Germany & Israel Under DDoS Attacks: Weekly DDoS Threat Intelligence Analysis

Analysis Period: March 2–8, 2026

Between March 2 and 8, 2026, SOCRadar identified a sustained, coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 7,512 recorded attack entries, targeting 169 unique domains and 153 unique IP addresses, with Germany as the dominant primary target and Israel as a significant secondary front.

The campaign concentrated overwhelmingly on Germany, accounting for 65.6% of all attack entries (4,928 targets across .de domains), complemented by a substantial Israeli component at 19.7% (1,476 entries), international commercial targets at 13.7% (1,028 entries), and a small remainder across other domains (1.1%). The dual-country targeting strategy is geopolitically deliberate: Germany is NATO’s largest European economy and one of Ukraine’s primary military and financial supporters; Israel has emerged as a target of Russian-aligned operations given its Western partnerships, defence export relationships, and strategic posture in the Middle East.

The most analytically significant feature of this campaign is its unprecedented, systematic targeting of Germany’s entire public procurement ecosystem — with at least 17 separate German procurement portals attacked for a combined 974 entries (13.0% of all attack traffic). No prior NoName057(16) campaign has concentrated this volume of attack resources against a single functional category of government infrastructure. On the Israeli side, the campaign simultaneously struck defence industry, financial institutions, telecom providers, and municipal governments — a comprehensive cross-sector pressure campaign.

Executive Summary Table:

For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns across Europe and beyond, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and showcase actionable threat data.

Campaign Analysis

During the seven-day analysis period, the campaign demonstrated high and sustained operational tempo, with 27 distinct target list updates distributed across the week via Telegram channels — an average of 3.9 updates per day. Activity peaked sharply on March 3, which alone produced 2,059 entries (27.4% of the weekly total) across 6 separate update files — including three updates published within a 35-minute window between 12:35 and 13:10, and a fourth update at 16:25. March 5 also saw 7 update files in a single day, confirming a pattern of concentrated burst activity followed by sustained lower-tempo operations.

This burst pattern is consistent with reactive re-targeting behavior — updating lists in real time as targeted organisations recover, new infrastructure is identified, or geopolitical events prompt fresh target selection.

Geographic Distribution:

1. Germany (.de) accounted for 65.6% of all attack entries (4,928 attacks)
2. Israel (.il) accounted for 19.7% of all attack entries (1,476 attacks)
3. International (.com / .net) accounted for 13.7% (1,028 attacks)
4. Other (.org / .co) accounted for 1.1% (80 attacks)

This distribution reflects a concentrated dual-front campaign more focused than the immediately preceding Denmark/Greenland/Ukraine operation (which distributed attacks more evenly across three territories), but with greater breadth in sector targeting than earlier single-country campaigns. The 65.6% concentration on Germany aligns with prior NoName057(16) operations where Germany served as primary target — notably the December 2025 New Year campaign (88%) and the February 2–8 Italy/Germany campaign (29.5% in a shared-primary scenario) — but the simultaneous depth of the Israeli targeting cluster distinguishes this week as one of the group’s most strategically layered campaigns to date.

The intra-week daily breakdown reveals a clear operational rhythm: a high-intensity burst on March 3 (2,059 entries), a reduced day on March 4 (661 entries), a second burst on March 5 (1,233 entries), elevated activity on March 6 (1,536 entries), then decreasing tempo through March 7–8 (547 and 650 entries respectively). This pattern may reflect volunteer workforce cycles and coordination windows across time zones.

Targeted Sectors

The campaign demonstrated a comprehensive, multi-sector targeting strategy spanning government at all administrative levels, financial infrastructure, defence industry, procurement systems, public transit, cultural institutions, and private sector entities simultaneously across Germany and Israel.

Top Targeted Industries

Key targeted sectors included:

