Italy and Germany Under DDoS Assault: Weekly DDoS Threat Intelligence Analysis
Analysis Period: February 2–8, 2026
Between February 2 and 8, 2026, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 8,101 recorded attack entries, targeting 160 unique domains and 186 unique IP addresses across multiple countries, with an overwhelming concentration on Italy and Germany.
The activity focused primarily on Italy, accounting for 42.9% of all attacks (3,475 targets), complemented by significant attacks against Germany (29.5%), Austria (2.2%), and numerous commercial and international domains (25.4%). This represents one of the most geographically diverse campaigns observed in recent NoName057(16) operations, demonstrating strategic expansion across multiple NATO member states and EU countries simultaneously.
The majority of attacks targeted government infrastructure at all administrative levels (38%), complemented by significant targeting of sports and Olympic organizations (24%), and critical infrastructure (18%) including metropolitan transit systems, water utilities, and transportation networks.
Executive Summary Table:
| Analysis Period | February 2–8, 2026 |
| Total Attack Entries | 8,101 |
| Unique Domains Targeted | 160 |
| Unique IP Addresses | 186 |
| Primary Countries | Italy (42.9%), Germany (29.5%), Austria (2.2%), Finland (1.7%) |
| Most Targeted Port | 443 (HTTPS) – 69.1% of attacks |
| Threat Actor | NoName057(16) |
| Attack Tool/Project | DDoSia |
For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns across Europe, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and showcase actionable threat data.
Campaign Analysis
During the seven-day analysis period, the campaign demonstrated unprecedented geographic diversity and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s multi-national focus represents an evolution in NoName057(16)’s strategy from concentrated single-country pressure campaigns to simultaneous multi-country operations designed to maximize strain on defensive resources across NATO’s alliance structure.
Geographic Distribution:
- Italy accounted for 42.9% of all attack entries (3,475 attacks)
- Germany comprised 29.5% (2,391 attacks)
- Commercial/International domains comprised 15.8% (1,278 attacks)
- Austria received 2.2% of attacks (176 attacks)
- Ukraine received 1.9% of attacks (155 attacks)
- Finland received 1.7% of attacks (136 attacks)
- Other European domains received 6.0% of attacks (484 attacks)

Distribution by Country (SOCRadar DDoS Threat Intelligence)
This distribution reflects a highly diversified targeting strategy aimed primarily at multiple NATO member states simultaneously. The concentration on Italian and German infrastructure (72.4% combined) establishes them as primary targets, while maintaining pressure on Austria, Finland, and Ukraine demonstrates capability to sustain high-volume attacks across diverse geographic and organizational targets.
The sustained nature of attacks over seven consecutive days (February 2-8) with twenty-four distinct target list updates indicates highly coordinated operational planning and substantial infrastructure resources. The timing suggests strategic coordination with broader geopolitical developments affecting NATO cohesion and Ukraine support commitments.
Targeted Sectors
The campaign demonstrated a comprehensive multi-sector targeting strategy affecting government, critical infrastructure, sports organizations, and private sector institutions simultaneously across multiple countries.

Distribution by Industry (SOCRadar DDoS Threat Intelligence)
Key targeted sectors included:
- Government & Public Sector (38%) – Federal/national agencies, regional authorities, municipal councils (particularly 74+ municipalities in Valle d’Aosta, Italy)
- Sports & Olympic Organizations (24%) – National Olympic committees (Finland, Germany, Austria), sports confederations
- Critical Infrastructure – Transportation (12%) – Metropolitan transit systems (Munich MVG, Dortmund), rail information services
- Private Sector – Hospitality (8%) – Hotels in strategic tourism areas (Cortina d’Ampezzo alpine region)
- Critical Infrastructure – Water (5%) – Municipal water services across regions
- Private Sector – Other (7%) – Business services, technology providers, commercial entities
- Other Services (6%) – Information portals, cultural organizations, miscellaneous
The targeting of government services (38%) represents a deliberate strategy to disrupt public services at multiple administrative levels simultaneously – from national federal ministries down to small municipal councils serving populations under 5,000. This demonstrates systematic cataloging of government infrastructure across entire regions.
The significant Olympic infrastructure targeting (24%) across three countries includes:
- Finnish Olympic Committee: 136 attacks – National sports authority
- German Olympic Sports Confederation (DOSB): 135 attacks – Federal sports organization
- Austrian Olympic Committee: 120 attacks – National Olympic body
This coordinated Olympic targeting (391 total attacks) suggests a themed campaign timed to maximize political messaging impact related to Russia’s ongoing sanctions and participation restrictions in international sporting events.
The targeting of critical transportation infrastructure (12%) includes:
- Munich MVG Transit: 135 attacks – Serving 1.5+ million daily passengers in Germany’s third-largest metro area
- Dortmund Municipal Services: 135 attacks – Integrated public transit coordination
- Rail Information Services: Multiple attacks on ticket booking and information platforms
This infrastructure selection reveals strategic understanding of cascading failure potential and psychological impact on civilian populations when essential services face disruption.
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks to increase complexity and bypass single-layer defensive measures.

Attack Methods Distribution (SOCRadar DDoS Threat Intelligence)
Most common methods observed:
- HTTP GET Flood attacks (26.2% – 2,122 attacks)
- TCP SYN Flood attacks (25.2% – 2,040 attacks)
- TCP ACK Flood attacks (12.0% – 974 attacks)
- HTTP POST-based attacks (11.8% – 955 attacks)
- TCP SYN-ACK Flood (11.0% – 890 attacks)
- UDP Flood (7.3% – 593 attacks)
- PING/ICMP-based attacks (5.8% – 472 attacks)
- Other methods (0.7% – 55 attacks)
The near-equal distribution between HTTP GET floods (26.2%) and TCP SYN floods (25.2%) demonstrates a balanced dual-layer approach, combining application-layer resource exhaustion with transport-layer volumetric attacks. This strategic balance makes defensive efforts significantly more complex, requiring both network-layer and application-layer protections deployed simultaneously.
Combined with ACK and SYN-ACK floods, transport-layer attacks represented 54.5% of all methods, while application-layer HTTP attacks comprised 38.8%, indicating sophisticated understanding of how to maximize attack effectiveness against modern web infrastructure and DDoS mitigation services.
The overwhelming concentration on port 443 (HTTPS) (69.1% of all attacks – 5,597 attacks) indicates deliberate targeting of encrypted web services, including:
- Government citizen portals and authentication systems
- Critical infrastructure management systems
- Olympic committee registration and information platforms
- Municipal and regional service portals
- Hospitality booking and information systems
Additional targeting of port 80 (HTTP) (19.3% – 1,565 attacks) suggests attacks against both modern HTTPS services and legacy HTTP infrastructure still in operation, particularly affecting older government systems and smaller municipal websites with limited security resources.
Attack Types Distribution (SOCRadar DDoS Threat Intelligence):
- TCP-layer attacks: 4,376 attacks (54.0%)
- HTTP/2 attacks: 1,638 attacks (20.2%)
- HTTP/1.1 attacks: 1,198 attacks (14.8%)
- Application-layer attacks (nginx_loris): 663 attacks (8.2%)
- HTTP/3 attacks: 221 attacks (2.7%)
- UDP attacks: 5 attacks (0.1%)
This distribution demonstrates a heavily layered attack methodology, with dominant volumetric network-layer floods (TCP: 54.0%) combined with sophisticated application-layer attacks (HTTP/1.1: 14.8%, HTTP/2: 20.2%, nginx_loris: 8.2%) designed to bypass rate-limiting defenses and exhaust server resources efficiently.
The significant nginx_loris component (8.2%) demonstrates the DDoSia botnet’s capability to execute specialized attacks exploiting specific server software vulnerabilities. nginx_loris attacks keep connections open while transmitting minimal data, slowly exhausting server connection pools; they are particularly effective against inadequately configured web servers.
The presence of HTTP/3 attacks (2.7%), while minor in volume, indicates the threat actor’s capability to exploit cutting-edge protocols, demonstrating technical sophistication and ability to adapt attack vectors to emerging technologies.
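For defenders, the connection-holding behaviour described for nginx_loris leaves a recognisable trace in access logs: requests that stay open for a long time while the client sends almost nothing. The following detection sketch is an added example, not SOCRadar's or nginx's own code; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple

# Assumed access-log format (chosen for this example, not taken from the report):
#   log_format slowmon '$remote_addr $msec $status $request_time $request_length';
MIN_HOLD_S = 10.0   # request held open at least this long ...
MAX_BPS = 50.0      # ... while the client sent fewer bytes per second than this
WINDOW_S = 60.0     # sliding window per client address
PER_IP_LIMIT = 4    # slow requests per client per window before flagging


class Rec(NamedTuple):
    ip: str
    end: float      # $msec, when the request finished
    status: int
    held: float     # $request_time, seconds the request was open
    sent: int       # $request_length, bytes received from the client


def parse(line):
    """Return a Rec, or None for a malformed line (log noise must not crash us)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Rec(parts[0], float(parts[1]), int(parts[2]),
                   float(parts[3]), int(parts[4]))
    except ValueError:
        return None


def is_slow(rec):
    """True for a 408 client timeout or a long-held, near-silent request."""
    if rec.status == 408:
        return True
    if rec.held < MIN_HOLD_S:
        return False          # also avoids dividing by a zero duration
    return rec.sent / rec.held < MAX_BPS


def detect(lines):
    """Return (flagged client addresses, fraction of requests that were slow).

    Lines are expected in time order, as nginx writes them.
    """
    recent = defaultdict(deque)          # ip -> finish times of slow requests
    flagged, total, slow = set(), 0, 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        total += 1
        if not is_slow(rec):
            continue
        slow += 1
        times = recent[rec.ip]
        times.append(rec.end)
        while rec.end - times[0] > WINDOW_S:
            times.popleft()
        if len(times) >= PER_IP_LIMIT:
            flagged.add(rec.ip)
    return flagged, (slow / total if total else 0.0)


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE = """\
198.51.100.7 1770000001.120 200 0.042 512
203.0.113.9 1770000005.000 408 60.001 38
203.0.113.9 1770000006.500 408 60.002 41
198.51.100.7 1770000010.300 200 0.051 498
203.0.113.9 1770000011.000 400 45.300 120
203.0.113.9 1770000015.250 408 60.000 35
192.0.2.44 1770000020.000 200 12.500 4194304
garbage line
203.0.113.50 1770000030.000 408 60.004 40
""".splitlines()

if __name__ == "__main__":
    offenders, fraction = detect(SAMPLE)
    print("flagged:", sorted(offenders), "slow fraction:", round(fraction, 3))
```

Because a crowdsourced botnet spreads connections over many sources, the per-address threshold alone can stay quiet; the overall slow fraction is the signal to alert on in that case.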
Most Targeted Organizations
The campaign targeted a strategically selected mix of government services, critical infrastructure, Olympic organizations, and hospitality sector entities across Italy, Germany, Austria, and Finland. The selection demonstrates intelligence gathering and tactical planning rather than opportunistic targeting.

Top Targeted Hosts and IP Addresses (SOCRadar DDoS Threat Intelligence)
Italy (Primary Target – 42.9%)
Top 10 Most Targeted Italian Organizations:
- www.hotelambracortina.it (176 attacks) – Hotel Ambra Cortina, luxury hotel in Cortina d’Ampezzo (Private Sector – Hospitality)
  - Strategic Reason: Disrupting tourism infrastructure in strategic alpine region creates economic impact in winter sports destination. Cortina hosts 2026 Winter Olympics venues.
- www.hotelcortina.com (168 attacks) – Hotel Cortina, luxury hotel in Cortina d’Ampezzo (Private Sector – Hospitality)
  - Strategic Reason: Concentrated attacks on Cortina hospitality sector (344 combined attacks) suggest economic warfare targeting tourism-dependent alpine regions ahead of 2026 Olympics.
- www.consiglio.vda.it (117 attacks) – Regional Council of Valle d’Aosta (Government – Regional)
  - Strategic Reason: Regional governance in the autonomous Italian region near French and Swiss borders. Disrupting the regional council undermines administrative coordination across 74 municipalities.
- www.comune.courmayeur.ao.it (101 attacks) – Municipality of Courmayeur, Valle d’Aosta (Government – Municipal)
  - Strategic Reason: Major alpine tourism center at Mont Blanc base. Economic impact through disruption during peak winter tourism season.
- www.comune.chatillon.ao.it (91 attacks) – Municipality of Châtillon, Valle d’Aosta (Government – Municipal)
  - Strategic Reason: Part of systematic targeting of Valle d’Aosta municipalities, demonstrating comprehensive cataloging of regional government infrastructure.
- www.comune.aosta.it (90 attacks) – Municipality of Aosta, regional capital (Government – Municipal)
  - Strategic Reason: Capital city of autonomous region. Disruption affects regional administrative hubs and citizen services for 34,000+ residents.
- www.comune.morgex.ao.it (88 attacks) – Municipality of Morgex, Valle d’Aosta (Government – Municipal)
  - Strategic Reason: Small alpine municipality (2,100 residents). Demonstrates targeting of vulnerable communities with minimal IT resources.
- www.comune.issogne.ao.it (87 attacks) – Municipality of Issogne, Valle d’Aosta (Government – Municipal)
  - Strategic Reason: Continuing pattern of systematic Valle d’Aosta municipal targeting.
- regione.vda.it (85 attacks) – Valle d’Aosta Regional Government Portal (Government – Regional)
  - Strategic Reason: Primary regional government services portal serving all 74 municipalities across autonomous region.
- www.comune.valpelline.ao.it (85 attacks) – Municipality of Valpelline, Valle d’Aosta (Government – Municipal)
  - Strategic Reason: Small mountain community (650 residents), demonstrating reach across the entire administrative hierarchy.
Additional High-Profile Italian Targets:
Valle d’Aosta represents the most concentrated targeting within Italy, with 74 separate municipality websites attacked, including municipalities ranging from regional capital Aosta (34,000 residents) down to small alpine villages (under 500 residents). This systematic targeting demonstrates:
- Comprehensive reconnaissance and cataloging of regional government infrastructure
- Intent to overwhelm entire regional administrative structures
- Exploitation of smaller municipalities with limited cybersecurity resources
- Strategic focus on autonomous regions near international borders (France, Switzerland)
Germany (Secondary Target – 29.5%)
Top 10 Most Targeted German Organizations:
- www.limbach-oberfrohna.de (171 attacks) – Municipality of Limbach-Oberfrohna, Saxony (Government – Municipal)
  - Strategic Reason: Small municipal government (24,000 residents) with limited IT security resources. Demonstrates systematic targeting to overwhelm local government capabilities.
- reiner-haseloff.de (161 attacks) – Personal website of Reiner Haseloff, Minister-President of Saxony-Anhalt (Government – Political Figure)
  - Strategic Reason: Direct personal targeting of state-level political leadership represents intimidation tactics and demonstrates capability to research and target individual politicians.
- www.olympiakomitea.fi (136 attacks) – Finnish Olympic Committee (Sports Organization – Olympic)
  - Note: Although this is a .fi domain, it is included in the German section due to geographic clustering of Olympic targeting.
  - Strategic Reason: Part of coordinated Olympic infrastructure campaign across Finland, Germany, and Austria related to Russian athletics sanctions.
- www.dortmund.de (135 attacks) – City of Dortmund, major German city (Government – Municipal)
  - Strategic Reason: Major industrial city (587,000 residents). Disrupting municipal services affects large population center and economic hub in North Rhine-Westphalia.
- www.dosb.de (135 attacks) – German Olympic Sports Confederation (Sports Organization – Olympic)
  - Strategic Reason: Federal-level sports authority coordinating Olympic participation and athlete support. Targeting represents retaliation for German stance on Russian athletics bans.
- www.mvg.de (105 attacks) – Munich MVG Metropolitan Transit System (Critical Infrastructure – Transportation)
  - Strategic Reason: Critical urban mobility infrastructure serving 1.5+ million daily passengers. Disruption causes cascading economic impacts and public inconvenience.
- www.reise-nach-italien.de (90 attacks) – Germany-Italy travel information portal (Private Sector – Tourism)
  - Strategic Reason: Tourism sector targeting designed to disrupt travel between Germany and Italy, affecting economic ties and the tourist industry.
- www.bmi.bund.de (117 attacks) – German Federal Ministry of Interior and Community (Government – Federal)
  - Strategic Reason: High-value federal target controlling domestic security, civil protection, and cybersecurity coordination. Disruption affects national-level security operations.
- Various municipal councils across Germany (Multiple targets, 30-100 attacks each)
  - Including: Municipal governments in Saxony, North Rhine-Westphalia, Bavaria
  - Strategic Reason: Widespread geographic distribution creates perception of nationwide vulnerability.
Additional High-Profile German Targets:
- Federal government ministries and agencies
- State-level political leadership websites
- Major metropolitan transit systems
- Municipal governments ranging from major cities to small towns
- Tourism and information services
Austria (Tertiary Target – 2.2%)
- www.olympia.at (120 attacks) – Austrian Olympic Committee (Sports Organization – Olympic)
  - Strategic Reason: Part of coordinated three-country Olympic infrastructure campaign. Targeting the Austrian Olympic Committee aligns with a broader pattern of symbolic attacks on sporting organizations where Russia faces sanctions.
Finland (Targeted Olympic Infrastructure – 1.7%)
- www.olympiakomitea.fi (136 attacks) – Finnish Olympic Committee (Sports Organization – Olympic)
  - Strategic Reason: Exclusively focused on Olympic organization. Represents symbolic targeting related to international sporting events where Russia faces participation bans and athlete restrictions.
Commercial and International Entities (15.8%)
A significant portion of attacks (1,278 attacks – 15.8%) targeted commercial domains (.com, .co, .net, .info) representing:
- Multinational hospitality brands
- International business services
- Global technology platforms
- Commercial service providers
This targeting demonstrates recognition that disrupting commercial entities creates economic pressure and affects international business confidence in addition to direct governmental targeting.
Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and organized hacktivist actors conducting sustained DDoS campaigns against NATO member states, European Union countries, and nations supporting Ukraine.

Threat actor card of NoName057(16)
The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides several advantages: distributed attack infrastructure difficult to attribute and disrupt, plausible deniability for state involvement, and ability to mobilize thousands of volunteer participants incentivized through gamification, cryptocurrency rewards, and ideological motivation.
DDoSia Framework
The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:
- Provides a user-friendly interface for non-technical participants
- Receives centralized target lists updated multiple times daily
- Implements multiple attack vectors (TCP floods, HTTP floods, application-layer attacks)
- Includes evasion techniques to bypass basic DDoS protections
- Reports attack metrics back to central infrastructure for performance tracking
- Coordinates distributed attacks across thousands of volunteer participants
Geopolitical Alignment
NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:
- NATO member states, particularly Italy, Germany, Poland, Baltic states, and strong Ukraine supporters
- European Union institutions and member states
- Countries providing military, financial, or political support to Ukraine
- Ukrainian government services and critical infrastructure
- Private sector entities in targeted countries to create economic pressure
- Olympic and sports organizations implementing Russian athlete restrictions
The group has demonstrated exceptional operational persistence with:
- Regular target list updates multiple times per day (24 updates during this analysis period)
- Sustained campaigns over weeks and months
- Strategic coordination timed to geopolitical events and diplomatic developments
- Rapid adaptation to defensive measures
- Continuous recruitment of new participants through Telegram channels
Recent Activity Patterns
This multi-country campaign represents the latest evolution in NoName057(16)’s pattern of sustained pressure against NATO and Ukraine supporters. Recent campaigns have shown:
- December 2025: Rotating focus across Denmark, France, Finland, Germany
- Early January 2026: United Kingdom focus (85.2% – concentrated single-country campaign)
- Mid-January 2026: Poland focus (67.1% – significant campaign)
- Late January 2026: Multi-country diversification (UK 55%, Ukraine 12.7%, Czechia 4.9%, Commercial 27.4%)
- February 2-8, 2026: Italy and Germany concentration (Italy 42.9%, Germany 29.5%, multi-sector expansion)
This pattern evolution from concentrated single-country campaigns to diversified multi-country operations with comprehensive sector targeting suggests tactical maturation and capability expansion. The simultaneous pressure on multiple nations prevents defensive resource concentration and demonstrates scalable operational capability.
Key Characteristics
- Operational Model: Volunteer-driven crowdsourced attacks via DDoSia botnet tool
- Coordination: Telegram channels for target distribution and participant recruitment
- Motivation: Pro-Russian hacktivist aligned with state geopolitical objectives
- Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris, HTTP/2, HTTP/3)
- Target Selection: Intelligence-driven, strategically prioritized targeting with comprehensive reconnaissance
- Persistence: Continuous operations with sustained pressure over extended periods
- Scale: 8,101 attacks in one week against 160 unique targets across multiple countries
- Sophistication: Medium-to-high technical capability with evolving tactics and modern protocol exploitation
- Attribution: Plausibly deniable connection to Russian state interests with perfect geopolitical alignment
Mitigation and Recommendations
Organizations within affected sectors, particularly those in Italy, Germany, Austria, Finland, and other NATO member states, should consider implementing or strengthening the following defensive measures:
Immediate Actions
- Deploy cloud-based DDoS protection services – Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches your infrastructure
- Review and update Web Application Firewall (WAF) rules – Ensure WAF configurations can detect and block HTTP/HTTP2/HTTP3 flood patterns, particularly GET, POST, and nginx_loris variants
- Configure rate limiting – Implement rate limiting at multiple layers: web application, reverse proxy (nginx, Apache), load balancer, and network firewall
- Enable SYN cookies and TCP hardening – Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, increase SYN backlog queues, and limit connection table sizes
- Establish traffic baseline monitoring – Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization
- Verify geographic redundancy – Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional attacks
- Review DNS configuration – Implement DNS-based DDoS protection and ensure proper DNS caching configurations
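One way to implement the traffic baseline monitoring item above, as an added example rather than code from SOCRadar or any vendor named in the list: an exponentially weighted baseline that alerts on upward spikes and, by default, stops learning from samples that alerted so a sustained flood cannot become the new "normal". The class name, thresholds and the requests-per-minute series are assumptions constructed for illustration.

```python
import math


class BaselineMonitor:
    """EWMA baseline of one traffic metric with one-sided (spike) alerting."""

    def __init__(self, alpha=0.2, z_limit=4.0, warmup=5, min_std=5.0,
                 freeze=True):
        self.alpha = alpha      # weight given to the newest sample
        self.z_limit = z_limit  # alert when this many std devs above the mean
        self.warmup = warmup    # samples used for learning before alerting
        self.min_std = min_std  # floor so a very flat baseline does not over-alert
        self.freeze = freeze    # if True, samples that alerted are not learned
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def _learn(self, x):
        # Standard incremental EWMA update of mean and variance.
        if self.mean is None:
            self.mean = float(x)
        else:
            diff = x - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.seen += 1

    def observe(self, x):
        """Feed one sample; return True if it is an anomalous spike."""
        if self.seen < self.warmup:
            self._learn(x)
            return False
        std = max(math.sqrt(self.var), self.min_std)
        alert = (x - self.mean) / std > self.z_limit
        if not (alert and self.freeze):
            self._learn(x)
        return alert


def alert_indexes(series, **kwargs):
    """Return the positions in `series` at which the monitor alerted."""
    monitor = BaselineMonitor(**kwargs)
    return [i for i, x in enumerate(series) if monitor.observe(x)]


# Constructed requests-per-minute series: steady traffic, a three-minute
# flood (positions 7 to 9), then recovery.
REQS_PER_MIN = [100, 104, 98, 101, 97, 103, 99, 450, 900, 870, 102, 100]

if __name__ == "__main__":
    # Frozen baseline: every flood minute alerts.
    print("freeze=True :", alert_indexes(REQS_PER_MIN, freeze=True))
    # Naive baseline: the flood inflates mean and variance, so the third
    # flood minute no longer stands out and is missed.
    print("freeze=False:", alert_indexes(REQS_PER_MIN, freeze=False))
```

A frozen baseline never adapts to a legitimate, permanent traffic increase on its own, so pair it with a manual or time-based reset.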
Strategic Measures
- Conduct comprehensive DDoS risk assessments – Identify all internet-facing services, assess current protections, and document vulnerabilities requiring remediation
- Develop and test incident response plans – Create detailed response procedures for DDoS attacks, conduct tabletop exercises, and ensure 24/7 contact procedures are established
- Allocate appropriate security budget – Budget for DDoS protection services, infrastructure redundancy, security personnel, and incident response capabilities
- Implement defense-in-depth architecture – Design infrastructure with multiple defensive layers: network edge filtering, CDN protection, WAF rules, application hardening
- Engage with national CERT/CSIRT – Participate in information sharing programs with national cybersecurity coordination centers (CERT-IT for Italian organizations, BSI for German organizations, etc.)
- Monitor threat intelligence feeds – Subscribe to threat intelligence services tracking NoName057(16) and DDoSia activity to receive early warning of targeting
- Consider managed security services – For smaller organizations lacking in-house expertise, consider managed DDoS protection and SOC services
- Train staff on incident recognition and response – Conduct regular training exercises to ensure personnel can recognize DDoS attacks quickly and execute appropriate response procedures
- Establish communication protocols – Prepare pre-drafted public communications and internal stakeholder messaging for use during service disruptions
- Document lessons learned – After incidents, conduct thorough post-mortems to identify defensive gaps and implement improvements
Sector-Specific Guidance
Municipal and Regional Government:
- Small municipalities should consider shared regional DDoS protection services to achieve economies of scale
- Establish mutual aid agreements with neighboring municipalities for incident response support
- Coordinate with regional and national government cybersecurity authorities
- Maintain offline/manual procedures for essential citizen services during digital service disruptions
Transportation Infrastructure:
- Ensure strict segregation between public-facing information systems and operational control networks
- Implement redundant communication channels for schedule and service information
- Test manual/offline operational procedures regularly
- Coordinate with law enforcement regarding potential cascading impacts on public safety
Olympic and Sports Organizations:
- Anticipate potential attack timing around major events, qualifications, or governance decisions affecting Russian participation
- Implement enhanced protection during high-profile event periods and qualification windows
- Prepare alternative registration and information distribution channels
- Coordinate internationally with other national Olympic committees facing similar threats
Hospitality and Tourism:
- Ensure booking and reservation systems have adequate DDoS protection
- Implement backup communication channels for guest services during attacks
- Consider multi-channel customer communication (phone, email, social media) to maintain service during web disruptions
Conclusion
The February 2-8, 2026 campaign represents a significant tactical evolution in NoName057(16) operations, demonstrating expanded operational scope, multi-country coordination, and sophisticated sector-specific targeting. The campaign’s scale (8,101 attacks), geographic diversity (160 organizations across multiple countries), and technical execution (multi-vector attacks combining TCP floods, HTTP attacks, and application-layer techniques) demonstrate the group’s expanding operational capability and strategic ambition.
The concentration on Italy (42.9%) and Germany (29.5%), combined with systematic targeting of Olympic infrastructure across three countries and comprehensive municipal government targeting in Valle d’Aosta, reveals a coordinated strategy designed to:
- Maximize disruption across NATO’s major European powers
- Create economic impact through tourism and transportation sector targeting
- Send political messaging through Olympic organization attacks
- Demonstrate capability to overwhelm government services at all administrative levels
Key Takeaways:
- Italy and Germany face sustained, coordinated attacks as major EU economies and NATO members
- Small municipal councils and regional authorities are systematically targeted alongside national infrastructure
- Olympic infrastructure targeting represents thematic campaign component related to Russian athletics sanctions
- Multi-vector attacks require sophisticated, multi-layered defenses across network and application layers
- NATO member states supporting Ukraine should expect continued and potentially intensifying targeting
If you would like a more detailed report on this DDoS campaign or require customized threat intelligence for your organization, contact [email protected].
SOCRadar continues our commitment to protecting European organizations with enhanced DDoS threat intelligence capabilities. We are continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns targeting Europe.

