Denmark, Greenland, and Ukraine Under DDoS Assault: Weekly DDoS Threat Intelligence Analysis

Analysis Period: February 23 – March 1, 2026

Between February 23 and March 1, 2026, SOCRadar identified a sustained, coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 6,649 recorded attack entries, targeting 126 unique domains and 135 unique IP addresses, with a deliberate multi-country focus spanning Denmark, Greenland, and Ukraine.

The campaign concentrated primarily on Denmark, accounting for 41.4% of all attacks (2,754 entries), followed by Ukraine at 22.8% (1,518 attacks), Greenland at 19.3% (1,284 attacks), and international commercial domains at 16.4% (1,093 attacks). The simultaneous and equally weighted targeting of all three territories is strategically significant: Denmark is a NATO founding member and strong Ukraine supporter; Greenland is an autonomous Danish territory that has become the subject of intense Arctic sovereignty debates in early 2026; and Ukraine remains the primary front in Russia’s ongoing military conflict.

The majority of attacks targeted government infrastructure across all administrative levels (approximately 44% of all attack entries), complemented by significant targeting of Ukrainian defense industry companies (10.7%), tourism and travel infrastructure (11.1%) — particularly across Greenland’s Arctic economy — and critical transportation infrastructure (9.5%).

Executive Summary Table:

For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns across Europe, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and showcase actionable threat data.

Campaign Analysis

During the seven-day analysis period, the campaign demonstrated high operational tempo and geographic breadth, with target list updates distributed multiple times per day through Telegram channels. The campaign generated 23 distinct target list updates over seven days — averaging more than three updates per day — with notably concentrated burst activity on February 26–27, when six separate updates were published within a 24-hour window.

Geographic Distribution:

1. Denmark accounted for 41.4% of all attack entries (2,754 attacks)
2. Ukraine accounted for 22.8% of all attack entries (1,518 attacks)
3. Greenland accounted for 19.3% of all attack entries (1,284 attacks)
4. International (.com / .net / .company) accounted for 16.4% (1,093 attacks)

Attack Count by Target Country / TLD

This distribution reflects a three-pronged strategic targeting posture unique among recent NoName057(16) campaigns. Rather than the concentrated single-country pressure seen in earlier operations against Poland (67.1%) or Czechia (74.6%), this campaign distributes attack volume more evenly across three geopolitically interconnected territories. The inclusion of Greenland — a territory not previously featured prominently in DDoSia campaigns — alongside Denmark and Ukraine signals that the threat actor is actively tracking and responding to real-time geopolitical developments, including the Arctic sovereignty discourse that intensified in early 2026.

The intra-day burst activity on February 26–27 (six target list updates) suggests reactive targeting behavior — potentially adjusting lists in response to targets coming back online or incorporating newly identified infrastructure.

Targeted Sectors

The campaign demonstrated a comprehensive, multi-sector targeting strategy affecting government, critical infrastructure, defense industry, media, education, and tourism entities simultaneously across three countries and multiple international commercial targets.

Attack Distribution by Industry

Key targeted sectors included:

• Government – Federal/National (16.2%) — Danish national ministries, courts, the prosecution service, Greenland’s government portals and statistics bureau
• Government – Regional (12.3%) — Ukrainian oblast administrations in active conflict zones (Zaporizhzhia, Luhansk, Dnipropetrovsk, Poltava, Vinnytsia, Sumy) and Denmark’s North Jutland region
• Government – Municipal (12.2%) — Danish municipalities across the country (Horsens, Gentofte, Rudersdal, Næstved, Hillerød, Roskilde and others)
• Tourism & Travel (11.1%) — Greenlandic Arctic tourism operators, visit portals, expedition services, and Air Greenland
• Defense Industry — Ukraine (10.7%) — Ukrainian military-industrial suppliers, drone manufacturers, vehicle producers, and defense-related private sector companies
• Critical Infrastructure – Transportation (9.5%) — Danish State Railways (DSB), Midtjyllands Airport, Danish Ports, Port of Kalundborg, Greenland Pilot Service, Diskoline ferry operator, Sikuki Nuuk Harbour
• Media & Broadcasting (5.8%) — Danish Broadcasting Corporation (DR), Greenland’s national broadcaster KNR, Nanoq Media
• Critical Infrastructure – Telecom (5.0%) — BWS broadband, NTG Telecom, Systemtm
• Education (3.1%) — University of Southern Denmark (SDU), Aarhus University, Aalborg University
• E-commerce & Retail (3.9%) — DBA.dk, PostNord Denmark, Arla Foods, and online retail platforms
• Political Parties (0.9%) — Danish political party websites (SF, Conservative Party, Radical Left)
• Critical Infrastructure – Energy (0.9%) — Energinet (Denmark’s national electricity grid operator), Ørsted