• Government – Municipal (Germany) (24.9%, 1,869 attacks) — Municipalities across Saxony-Anhalt, Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Thuringia, and Baden-Württemberg; including Magdeburg (state capital), Limbach-Oberfrohna, Gladbeck, Zwickau, Erfurt, Kaiserslautern, Dortmund, Ludwigshafen, Salzwedel, and many others
• Government – Procurement Portals (Germany) (13.0%, 974 attacks) — A systematic attack on Germany’s public procurement ecosystem: DTVP, eVergabe-Online, eVergabe-MV, eVergabe-NRW, Vergabemarktplatz Brandenburg, auftraege.bayern.de, bescha.bund.de, vergabe24.de, it-ausschreibung.de, oeffentlichevergabe.de, deutsches-ausschreibungsblatt.de, vergabe.rlp.de, bayvebe.bayern.de, and others
• B2B Trade & Procurement Platforms (9.1%, 686 attacks) — International procurement intelligence platforms (globaltenders.com, biddetail.com, tendersinfo.com, epicos.com), German trade and customs services (customs-broker.de, tradegatebsx.com), and related business platforms
• Government – Federal / State (Germany) (8.7%, 653 attacks) — Saxony-Anhalt State Parliament, Saxony-Anhalt State Government and Premier Reiner Haseloff’s portal, Hessen State civic participation and digital services portals, Federal Procurement Office (bescha.bund.de), Fraunhofer Institute, BaFin (Federal Financial Supervisory Authority), CDU and SPD party websites, Bundesanzeiger
• Government – Tax & Revenue (Germany) (8.5%, 635 attacks) — Hessen tax authority portal (finanzamt.hessen.de), multiple Bavarian district tax offices (Schweinfurt, Obernburg, Zeil, Würzburg, Lohr, Kitzingen, Bad Neustadt, Bad Kissingen, Aschaffenburg), and the ELSTER national tax filing portal
• Finance & Capital Markets (7.1%, 534 attacks) — German stock exchanges (Deutsche Börse, Boerse Düsseldorf, Boerse Hannover, BÖAG/Boersenag, Quotrix), Israeli banking institutions (Bank Leumi multilingual portals, Mizrahi-Tefahot, First International Bank of Israel/FIBI, Bank of Israel, Delek Group, CFI Capital)
• Other / NGO / Religious (Israel) (7.1%, 532 attacks) — A diverse cluster of Israeli civil society, religious political, agricultural, and commercial entities; including PTI, SHAS party portal, Zionut Datit, MVHR, RAF-AL, agricultural cooperatives, and regional business organisations
• Defense & Aerospace (5.5%, 410 attacks) — Elbit Systems, Rafael Advanced Defence Systems, Israel Aerospace Industries (IAI), Camtek, Aeronautics, Tadir-Gan/Tadirantele, Urban Aeronautics, Fraunhofer Institute, and Elron Ventures (defence technology investment)
• Critical Infrastructure – Transport (4.3%, 325 attacks) — Berlin public transit (Stern und Kreis ticketing shop), Hannover S-Bahn (including the frontend API endpoint), MDV Verbundgebiet ticketing portal, Israeli transit operators (Kavim, Electra Afikim, Israel Railways)
• Israeli Municipalities (4.1%, 309 attacks) — Rosh HaAyin, Eilat, Akko, Abugosh, Efrat, Lod, Arraba, Ariel
• Government – Digital Services (Israel) (3.8%, 282 attacks) — Israeli e-government portal (ecom.gov.il), MyBenefits welfare portal, Galil regional digital services (go.galil.gov.il), TazKirim memorial portal, Civil Aviation Authority (CAA/IAA), Israel Space Agency, and eCourts
• Culture & Media (3.8%, 282 attacks) — Moritzburg Art Museum Foundation (Halle, Saxony-Anhalt), Jerusalem Post, Maariv, Sting TV, Besheva, Kul Al-Arab, and PTI cultural portal
• Telecom (1.7%, 125 attacks) — Bezeq International (Israeli national telecoms), Cellcom, HOT Mobile, 018, We-Com
• Energy & Water (Israel) (1.5%, 110 attacks) — Israel Electric Corporation (IEC), Mekorot (national water company), Bazan Group (oil refining), Cargal

Attack Techniques and Methods

The campaign employed a multi-vector attack strategy combining network-layer volumetric floods with application-layer techniques, consistent with the DDoSia toolset’s documented capabilities.

Attack Types Distribution:

• GET Flood: 1,751 entries (23.3%)
• SYN Flood: 1,668 entries (22.2%)
• ACK Flood: 984 entries (13.1%)
• SYN-ACK Flood: 942 entries (12.5%)
• POST Flood: 933 entries (12.4%)
• UDP Flood: 727 entries (9.7%)
• PING / ICMP Flood: 474 entries (6.3%)
• Other / Unclassified: 33 entries (0.4%)

Port Targeting Distribution:

• Port 443 (HTTPS): 5,473 attacks (72.9%) — dominant target
• Port 80 (HTTP): 1,500 attacks (20.0%)
• Port 21 (FTP): 105 attacks (1.4%)
• Port 53 (DNS): 69 attacks (0.9%)
• Port 22 (SSH): 63 attacks (0.8%)
• Ports 993, 995, 587, 3306, 110, 465, 25: remaining 1.3% combined

The attack profile reveals several notable characteristics. The near-equal split between GET floods (23.3%) and SYN floods (22.2%) is a hallmark DDoSia dual-layer approach — maintaining simultaneous pressure at both the network infrastructure and web application layers. The elevated POST flood share (12.4%) — higher than in the preceding Denmark/Greenland/Ukraine campaign — reflects the high proportion of form-based targets in this campaign, particularly procurement portals, government citizen service portals, and authenticated tax filing platforms where POST-heavy request patterns can overwhelm application logic and session management.

