather than exploiting a software vulnerability, it holds many connections open while transmitting as little data as possible, slowly exhausting the server's connection pool; it is particularly effective against web servers configured with generous header and body timeouts and no per-client connection limits.
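The two mechanisms described above, request-rate exhaustion (HTTP GET/POST floods) and slow-connection exhaustion (nginx_loris), leave different traces in a web server's access log. The following added example is written for this page and is not code from the report or from the DDoSia project. It runs a simple detector over constructed nginx access-log lines: it flags any source that exceeds a per-window request rate, and any source that repeatedly triggers 408 header timeouts, which is how nginx records a client that never finishes sending its request headers. The IP addresses, timestamps, and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" log format. The request field is "-" when nginx timed out
# before a complete request line arrived (the slow-client case).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def build_sample_log():
    """Constructed sample lines (not real traffic) for three sources:
    198.51.100.7 browses normally, 203.0.113.10 runs an HTTP GET flood,
    203.0.113.20 holds connections open until client_header_timeout fires (408)."""
    base = datetime(2026, 1, 15, 10, 0, 0, tzinfo=timezone(timedelta(hours=1)))
    entries = []

    def add(ip, when, request, status):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        entries.append((when, f'{ip} - - [{stamp}] "{request}" {status} 512 "-" "Mozilla/5.0"'))

    for i in range(6):                    # normal: one page every 10 s
        add("198.51.100.7", base + timedelta(seconds=10 * i), "GET /news HTTP/1.1", 200)
    for i in range(80):                   # flood: 80 requests in 8 s
        add("203.0.113.10", base + timedelta(milliseconds=100 * i), "GET /search?q=a HTTP/1.1", 200)
    for i in range(6):                    # slow client: headers never complete
        add("203.0.113.20", base + timedelta(seconds=5 * i), "-", 408)
    return [line for _, line in sorted(entries, key=lambda e: e[0])]


def parse_line(line):
    """Return ip, timestamp and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m["status"]),
    }


def detect(lines, window_s=10, rate_threshold=50, timeout_threshold=5):
    """Flag per-source request bursts (flood) and repeated header timeouts (slow client).
    The thresholds are assumptions for the sample; tune them to your own baseline."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    peak = {}                     # ip -> highest in-window count seen
    timeouts = defaultdict(int)   # ip -> number of 408 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window; q always keeps the current one.
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= rate_threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
        if rec["status"] == 408:
            timeouts[rec["ip"]] += 1
    return {
        "http_flood": peak,
        "slow_client": {ip: n for ip, n in timeouts.items() if n >= timeout_threshold},
    }


if __name__ == "__main__":
    for kind, hits in detect(build_sample_log()).items():
        for ip, n in sorted(hits.items()):
            print(f"{kind}: {ip} ({n})")
```

The sliding window is per source, so a legitimate user making one request every few seconds never reaches the threshold while a flood source is flagged as soon as the window fills. The 408 counter is the cheaper signal for slowloris-style activity; the stronger one is the number of concurrent connections per client held open in a reading-headers state, which comes from the server's connection status rather than the access log.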

Most Targeted Organizations

The campaign targeted a strategically selected mix of government services, critical infrastructure, financial institutions, and commercial platforms across Poland and Ukraine. The selection suggests deliberate target research rather than opportunistic targeting.

Poland

Top 10 Most Targeted Polish Hosts:

  1. powiat.krakow.pl (84 attacks) – Kraków County (Powiat Krakowski), regional government administration for the Kraków region (Government – Regional)
    • Strategic Reason: Disrupting local governance and administrative services in a major Polish region
  2. www.powiat.zgierz.pl (80 attacks) – Zgierz County (Powiat Zgierski), regional government administration in Łódź Voivodeship (Government – Regional)
    • Strategic Reason: Undermining local government operations and citizen services
  3. polishdefenceindustry.gov.pl (80 attacks) – Polish Defence Industry Portal, official government platform for Poland’s defense sector (Government – Federal)
    • Strategic Reason: Targeting of defense infrastructure to disrupt military-industrial coordination
  4. www.mpk.poznan.pl (75 attacks) – MPK Poznań, municipal public transportation company serving Poznań (Critical Infrastructure – Transportation)
    • Strategic Reason: Disrupting critical urban transportation infrastructure and daily commuter services affecting hundreds of thousands
  5. dezamet.com.pl (70 attacks) – Dezamet, Polish industrial manufacturing company (Private Sector – Manufacturing)
    • Strategic Reason: Economic disruption targeting industrial production and supply chains
  6. www.erzeszow.pl (70 attacks) – City of Rzeszów, municipal government portal for Rzeszów, southeastern Poland (Government – Municipal)
    • Strategic Reason: Disrupting local government services in a city critical to Poland’s military logistics supporting Ukraine
  7. sklep.stomil-bydgoszcz.pl (66 attacks) – Stomil Bydgoszcz online store, industrial products and materials (Private Sector – E-commerce)
    • Strategic Reason: Economic impact through disruption of commercial operations
  8. www.blik.com (65 attacks) – BLIK, major Polish mobile payment system used by millions for instant transfers (Private Sector – Finance)
    • Strategic Reason: High-value target to disrupt financial transactions, create economic chaos, and undermine confidence in digital payment infrastructure
  9. www.cenzin.com (63 attacks) – Cenzin, Polish business services company (Private Sector – Services)
    • Strategic Reason: Economic disruption targeting business operations and commercial services
  10. www.powiat.tarnow.pl (60 attacks) – Tarnów County (Powiat Tarnowski), regional government administration in Lesser Poland (Government – Regional)
    • Strategic Reason: Undermining regional governance and administrative functions

Additional High-Profile Polish Targets:

  • www.powiat.zdunskowolski.pl (60 attacks) – Zduńska Wola County Council
  • www.pwsip.edu.pl (57 attacks) – Łomża State University of Applied Sciences (PWSIP Łomża)
  • www.powiat.prudnik.pl (54 attacks) – Prudnik County Council
  • www.powiat.szydlowiecki.pl (54 attacks) – Szydłowiec County Council
  • www.powiatgryf.pl (54 attacks) – Gryfice County Council
  • www.sopot.pl (50 attacks) – City of Sopot municipal portal
  • Multiple additional county administrations (powiat) across Poland

Ukraine

While Poland dominated the targeting (67.1%), Ukraine received sustained attacks (545 attacks, 13.3%) focused on:

  • Government services and portals
  • Military and defense-related infrastructure
  • Critical national infrastructure
  • Economic and financial systems

The dual-targeting of both Poland and Ukraine demonstrates NoName057(16)’s strategic objective of applying pressure simultaneously on NATO’s frontline supporter and Ukraine itself.

Threat Actor Overview: NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and organized hacktivist actors conducting sustained DDoS campaigns against NATO member states, European Union countries, and nations supporting Ukraine.

Threat actor card of NoName057(16)

The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides several advantages: distributed attack infrastructure difficult to attribute and disrupt, plausible deniability for state involvement, and ability to mobilize thousands of volunteer participants incentivized through gamification, cryptocurrency rewards, and ideological motivation.

DDoSia Framework

The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:

  • Provides a user-friendly interface for non-technical participants
  • Receives centralized target lists updated multiple times daily
  • Implements multiple attack vectors (TCP floods, HTTP floods, application-layer attacks)
  • Includes evasion techniques to bypass basic DDoS protections
  • Reports attack metrics back to central infrastructure for performance tracking
  • Coordinates distributed attacks across thousands of volunteer participants

Geopolitical Alignment

NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:

  • NATO member states, particularly Poland, Baltic states, and strong Ukraine supporters
  • European Union institutions and member states
  • Countries providing military, financial, or political support to Ukraine
  • Ukrainian government services and critical infrastructure
  • Private sector entities in targeted countries to create economic pressure

The group has demonstrated exceptional operational persistence with:

  • Regular target list updates multiple times per day (16 updates during this analysis period)
  • Sustained campaigns over weeks and months
  • Strategic coordination timed to geopolitical events and diplomatic developments
  • Rapid adaptation to defensive measures
  • Continuous recruitment of new participants through Telegram channels

Recent Activity Patterns

The Poland-focused campaign represents a strategic continuation of NoName057(16)’s pattern of rotating geographic focus to maximize pressure on multiple NATO members. Recent campaigns have shown:

  • December 15-21: Denmark focus (67.9% of attacks)
  • December 22-28: Multi-country (Finland, France, International)
  • December 29 – January 4: Germany focus (88.0% of attacks)
  • January 5-11: United Kingdom focus (85.2% of attacks – 1,812 attacks)
  • January 12-18: Poland focus (67.1% of attacks – 4,087 attacks)

This pattern of rotating geographic focus with escalating intensity spreads pressure across NATO members, gives no single country's defenders a stable pattern to adapt to, and demonstrates the capability to sustain high-volume attacks.

Key Characteristics

  • Operational Model: Volunteer-driven crowdsourced attacks via DDoSia botnet tool
  • Coordination: Telegram channels for target distribution and participant recruitment
  • Motivation: Pro-Russian hacktivist aligned with state geopolitical objectives
  • Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris)
  • Target Selection: Intelligence-driven, strategically prioritized targeting
  • Persistence: Continuous operations with sustained pressure over extended periods
  • Scale: 4,087 attacks in one week against 149 unique domains and 137 unique IP addresses
  • Sophistication: Medium-to-high technical capability with evolving tactics
  • Attribution: Plausibly deniable connection to Russian state interests

Mitigation and Recommendations

Organizations within affected sectors, particularly those in Poland, Ukraine, and other NATO member states, should consider implementing or strengthening the following defensive measures:

Immediate Actions

  • Deploy cloud-based DDoS protection services – Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches your infrastructure
  • Review and update Web Application Firewall (WAF) rules – Ensure WAF configurations can detect and block HTTP/1.1 and HTTP/2 flood patterns, particularly POST-based attacks and slowloris variants such as nginx_loris
  • Configure rate limiting – Implement rate limiting at multiple layers: web application, reverse proxy (nginx, Apache), load balancer, and network firewall
  • Enable SYN cookies and TCP hardening – Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, increase SYN backlog queues, and limit connection table sizes. Note that these controls address only the SYN-flood component (33.7% of observed methods); ACK, SYN-ACK, and UDP floods (31.3% combined) do not depend on handshake state and must be filtered upstream
  • Establish traffic baseline monitoring – Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization
  • Verify geographic redundancy – Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional attacks
  • Review DNS configuration – Implement DNS-based DDoS protection (e.g., Cloudflare DNS protection) and ensure proper DNS caching configurations
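Of the immediate actions above, the SYN cookie and TCP hardening settings are the ones most often left at kernel defaults. The following added example is written for this page and is not code from the report. It audits a Linux host's sysctl values against a SYN-flood hardening baseline, reads the live values from /proc/sys when run on Linux, and emits sysctl.conf lines for anything that fails. The target values are assumptions chosen for the example; the report recommends the controls but gives no numbers, and the WEAK dictionary is a constructed sample configuration.

```python
import operator
from pathlib import Path

# Target values are this example's assumptions for a SYN-flood hardening
# baseline, not figures from the report.
CHECKS = [
    # (sysctl key, comparison, expected value, rationale)
    ("net.ipv4.tcp_syncookies", "==", 1,
     "kernel answers SYNs without holding backlog state once the queue overflows"),
    ("net.ipv4.tcp_max_syn_backlog", ">=", 4096,
     "more half-open connections tolerated before cookies take over"),
    ("net.core.somaxconn", ">=", 4096,
     "larger accept queue for completed handshakes"),
    ("net.ipv4.tcp_synack_retries", "<=", 2,
     "fewer SYN-ACK retransmits, so half-open entries expire sooner"),
    ("net.ipv4.tcp_fin_timeout", "<=", 30,
     "FIN-WAIT-2 sockets released sooner under connection churn"),
]
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}


def audit(settings):
    """Return one finding per check; settings maps sysctl key -> int. Missing keys fail."""
    findings = []
    for key, op, expected, why in CHECKS:
        current = settings.get(key)
        ok = current is not None and OPS[op](current, expected)
        findings.append({"key": key, "current": current,
                         "expected": f"{op} {expected}", "ok": ok, "why": why})
    return findings


def failures(settings):
    """Only the findings that did not meet the baseline."""
    return [f for f in audit(settings) if not f["ok"]]


def read_live_settings():
    """Read the checked keys from /proc/sys on a Linux host; returns {} elsewhere."""
    out = {}
    for key, *_ in CHECKS:
        path = Path("/proc/sys") / key.replace(".", "/")
        if path.exists():
            out[key] = int(path.read_text().split()[0])
    return out


def remediation(settings):
    """sysctl.conf lines for every failed check; apply with `sysctl -p`."""
    return [f"{f['key']} = {f['expected'].split()[-1]}" for f in failures(settings)]


# Constructed sample: a default-looking configuration that fails every check.
WEAK = {
    "net.ipv4.tcp_syncookies": 0,
    "net.ipv4.tcp_max_syn_backlog": 128,
    "net.core.somaxconn": 128,
    "net.ipv4.tcp_synack_retries": 5,
    "net.ipv4.tcp_fin_timeout": 60,
}

if __name__ == "__main__":
    live = read_live_settings() or WEAK   # fall back to the sample off-Linux
    for f in audit(live):
        print("PASS" if f["ok"] else "FAIL", f["key"], f["current"], "expected", f["expected"])
    for line in remediation(live):
        print("fix:", line)
```

Run it as root on each internet-facing host and feed the remediation lines into /etc/sysctl.d/. Raising the backlog only delays the point at which cookies take over; with cookies enabled the listener keeps accepting legitimate handshakes even when the backlog is full, at the cost of losing TCP options such as window scaling for connections established via cookies.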

Strategic Measures

  • Conduct comprehensive DDoS risk assessments – Identify all internet-facing services, assess current protections, and document vulnerabilities requiring remediation
  • Develop and test incident response plans – Create detailed response procedures for DDoS attacks, conduct tabletop exercises, and ensure 24/7 contact procedures are established
  • Allocate appropriate security budget – Budget for DDoS protection services, infrastructure redundancy, security personnel, and incident response capabilities
  • Implement defense-in-depth architecture – Design infrastructure with multiple defensive layers: network edge filtering, CDN protection, WAF rules, application hardening
  • Engage with national CERT/CSIRT – Participate in information sharing programs with CERT Polska (for Polish organizations), CERT-UA (for Ukrainian organizations), and sector-specific ISACs
  • Monitor threat intelligence feeds – Subscribe to threat intelligence services tracking NoName057(16) and DDoSia activity to receive early warning of targeting
  • Consider managed security services – For smaller organizations lacking in-house expertise, consider managed DDoS protection and SOC services
  • Train staff on incident recognition and response – Conduct regular training on recognizing DDoS attacks, following response procedures, and communicating during incidents

Conclusion

The NoName057(16) campaign observed between 12 and 18 January 2026 demonstrates an escalating, persistent, and technically sophisticated DDoS operation focused primarily on Polish infrastructure while maintaining pressure on Ukraine and other targets. With 4,087 attack entries distributed across 149 unique domains and 137 unique IP addresses, this campaign represents a significant escalation in scale compared to previous weeks’ operations.

Key Takeaways

  • Poland faces unprecedented DDoS campaign intensity from state-aligned threat actors, with 2,744 attacks (67.1%) representing the highest concentration of recent NoName057(16) operations
  • Government and private sector both under sustained attack, with county administrations, defense infrastructure, financial systems, and commercial services all targeted
  • Multi-vector attacks require sophisticated defenses, combining network-layer (TCP: 61.2%) and application-layer (HTTP: 28.6%, nginx_loris: 9.0%) techniques to bypass single-layer protections
  • Strategic targeting demonstrates intelligence gathering, with defense industry portals, financial payment systems, and critical transportation infrastructure selected for maximum political, economic, and social impact
  • NATO member states face rotating but intensifying campaigns, with sequential focus on Denmark, Germany, UK, and Poland demonstrating coordinated strategy to pressure alliance members
  • DDoSia’s volunteer model enables sustained operations at scale, with 16 target list updates in one week demonstrating operational tempo difficult to counter

For a detailed breakdown of all 149 targeted domains, 137 IP addresses, and comprehensive technical indicators, organizations can access the full interactive threat intelligence dashboard. If you would like a more detailed breakdown for your organization or sector, you can reach out to us at [email protected].

Starting this week, SOCRadar has expanded our commitment to protecting European organizations with enhanced DDoS threat intelligence capabilities. We are now continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns targeting Europe.