The heavy targeting of Ukrainian regional and military administrations (particularly front-line oblasts) reflects the group’s ongoing parallel pressure on Ukraine’s wartime governance capacity. The targeting of Greenland’s entire tourism economy — from the national visit portal down to individual water taxi operators and expedition companies — demonstrates systematic cataloging of a small territory’s complete digital infrastructure.

Attack Techniques and Methods

NoName057(16) employed a sophisticated multi-vector attack strategy, combining transport-layer volumetric floods with application-layer exhaustion techniques to increase complexity and bypass single-layer defenses.

Attack Methods Distribution

Most common methods observed:

• HTTP GET Flood attacks (31.6% — 2,103 attacks)
• TCP SYN Flood attacks (22.0% — 1,465 attacks)
• UDP Flood attacks (8.8% — 583 attacks)
• TCP ACK Flood attacks (11.0% — 730 attacks)
• HTTP POST attacks (8.5% — 568 attacks)
• PING / ICMP attacks (7.2% — 482 attacks)
• TCP SYN-ACK Flood (10.0% — 668 attacks)

The dominant use of HTTP GET floods (31.6%) signals a deliberate focus on overwhelming web application layers — the layer most directly experienced by citizens attempting to access government portals, information services, and online tools. Combined with HTTP POST attacks (8.5%), application-layer methods accounted for over 40% of all attack entries.

Transport-layer attacks (SYN, ACK, SYN-ACK, UDP combined) comprised approximately 51.8% of all entries, demonstrating the DDoSia framework’s capability to pursue simultaneous multi-layer pressure. The balanced split between application-layer and network-layer vectors significantly increases the complexity of defensive response, requiring organizations to maintain both network-perimeter and application-layer protections simultaneously.

Attack Types Distribution:

Attack Types Distribution

• TCP-layer attacks: 3,345 entries (50.3%)
• HTTP/2 attacks: 1,768 entries (26.6%)
• Nginx Loris (slow-connection) attacks: 614 entries (9.2%)
• HTTP/1.1 attacks: 775 entries (11.7%)
• HTTP/3 attacks: 132 entries (2.0%)
• UDP attacks: 15 entries (0.2%)

The nginx_loris component (9.2%) is particularly notable. Nginx loris attacks keep connections to the server open with minimal data transfer, progressively exhausting connection pools rather than overwhelming bandwidth. These attacks are especially effective against inadequately tuned web servers and can cause outages with relatively few attacking machines, making them resource-efficient for the DDoSia botnet.

The presence of HTTP/3 attacks (2.0%), while minor in volume, indicates the group’s ongoing adaptation to emerging protocols and the willingness to probe cutting-edge infrastructure vectors.

Port Targeting:

• Port 443 (HTTPS): 4,715 attacks — 70.9% of all entries
• Port 80 (HTTP): 1,426 attacks — 21.4%
• Port 22 (SSH): 114 attacks — 1.7%
• Port 21 (FTP): 70 attacks — 1.1%
• Other ports: 324 attacks — 4.9%

The overwhelming concentration on port 443 (HTTPS) confirms the campaign’s primary objective of disrupting encrypted citizen-facing web services — government portals, e-services platforms, and authentication systems — rather than targeting underlying infrastructure. The secondary SSH and FTP targeting (2.8% combined) suggests opportunistic probing alongside the primary DDoS campaign.