The nginx_loris component (9.6%) targets web servers with slow-connection attacks that exhaust connection pool limits without generating high bandwidth, making them harder to detect and mitigate via simple volumetric thresholds alone. The HTTPS dominance (72.9%) demonstrates the campaign’s deliberate focus on encrypted production services — these cannot simply be disabled as a mitigation measure without taking services fully offline, increasing the cost of defensive response.

Most Targeted Organizations

Germany

The German target set was geographically diverse but with notable concentration in Saxony-Anhalt — a pattern that appears in multiple NoName057(16) campaigns given the state’s symbolic significance (Premier Reiner Haseloff’s own website was targeted alongside the state parliament, state government portal, and 9+ municipalities within the state).

Top Targeted German Hosts:

The targeting of Magdeburg (136 entries) carries specific symbolic weight: the city was the site of the December 2024 Christmas market car attack. Its inclusion as a high-priority target appears designed to amplify the psychological and civic impact of an already traumatised community, by disrupting the official city portal’s availability during the ongoing period of recovery and political sensitivity.

The procurement ecosystem attack — 17 separate platforms hit with 974 combined entries — is unprecedented in scope for a single functional category. These platforms collectively handle a significant share of Germany’s annual government contracting volume across federal, state, and municipal levels. Simultaneous disruption of multiple platforms could delay tenders, stall public works contracts, and interrupt defence procurement processes across the country.

The Bavarian tax office cluster (6 district tax offices plus finanzamt.hessen.de and the ELSTER national portal — 447 combined entries) signals deliberate pressure on Germany’s revenue administration infrastructure, particularly during the March tax filing period.

Israel

The Israeli target set is structured around two strategic pressure points: defence production and financial stability.

Top Targeted Israeli Hosts:

The defence industry cluster — Elbit Systems (45), Rafael (18), IAI (24), Aeronautics (4), Tadirantele (30), Urban Aeronautics (18) — collectively represents four of Israel’s largest defence exporters and several emerging unmanned systems and electronics companies. Targeting these at the application layer disrupts investor relations portals, procurement interfaces, and public-facing communications during a period of elevated scrutiny of Israel’s defence export relationships.

The Bank of Israel (boi.org.il, 11 entries) is a strategically significant target: as the central bank and financial regulatory authority, its public availability signals institutional confidence. Combined attacks on Bank Leumi (multilingual portals: English, Arabic, Russian — 32 combined entries), Mizrahi-Tefahot (9), First International Bank/FIBI (7), and CFI Capital (6) represent a deliberate attempt to create visible disruption across Israel’s entire retail banking sector simultaneously.

The targeting of Arab-Israeli municipal portals — Um el-Fahm (56), Abugosh (46), Arraba (26) — alongside Jewish-Israeli municipalities (Eilat, Akko, Rosh HaAyin, Lod, Ariel) reflects comprehensive coverage across Israel’s demographic and geographic landscape, maximising the breadth of public-facing disruption.

Threat Actor Overview: NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and organised hacktivist actors conducting sustained DDoS campaigns against NATO member states, European Union countries, and nations supporting Ukraine.

The group operates through a crowdsourced, volunteer-driven model using the custom DDoSiabotnet framework distributed via Telegram channels. This operational model provides distributed attack infrastructure that is difficult to attribute and disrupt, plausible deniability for state involvement, and the ability to mobilise thousands of volunteer participants incentivised through gamification, leaderboards, and cryptocurrency rewards. DDoSia clients operate on volunteer-owned hardware, generating a geographically dispersed attack surface that resists traditional IP-based blocking.

NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting that reflects real-time responsiveness to news events, political developments, and international relations — as demonstrated by this campaign’s timing alongside continued international discussions of arms supply to Ukraine and Germany’s leadership role in coordinating European defence support.

Campaign Evolution — Recent Context:

This sequence demonstrates a systematic geographic rotation strategy — maintaining persistent multi-front European operations while concentrating the majority of attack volume on a rotating primary target. The return to Germany as a dominant primary target (after the Dec 2025/Jan 2026 and Feb 2–8 campaigns) suggests either continuous standing interest in German infrastructure or reactive prioritisation based on German political developments — potentially linked to ongoing parliamentary debates around Ukraine support and arms supply commitments in February–March 2026.

