United Kingdom Under DDoS Siege: Weekly DDoS Threat Intelligence Analysis
Analysis Period: January 5–11, 2026
Between 5 and 11 January 2026, SOCRadar identified an intensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) and their project DDoSia. The campaign resulted in 1,812 recorded attack entries, targeting 86 unique domains and 87 unique IP addresses with an overwhelming concentration on United Kingdom infrastructure.
The activity focused almost exclusively on the United Kingdom, accounting for 85.2% of all attacks, with the remainder distributed across unidentified international domains. This represents one of the most focused single-country campaigns observed in recent NoName057(16) operations, demonstrating strategic concentration on NATO’s second-largest military power and one of Ukraine’s strongest supporters.
The majority of attacks targeted government infrastructure at both national and local levels (54.8%), complemented by significant targeting of critical infrastructure (8.4%) including major maritime ports and rail networks, and private sector organizations (31.2%) including financial services and telecommunications.
Executive Summary Table:

| Metric | Value |
| --- | --- |
| Analysis Period | January 5–11, 2026 |
| Total Attack Entries | 1,812 |
| Unique Domains Targeted | 86 |
| Unique IP Addresses | 87 |
| Primary Countries | United Kingdom (85.2%), Unknown (14.8%) |
| Most Targeted Port | 443 (HTTPS) – 70.3% of attacks |
| Threat Actor | NoName057(16) |

For a deeper breakdown of NoName057(16)’s operations, tooling, and long-term targeting patterns, explore our in-depth whitepaper on the DDoSia project. It provides detailed insights into the group’s evolution, attack coordination, and geopolitical motivations.
Campaign Analysis
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated extraordinary concentration and tactical precision, with daily target list updates distributed through Telegram channels. The campaign’s narrow geographic focus represents a departure from previous multi-country targeting approaches, suggesting deliberate strategic prioritization of UK infrastructure.
- United Kingdom accounted for 85.2% of all attack entries (1,543 attacks)
- Unknown/International domains comprised 14.8% (269 attacks)
This distribution reflects a highly focused targeting strategy aimed at pressuring one of Europe’s most significant military powers and Ukraine’s most vocal supporters. The concentration exceeds even the Germany-focused campaign observed in late December 2025, indicating escalation in both strategic focus and operational intensity.
Geographic Distribution by Country:
- United Kingdom: 1,543 attacks (85.2%)
- Unknown/International: 269 attacks (14.8%)

Figure: Geographic Distribution
The sustained nature of attacks over seven consecutive days (January 5-11) with twelve distinct target list updates indicates coordinated operational planning and significant infrastructure resources. The timing in early January suggests exploitation of the post-holiday period when defensive staffing may still be returning to full capacity.
Targeted Sectors
The campaign demonstrated a comprehensive multi-sector targeting strategy affecting government, critical infrastructure, private sector, and educational institutions simultaneously:

Figure: Industry/Sector Distribution
Key targeted sectors included:
- Government Services (54.8%) – National agencies, municipal councils, digital authentication platforms, local government portals
- Private Sector Organizations (31.2%) – Financial services, telecommunications, maritime companies, business associations, commercial services
- Critical Infrastructure – Transportation (8.4%) – Major seaports (Felixstowe, Southampton), rail networks, vessel tracking systems
- Education (1.5%) – Research institutions, academic organizations
- Unknown (4.1%) – Unclassified targets and international services
The overwhelming focus on government infrastructure (54.8%) represents the highest government targeting percentage observed in recent NoName057(16) campaigns, demonstrating a deliberate strategy to disrupt public services and undermine confidence in government digital infrastructure.
The targeting of critical infrastructure, while representing a smaller percentage, includes some of the UK’s most strategically important assets:
- Port of Felixstowe – UK’s largest container port, handling 42% of UK containerized trade
- Southampton VTS – Vessel Traffic Services for one of UK’s busiest ports
- Rail infrastructure – Transportation networks critical to economic activity
The significant private sector targeting (31.2%) includes financial institutions (banks, building societies), demonstrating economic warfare objectives designed to create business disruption and undermine confidence in the UK’s position as a global financial center.
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks to increase complexity and bypass single-layer defensive measures.

Figure: Attack methods
Most common methods observed:
- TCP SYN Flood attacks (25.3% – 458 attacks)
- HTTP GET Flood attacks (23.0% – 417 attacks)
- TCP ACK Flood attacks (15.8% – 286 attacks)
- HTTP POST-based attacks (13.4% – 242 attacks)
- TCP SYN-ACK Flood (10.4% – 188 attacks)
- UDP Flood (7.1% – 128 attacks)
- PING/ICMP Flood (2.0% – 36 attacks)
- Other methods (2.9% – 57 attacks)
The dominant focus on TCP SYN floods (25.3%) demonstrates continued reliance on this classic attack method that exploits the TCP three-way handshake to exhaust server connection resources and fill state tables. Combined with ACK and SYN-ACK floods (total 51.5%), the majority of attacks targeted the transport layer infrastructure.
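As an added illustration (not part of SOCRadar's report and not taken from any DDoSia code), the sketch below turns the handshake behaviour described above into a detection: it flags time windows in which many SYNs arrive for a port but few handshakes complete. The packet tuple layout, the thresholds and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

def detect_syn_floods(packets, window=10, min_syns=50, max_completion=0.2):
    """Flag (window, dst_port) buckets where SYNs pile up but few handshakes finish.

    packets: (ts, src_ip, src_port, dst_port, flags) tuples as seen at the server
    edge; flags is "S" for a client SYN and "A" for the client's final ACK.
    Thresholds are illustrative assumptions and need tuning per service.
    """
    syns = defaultdict(set)   # (bucket, dst_port) -> client endpoints that sent SYN
    done = defaultdict(set)   # (bucket, dst_port) -> endpoints that completed
    pending = {}              # (src_ip, src_port, dst_port) -> bucket of its SYN
    for ts, src, sport, dport, flags in sorted(packets):
        key = (src, sport, dport)
        if flags == "S":
            bucket = int(ts // window)
            syns[(bucket, dport)].add((src, sport))
            pending[key] = bucket
        elif flags == "A" and key in pending:
            # Credit the completion to the window in which the SYN arrived.
            done[(pending.pop(key), dport)].add((src, sport))
    alerts = []
    for (bucket, dport), endpoints in sorted(syns.items()):
        completion = len(done[(bucket, dport)]) / len(endpoints)
        if len(endpoints) >= min_syns and completion < max_completion:
            alerts.append({"window_start": bucket * window, "dst_port": dport,
                           "syns": len(endpoints), "completion": round(completion, 3)})
    return alerts

def constructed_sample():
    """Constructed traffic: a quiet window, then 180 unanswered SYNs to port 443."""
    pkts = []
    for i in range(20):  # window 0: normal clients, every handshake completes
        pkts += [(1.0 + i * 0.1, f"198.51.100.{i + 1}", 40000 + i, 443, "S"),
                 (1.05 + i * 0.1, f"198.51.100.{i + 1}", 40000 + i, 443, "A")]
    for i in range(20):  # window 1: the same clients are still being served
        pkts += [(11.0 + i * 0.1, f"198.51.100.{i + 1}", 41000 + i, 443, "S"),
                 (11.05 + i * 0.1, f"198.51.100.{i + 1}", 41000 + i, 443, "A")]
    for i in range(180):  # window 1: SYNs whose handshake never completes
        pkts.append((10.0 + i * 0.05, f"203.0.113.{i % 250 + 1}", 50000 + i, 443, "S"))
    return pkts

if __name__ == "__main__":
    for alert in detect_syn_floods(constructed_sample()):
        print(alert)
```

The quiet window is not flagged because it stays under `min_syns`, which keeps low-traffic services from alerting on a handful of abandoned handshakes.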
The significant presence of HTTP GET and POST attacks (36.4% combined) indicates sophisticated application-layer targeting designed to exhaust web server resources through computationally expensive request processing. This dual-layer approach – combining volumetric network attacks with resource-exhaustion application attacks – significantly complicates defensive efforts.
The overwhelming concentration on port 443 (HTTPS) (70.3% of all attacks – 1,273 attacks) indicates deliberate targeting of encrypted web services, including:
- Government citizen portals and authentication systems
- Banking and financial services platforms
- Critical infrastructure management systems
- Business services and commercial platforms
Additional targeting of port 80 (HTTP) (21.6% – 391 attacks) suggests attacks against both modern HTTPS services and legacy HTTP infrastructure still in operation.
Attack Types Distribution:

Figure: Attack Types
- TCP-layer attacks: 969 attacks (53.5%)
- HTTP/2 attacks: 360 attacks (19.9%)
- HTTP/1.1 attacks: 286 attacks (15.8%)
- Application-layer attacks (nginx_loris): 182 attacks (10.0%)
- HTTP/3 attacks: 12 attacks (0.7%)
- UDP attacks: 3 attacks (0.2%)
This distribution demonstrates a layered attack methodology, combining volumetric network-layer floods (TCP: 53.5%) with sophisticated application-layer attacks (HTTP/2: 19.9%, nginx_loris: 10.0%) designed to bypass rate-limiting defenses and exhaust server resources efficiently.
The significant nginx_loris component (10.0%) demonstrates the DDoSia botnet’s capability to execute specialized attacks exploiting specific server software vulnerabilities. Nginx_loris attacks are designed to keep connections open with minimal data transmission, slowly exhausting server connection pools.
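The following added example (not from SOCRadar's report; the record fields, thresholds and sample data are constructed assumptions) shows one way to spot the behaviour described above in a connection-table snapshot: long-lived connections that have delivered almost no data. Because DDoSia traffic is crowdsourced, it reports the aggregate share of the pool held by slow connections as well as per-source findings.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    src: str            # client address
    age_s: float        # seconds since the connection was accepted
    bytes_in: int       # bytes received from the client so far
    request_done: bool  # True once a complete request has been read

def find_slow_holders(conns, pool_size, min_age_s=30.0, max_rate=10.0, min_conns=20):
    """Return (per-source findings, share of the pool held by slow connections).

    A connection counts as slow when it is older than min_age_s, has not yet
    delivered a complete request, and averages at most max_rate bytes/second.
    All thresholds are illustrative assumptions.
    """
    held = defaultdict(list)
    for c in conns:
        rate = c.bytes_in / c.age_s if c.age_s > 0 else float("inf")
        if not c.request_done and c.age_s >= min_age_s and rate <= max_rate:
            held[c.src].append(c)
    findings = [{"src": src, "slow_conns": len(cs),
                 "pool_share": round(len(cs) / pool_size, 3),
                 "oldest_s": max(c.age_s for c in cs)}
                for src, cs in held.items() if len(cs) >= min_conns]
    findings.sort(key=lambda f: f["slow_conns"], reverse=True)
    # Many sources holding a few connections each never trip the per-source
    # threshold, so the aggregate share is reported as a separate signal.
    slow_total = sum(len(cs) for cs in held.values())
    return findings, round(slow_total / pool_size, 3)

def constructed_snapshot():
    """Constructed connection table for a server with 1024 connection slots."""
    conns = [Conn("203.0.113.7", 120.0, 60, False) for _ in range(40)]
    for i in range(150):  # distributed: two slow connections per source
        conns += [Conn(f"198.51.100.{i + 1}", 90.0, 45, False)] * 2
    conns += [Conn(f"192.0.2.{i + 1}", 2.0, 800, True) for i in range(50)]
    conns.append(Conn("192.0.2.200", 45.0, 200_000, False))  # slow link, real upload
    return conns, 1024

if __name__ == "__main__":
    conns, pool = constructed_snapshot()
    per_source, slow_share = find_slow_holders(conns, pool)
    print(per_source, slow_share)
```

In the constructed snapshot only one source crosses the per-source threshold, yet slow connections hold about a third of the pool, which is the signal that per-client connection limits alone would miss.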
Most Targeted Organizations
The campaign targeted a strategically selected mix of government services, critical infrastructure, financial institutions, and commercial platforms across the United Kingdom. The selection demonstrates intelligence gathering and tactical planning rather than opportunistic targeting.
United Kingdom
Top 10 Most Targeted UK Hosts:
- buckfastleigh.gov.uk (60 attacks) – Buckfastleigh Town Council, small municipal government in Devon (Government – Municipal)
- www.mossley-council.co.uk (44 attacks) – Mossley Town Council, Greater Manchester (Government – Municipal)
- www.eelga.gov.uk (40 attacks) – East of England Local Government Association, regional coordination body (Government – Regional)
- www.rail.co.uk (40 attacks) – National rail information services (Critical Infrastructure – Transportation)
- swcouncils.gov.uk (39 attacks) – South West Councils, regional local government association (Government – Regional)
- www.port-of-felixstowe.co.uk (39 attacks) – Port of Felixstowe, UK’s largest container port (Critical Infrastructure – Maritime)
- www.southamptonvts.co.uk (39 attacks) – Southampton Vessel Traffic Services, major port operations (Critical Infrastructure – Maritime)
- www.harwich-society.co.uk (39 attacks) – Harwich Society, community organization (Private Sector)
- youraccount.salford.gov.uk (36 attacks) – Salford Council digital authentication platform (Government – Digital Services)
- www.wymetro.com (36 attacks) – West Yorkshire Metro, regional transportation (Critical Infrastructure – Transportation)
Additional High-Profile Targets:
- www.blackburn.gov.uk (36 attacks) – Blackburn with Darwen Borough Council
- www.kent.gov.uk (36 attacks) – Kent County Council, major county authority
- www.britishchambers.org.uk (36 attacks) – British Chambers of Commerce, business organization
- www.workingtontowncouncil.gov.uk (36 attacks) – Workington Town Council, Cumbria
- www.poferries.com (34 attacks) – P&O Ferries, major cross-channel ferry operator
- www.theaccessbankukltd.co.uk (33 attacks) – Access Bank UK, financial institution
- www.westsussex.gov.uk (33 attacks) – West Sussex County Council
- www.salford.gov.uk (30 attacks) – Salford City Council
- oneonline.bradford.gov.uk (30 attacks) – Bradford Council digital services
- www.askthe.police.uk (21 attacks) – Police public engagement platform
- www.scotland.police.uk (21 attacks) – Police Scotland
- www.nationwide.co.uk (9 attacks) – Nationwide Building Society, major financial institution
- www.rbs.co.uk (16 attacks) – Royal Bank of Scotland
Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and organized hacktivist actors conducting sustained DDoS campaigns against NATO member states, European Union countries, and nations supporting Ukraine.

The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides several advantages: distributed attack infrastructure difficult to attribute and disrupt, plausible deniability for state involvement, and ability to mobilize thousands of volunteer participants incentivized through gamification, cryptocurrency rewards, and ideological motivation.
DDoSia Framework: The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:
- Provides a user-friendly interface for non-technical participants
- Receives centralized target lists updated multiple times daily
- Implements multiple attack vectors (TCP floods, HTTP floods, application-layer attacks)
- Includes evasion techniques to bypass basic DDoS protections
- Reports attack metrics back to central infrastructure for performance tracking
NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:
- NATO member states, particularly recent additions and strong Ukraine supporters
- European Union institutions and member states
- Countries providing military, financial, or political support to Ukraine
- Ukrainian government services and critical infrastructure
- Private sector entities in targeted countries to create economic pressure
The group has demonstrated exceptional operational persistence with:
- Regular target list updates multiple times per day
- Sustained campaigns over weeks and months
- Strategic coordination timed to geopolitical events and diplomatic developments
- Rapid adaptation to defensive measures
- Continuous recruitment of new participants
Recent Activity Patterns:
The UK-focused campaign represents a strategic shift from previous multi-country operations. Recent NoName057(16) campaigns have shown:
- December 15-21: Denmark focus (67.9% of attacks)
- December 22-28: Multi-country (Finland, France, International)
- December 29 – January 4: Germany focus (87.98% of attacks)
- January 5-11: United Kingdom focus (85.2% of attacks)
This pattern suggests rotating geographic focus to maximize pressure on multiple NATO members while preventing defensive adaptation through predictable patterns.
Key Characteristics:
- Operational Model: Volunteer-driven crowdsourced attacks via DDoSia botnet tool
- Coordination: Telegram channels for target distribution and participant recruitment
- Motivation: Pro-Russian hacktivist aligned with state geopolitical objectives
- Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris)
- Target Selection: Intelligence-driven, strategically prioritized targeting
- Persistence: Continuous operations with sustained pressure over extended periods
- Sophistication: Medium-to-high technical capability with evolving tactics
- Attribution: Plausibly deniable connection to Russian state interests
Mitigation and Recommendations
Organizations within affected sectors, particularly those in the United Kingdom and other NATO member states, should consider implementing or strengthening the following defensive measures:
Immediate Actions:
- Deploy cloud-based DDoS protection services – Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches your infrastructure
- Review and update Web Application Firewall (WAF) rules – Ensure WAF configurations can detect and block HTTP/HTTP2 flood patterns, particularly POST-based attacks
- Configure rate limiting – Implement rate limiting at multiple layers: web application, reverse proxy (nginx, Apache), load balancer, and network firewall
- Enable SYN cookies and TCP hardening – Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, and limit connection table sizes
- Establish traffic baseline monitoring – Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization
- Verify geographic redundancy – Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional attacks
Strategic Measures:
- Conduct DDoS risk assessments – Identify critical services, assess current protections, and document vulnerabilities requiring remediation
- Develop business continuity plans – Create plans accounting for extended service disruptions, including alternative service delivery methods and communication strategies
- Budget appropriately for protection – Allocate sufficient budget for DDoS protection services, infrastructure redundancy, and security personnel
- Train staff on recognition and response – Conduct regular training on recognizing DDoS attacks, following response procedures, and communicating during incidents
- Engage with information sharing communities – Participate in national CERT/CSIRT programs (NCSC for UK), sector-specific ISACs, and peer organizations to share threat intelligence
- Monitor threat intelligence feeds – Subscribe to threat intelligence services tracking NoName057(16) and DDoSia activity to receive early warning of targeting
- Evaluate cyber insurance – Review cyber insurance policies to ensure adequate coverage for DDoS-related losses, business interruption, and incident response costs
- Consider managed security services – For smaller organizations lacking in-house expertise, consider managed DDoS protection and security operations center (SOC) services
Conclusion
The NoName057(16) campaign observed between 5 and 11 January 2026 demonstrates a strategically concentrated, persistent, and technically sophisticated DDoS operation overwhelmingly focused on United Kingdom infrastructure. With 1,812 attack entries distributed across 86 unique domains and 87 unique IP addresses, this campaign represents one of the most focused single-country targeting operations observed in recent NoName057(16) activity.
Key Takeaways:
- The UK faces sustained, organized DDoS campaigns from state-aligned threat actors
- Small municipal councils and local government are as vulnerable as national infrastructure
- Critical infrastructure sectors remain high-priority targets requiring enhanced protection
- Multi-vector attacks require sophisticated, multi-layered defenses across network and application layers
- NATO member states supporting Ukraine should expect continued and potentially intensifying targeting
- Organizations at all levels must prioritize DDoS resilience measures
Given NoName057(16)’s operational history and sustained capability, similar campaigns are expected to continue, particularly during:
- Periods of significant UK military aid announcements to Ukraine
- Major diplomatic developments related to the Ukrainian conflict
- NATO or EU summit meetings and policy decisions
- UK political events that may affect Ukraine support policies
- Symbolic dates or anniversaries related to the conflict
The pattern of rotating geographic focus observed across recent campaigns (Denmark → International → Germany → United Kingdom) suggests that while the UK may not face this level of concentrated targeting continuously, periodic intense campaigns should be anticipated as part of a broader strategy to pressure multiple NATO member states sequentially.
SOCRadar will continue monitoring NoName057(16) activity and provide updated intelligence as new campaigns emerge. The intensity and focus of this campaign suggest the UK will remain a priority target in coming weeks and months as long as UK support for Ukraine continues.