Most Targeted Organizations

The campaign targeted a strategically selected cross-section of government, critical infrastructure, defense, and economic entities across three countries. The selection demonstrates organized intelligence gathering and deliberate prioritization rather than random or opportunistic targeting.

Top 10 Targeted IP Addresses — Attack Count

Denmark (Primary Target — 41.4%)

Danish targets spanned the full administrative hierarchy from national government and courts down to individual municipalities, encompassing justice, defense, transport, energy, media, education, and retail sectors.

Top Most Targeted Danish Organizations:

1. www.dmi.dk (198 attacks) — Danish Meteorological Institute (Government – Federal/National)
   • Strategic Reason: The DMI provides national weather forecasting, marine weather services, and climate data critical to Denmark’s shipping sector and Arctic operations. Disruption of the DMI could impair maritime safety communications, particularly significant given Denmark’s role as a major shipping nation and Greenland’s weather-dependent transport network.
2. danskehavne.dk (140 attacks) — Danish Ports Association (Critical Infrastructure – Maritime)
   • Strategic Reason: The national association coordinating all Danish port operations represents a critical node in NATO’s Baltic Sea supply chain. Disruption affects port logistics at a time when Baltic Sea shipping corridors are of heightened strategic importance.
3. anklagemyndigheden.dk (130 attacks) — Danish Prosecution Service (Government – Federal/National)
   • Strategic Reason: Targeting the national public prosecution authority attacks the rule-of-law infrastructure of Danish society. The Prosecution Service oversees criminal cases including national security matters, making it a symbolically and operationally significant target.
4. horsens.dk (100 attacks) — Municipality of Horsens (Government – Municipal)
   • Strategic Reason: Part of a broad pattern of pressure on Danish municipal governments, demonstrating the threat actor’s comprehensive cataloging of Danish public sector web infrastructure at every administrative level.
5. www.sdu.dk (88 attacks) — University of Southern Denmark (Education)
   • Strategic Reason: Denmark’s second-largest university, targeting educational institutions signals intent to disrupt research collaboration and academic services that support Danish civil society and international knowledge partnerships.
6. www.dr.dk (84 attacks) — Danish Broadcasting Corporation / DR (Media – Public Broadcaster)
   • Strategic Reason: DR is Denmark’s primary public broadcaster and a key channel for emergency communications and public information. Disrupting the national broadcaster is a classic psychological warfare tactic designed to sow uncertainty and undermine the public’s access to authoritative news.
7. www.dsb.dk (22 attacks) — Danish State Railways (Critical Infrastructure – Transportation)
   • Strategic Reason: DSB operates Denmark’s national railway network. Disruption of online rail services, ticket booking, and passenger information has direct cascading effects on national mobility.
8. energinet.dk (7 attacks) — Energinet (Critical Infrastructure – Energy)
   • Strategic Reason: Energinet operates Denmark’s national electricity and gas transmission systems. Even low-frequency targeting of energy infrastructure operators carries strategic significance given the potential for reputational and operational disruption.

Additional notable Danish targets included: the Danish Ministry of Defence (www.forsvaret.dk), the Ministry of Transport (www.transportministeriet.dk), the Danish Bar and Law Society (advokatsamfundet.dk), immigration portals (nyidanmark.dk, workindenmark.dk), and Danish political party websites — collectively demonstrating a deliberate attempt to stress every layer of Danish public life simultaneously.

Greenland (Secondary Target — 19.3%)

Greenland’s targeting was uniquely comprehensive, effectively covering the entire digital footprint of an autonomous territory of approximately 56,000 people. The breadth and specificity of Greenlandic targets — from the government portal to individual water taxi operators — indicates prior reconnaissance and deliberate selection rather than bulk targeting.