The simultaneous addition of Israel as a significant secondary target (19.7%) is a notable development in the group’s operational pattern. This is one of the highest-proportion Israeli targeting shares observed in a NoName057(16) campaign and reflects the group’s expanding geopolitical scope beyond its traditional European NATO focus.

Mitigation and Recommendations

Organisations identified in this target list — or operating in sectors and countries consistent with NoName057(16) targeting patterns — should take the following defensive actions:

Immediate Actions:

Activate DDoS mitigation services immediately for all web-facing properties, prioritising HTTPS (port 443) and HTTP (port 80) services, which account for 92.9% of all attack port targeting in this campaign. Enable TCP SYN flood protection at the network perimeter. Deploy Web Application Firewall (WAF) rules specifically tuned for high-rate GET flood (23.3%) and POST flood (12.4%) patterns — the POST flood share in this campaign is notably elevated, reflecting the high proportion of form-based portal and authenticated service targets.

Procurement and Government Portal Operators:

German public procurement portals — which collectively received 974 attack entries across 17 separate platforms — should implement connection-rate throttling, CAPTCHA verification on authenticated endpoints, and session-based rate limits on form submissions. Operators should additionally coordinate with BSI to share infrastructure details and receive campaign-specific mitigation guidance. Consider temporary geographic IP filtering if attack traffic is coming from identifiable ranges.

Technical Countermeasures:

• Deploy CDN-based traffic scrubbing for all critical web properties to absorb volumetric GET/SYN floods upstream
• Tune server connection pool limits and timeout parameters to counter nginx_loris slow-connection attacks (9.6% of attack types), which exploit server connection exhaustion without triggering high bandwidth thresholds
• Enable IP reputation filtering using known DDoSia infrastructure and botnet ranges — SOCRadar’s IOC Radar provides continuously updated intelligence on DDoSia-associated IPs
• Consider anycast routing for critical domains to distribute volumetric attack load across geographic nodes
• For Israeli defence and financial institutions: prioritise application-layer WAF coverage on investor relations portals, authenticated banking sessions, and public procurement/tendering interfaces

Coordination and Notification:

German organisations should engage BSI (Bundesamt für Sicherheit in der Informationstechnik) for incident reporting, IOC sharing, and coordinated response. Israeli organisations should contact INCD (Israel National Cyber Directorate) and share incident details. Saxony-Anhalt state entities should additionally coordinate through the state CERT. Share indicators of compromise through relevant sector ISACs and information sharing partnerships.

Monitor NoName057(16)’s DDoSia Telegram channels through authorised threat intelligence platforms such as SOCRadar for updated target lists and campaign developments. Target lists are updated multiple times per day, and early awareness of new targets provides a critical window for proactive defensive preparation.

Conclusion

The March 2–8, 2026 NoName057(16) DDoSia campaign represents one of the group’s most operationally diverse and strategically layered operations in recent history. The campaign’s scale — 7,512 attack entries across 169 unique domains, 27 target list updates over seven days — demonstrates the group’s sustained and growing operational capacity.

The systematic targeting of Germany’s public procurement ecosystem — 17 separate platforms handling billions of euros in annual government contracting — is the most analytically significant development in this campaign and a novel escalation in the group’s infrastructure disruption strategy. No prior NoName057(16) operation has so comprehensively targeted a single functional category of government digital infrastructure across an entire country simultaneously.

The Israeli target cluster is the campaign’s second major analytical finding. The coordinated pressure on Elbit Systems, Rafael, IAI, and other defence exporters alongside Bank of Israel, Bank Leumi, and multiple retail banks represents a deliberate attempt to simultaneously degrade both Israel’s defence production communications and its financial sector’s public-facing availability. The breadth of Israeli municipal targeting — covering Arab-Israeli, mixed, and Jewish-Israeli cities — underscores comprehensive intelligence preparation ahead of the campaign.

As NoName057(16) continues its weekly campaign rotation, the March 2–8 operation reinforces that no single European or Western-aligned nation can consider itself a low-priority target for extended periods. Germany — which has now appeared as a primary or significant secondary target in at least four campaigns since December 2025 — represents a persistent strategic objective for the group, consistent with its role as NATO’s largest European economy and Ukraine’s leading continental military supporter.

This analysis is based on DDoSia target list data collected from public Telegram channels and processed by SOCRadar’s Threat Intel Team. All data is used for defensive cybersecurity intelligence purposes. For continuous monitoring, visit SOCRadar Labs DDoS Intelligence Dashboard.