Top Most Targeted Greenlandic Organizations:

1. isg.gl (147 attacks) — Greenland Self-Government Digital Services Portal (Government – Federal)
   • Strategic Reason: The primary gateway for Greenlandic government services, isg.gl serves as the digital front door to Greenland’s autonomous government. Given heightened geopolitical discourse about Greenland’s sovereignty in early 2026, targeting its central government portal carries significant symbolic and practical weight.
2. www.stamps.gl (105 attacks) — Greenland Post / Stamps (Government – Postal Services)
   • Strategic Reason: Greenland Post operates the territory’s postal and logistics network, with physical delivery being particularly critical in remote communities. Digital disruption of its services affects administrative and commercial communications across the territory.
3. www.knr.gl (105 attacks) — Kalaallit Nunaata Radioa / KNR (Media – National Broadcaster)
   • Strategic Reason: KNR is Greenland’s only national broadcaster, serving as the primary source of news, public information, and emergency communications across all settlements, including remote areas accessible only by air or sea. Disrupting it mirrors the targeting of DR in Denmark — attacking the information backbone of public life.
4. www.ral.gl / ral.gl (126 attacks combined) — Royal Arctic Line (Critical Infrastructure – Maritime Shipping)
   • Strategic Reason: Royal Arctic Line operates the only year-round container shipping service to Greenland, connecting the island with Denmark and international supply chains. Disruption of this logistics operator has direct supply security implications for the territory.
5. www.banken.gl (98 attacks) — Bank of Greenland (Finance)
   • Strategic Reason: The Bank of Greenland is the primary financial institution serving the territory. Disrupting banking services in a territory with limited alternative financial infrastructure causes disproportionate societal impact.
6. govmin.gl (91 attacks) — Greenland Government Ministries Portal (Government – Federal)
   • Strategic Reason: The central portal for Greenland’s ministerial functions. Combined with the isg.gl targeting, this constitutes a coordinated attempt to disrupt Greenland’s governmental digital presence at multiple access points.
7. www.airports.gl (48 attacks) — Greenland Airports (Critical Infrastructure – Transportation)
   • Strategic Reason: In a territory where air transport is the primary means of inter-community connection, disrupting the national airports authority directly affects mobility, emergency response logistics, and supply chains to remote settlements.
8. Air Greenland (airgreenland.com + e-commerce.airgreenland.com, 65 combined attacks) — National Airline (Critical Infrastructure – Aviation)
   • Strategic Reason: Air Greenland is Greenland’s sole domestic airline, operating essential connections to remote communities with no road or sea alternatives during winter months.

The full scope of Greenlandic targets also included tourism operators (traveltrade.visitgreenland.com, visitgreenland.com, arcticexcursions.com, eastgreenland.com, expeditionsgreenland.gl), the Nuuk Water Taxi service, Diskoline ferry operator, Greenland’s statistics bureau (stat.gl), Nanoq Media news portal, and the Greenlandic maritime pilot service — demonstrating a systematic attempt to simultaneously disrupt governance, communications, logistics, financial services, and economic activity across the entire territory.

Ukraine (Parallel Target — 22.8%)

Ukrainian targets were concentrated in active conflict zones, with the campaign primarily focusing on regional and local military administrations along or near the front line. This targeting pattern is consistent with NoName057(16)’s established strategy of applying parallel digital pressure on Ukrainian governmental capacity during active hostilities.

Top Most Targeted Ukrainian Organizations:

1. zp.gov.ua (171 attacks) — Zaporizhzhia Oblast State Administration (Government – Regional)
   • Strategic Reason: Zaporizhzhia Oblast is an active front-line region and home to the Zaporizhzhia Nuclear Power Plant, the largest in Europe. Disrupting the regional administration — which coordinates civilian evacuation, emergency response, and civil-military cooperation — carries direct operational significance.
2. mariupolrada.gov.ua (152 attacks) — Mariupol City Council (Government – Municipal)
   • Strategic Reason: Mariupol was captured by Russian forces in May 2022 and remains under occupation. The Ukrainian government-in-exile council for Mariupol maintains legal and symbolic continuity of Ukrainian governance over the city. Targeting it represents an attempt to delegitimize this continuity and erase Ukrainian institutional presence over occupied territory.
3. loga.gov.ua (144 attacks) — Luhansk Oblast Regional Administration (Government – Regional)
   • Strategic Reason: Luhansk Oblast is another front-line region, almost entirely under Russian occupation with continued armed conflict along its administrative borders. Targeting the administration-in-exile amplifies pressure on Ukrainian wartime governance.
4. www.vmr.gov.ua (135 attacks) — Vinnytsia Regional Military Administration (Government – Regional)
   • Strategic Reason: Vinnytsia, in central Ukraine, hosts critical military and civil defense coordination infrastructure. The city was the site of a major Russian missile strike in 2022 that killed civilians, and the regional military administration plays a key role in air defense and civil protection coordination.
5. smr.gov.ua (120 attacks) — Sumy Oblast Military Administration (Government – Regional)
   • Strategic Reason: Sumy Oblast shares a border directly with Russia and has been subject to cross-border incursions and shelling. Disrupting the local military administration during active border incidents has direct tactical implications beyond the symbolic.
6. adm.dp.gov.ua (117 attacks) — Dnipropetrovsk Oblast Administration (Government – Regional)
   • Strategic Reason: Dnipro is a major industrial and logistics hub for Ukraine’s war effort, hosting key defense industry facilities and serving as a rear-area military logistics center.
7. www.rada-poltava.gov.ua (112 attacks) — Poltava Regional Council (Government – Regional)
   • Strategic Reason: Poltava is a logistics and administrative hub in central Ukraine, and its regional council coordinates civilian governance and resource allocation that supports front-line communities.

The Ukrainian target set also included a substantial cluster of defense industry and security-related private sector companies: manufacturers of armored vehicles (www.autokraz.com.ua), drone and UAV components, telemetry systems, electronic warfare equipment, and defense-related IT services. This targeting of Ukraine’s military-industrial supply chain represents an effort to disrupt the production and coordination networks supporting Ukraine’s defense capacity — targeting the private sector companies that supply the Ukrainian military rather than military infrastructure directly.

Threat Actor Overview: NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. Over the intervening years, the group has established itself as the most persistent and prolific hacktivist actor conducting coordinated DDoS campaigns against NATO member states, European Union institutions, and nations providing military, political, or financial support to Ukraine.

Threat actor card of NoName057(16)

The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework, distributed and coordinated via Telegram channels with tens of thousands of subscribers. This model provides significant operational advantages: a highly distributed attack infrastructure that is difficult to attribute and disrupt, plausible deniability for state involvement, and the ability to rapidly mobilize volunteer participants motivated by both ideological alignment and gamified incentive systems including cryptocurrency rewards and public leaderboards.

DDoSia Framework

The DDoSia tool serves as the technical backbone of NoName057(16) operations:

• Centralized target lists updated multiple times daily via Telegram distribution
• Implements multiple attack vectors simultaneously: TCP SYN/ACK floods, HTTP GET/POST floods, UDP floods, slow-connection (nginx_loris) attacks, and ICMP floods
• User-friendly deployment enabling non-technical volunteers to participate
• Evasion techniques designed to bypass standard rate-limiting and IP-based defenses
• Distributed attack coordination across thousands of volunteer endpoints globally
• Performance reporting and leaderboard gamification to sustain volunteer engagement

Geopolitical Alignment

NoName057(16) operations consistently and demonstrably align with Russian geopolitical objectives. Targeting priorities include NATO member states — particularly those providing significant military aid to Ukraine — European Union institutions, Ukrainian government and military infrastructure, and private sector entities in targeted countries designed to create economic pressure. The group has also demonstrated a pattern of themed campaigns coordinated with specific geopolitical moments: attacking Olympic committees around international sporting event announcements, targeting border regions during diplomatic negotiations, and intensifying pressure on countries immediately following high-profile military aid commitments.

This campaign’s inclusion of Greenland is particularly illustrative of this reactive, event-driven targeting logic. The early 2026 period saw significant public debate about Greenland’s geopolitical status and Arctic sovereignty, and NoName057(16)’s comprehensive targeting of Greenlandic infrastructure — spanning government, media, transport, finance, and tourism — is consistent with a deliberate effort to amplify pressure on Denmark-Greenland governance at a politically sensitive moment.

Recent Activity Patterns

This campaign follows NoName057(16)’s recent trajectory of expanding geographic scope in individual operations. Previous campaigns in the January–February 2026 window targeted Czechia (74.6% concentration, 5,095 attacks over seven days) and a multi-country campaign covering Italy, Germany, Austria, and Finland (8,101 attacks, 24 target list updates). The Denmark/Greenland/Ukraine campaign represents a continuation of this high operational tempo, with the addition of Greenland as a novel target territory reflecting the group’s responsiveness to evolving geopolitical circumstances.

Mitigation and Recommendations

Organizations identified in this target list — or operating in sectors and countries consistent with NoName057(16) targeting patterns — should take the following defensive actions:

Immediate Mitigations:

• Activate DDoS mitigation services immediately for all web-facing properties, with priority on HTTPS (port 443) and HTTP (port 80) services, which account for 92.3% of attack port targeting in this campaign.
• Rate-limit and challenge HTTP GET and POST requests at the WAF layer, as GET and POST floods combined account for 40.1% of all attack methods observed.
• Enable TCP SYN flood protection at the network perimeter using SYN cookies or equivalent mechanisms; TCP SYN floods alone represent 22.0% of attack entries.
• Configure connection limits to counter nginx_loris slow-connection attacks, which accounted for 9.2% of attack type entries and are disproportionately effective against improperly tuned web servers.

Technical Countermeasures:

• Deploy CDN-based traffic scrubbing for all critical web properties to absorb volumetric floods before they reach origin infrastructure.
• Implement IP reputation filtering using known DDoSia botnet ranges; coordinated IOC sharing through national CERTs and sector ISACs is recommended.
• Consider anycast routing architecture to geographically distribute attack load and prevent single-point overwhelm.
• Ensure connection pool and timeout parameters are tuned to mitigate slow-connection attack effectiveness.

Notification and Coordination:

• Danish organizations should engage with CFCS (the Danish Centre for Cyber Security) and report targeting to the national incident coordination framework.
• Ukrainian organizations should engage with CERT-UA for incident reporting, threat intelligence sharing, and coordinated defensive response.
• Greenlandic organizations should coordinate with the Danish CFCS as Greenland’s digital infrastructure sits within the Danish cybersecurity governance framework.
• All targeted organizations should monitor the DDoSia Telegram channels through authorized threat intelligence platforms such as SOCRadar for updated target lists and campaign developments.

Conclusion

The February 23 – March 1, 2026 NoName057(16) DDoSia campaign represents a strategically sophisticated multi-country operation targeting three geopolitically interconnected territories simultaneously. The campaign’s scope — 6,649 attack entries across 126 unique domains, 23 target list updates over seven days — demonstrates the group’s sustained operational capacity and the continuing maturation of the DDoSia volunteer mobilization model.

The inclusion of Greenland as a primary target territory is the most analytically significant development in this campaign. Greenland’s comprehensive targeting — spanning governance, media, banking, aviation, maritime shipping, and tourism — reflects the threat actor’s active intelligence gathering and responsiveness to the Arctic geopolitical discourse of early 2026. Organizations across Greenland with limited dedicated cybersecurity resources face disproportionate exposure to DDoSia-scale attacks compared to better-resourced targets in mainland Denmark.

The parallel targeting of Ukrainian front-line military administrations and defense industry suppliers alongside Danish and Greenlandic government and critical infrastructure demonstrates NoName057(16)’s continued commitment to simultaneously pressuring both NATO member states and Ukraine’s wartime governance and defense production capacity.

If you would like a more detailed report on this DDoS campaign or require customized threat intelligence for your organization, contact [email protected].

SOCRadar continues our commitment to protecting European organizations with enhanced DDoS threat intelligence capabilities. We are continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns targeting Europe.

Access Free DDoS Intelligence