Political DDoS Pivots to Japan: Weekly DDoS Threat Intelligence Analysis
Analysis Period: February 9 – 15, 2026
Between February 9 and 15, 2026, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 5,445 recorded attack entries, targeting 176 unique domains and 193 unique IP addresses across multiple countries, representing a dramatic strategic pivot from previous Western European and UK-focused operations to concentrated targeting of Japan.
This campaign marks a significant geographic shift in NoName057(16) operations, with Japan accounting for 39.4% of all attacks (2,144 targets), representing the group’s first major sustained campaign against Asian infrastructure. The operations simultaneously maintained pressure on Ukraine (20.4%), expanded to Denmark (15.1%), and included attacks on commercial entities (14.3%) and other European nations. The shift demonstrates the group’s capability to rapidly redirect operational focus across continents while maintaining multi-front pressure.
Executive Summary Table:
| Metric | Value |
| Analysis Period | February 9 – 15, 2026 |
| Total Attack Entries | 5,445 |
| Unique Domains Targeted | 176 |
| Unique IP Addresses | 193 |
| Primary Countries | Japan (39.4%), Ukraine (20.4%), Denmark (15.1%), Commercial/Int’l (14.3%), UK (5.8%), Other (5.0%) |
| Most Targeted Port | 443 (HTTPS) – 67.2% of attacks |
| Threat Actor | NoName057(16) |
| Attack Tool/Project | DDoSia |
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated unprecedented geographic diversification with a complete strategic pivot from Western European targets to concentrated operations against Japanese infrastructure. The campaign’s primary focus on Japan (39.4% – 2,144 attacks) represents NoName057(16)’s first major sustained operation against an Asian G7 nation, indicating expanded operational scope and strategic ambition beyond traditional European and Ukrainian targets.
Geographic Distribution:
- Japan accounted for 39.4% of all attack entries (2,144 attacks) targeting 44 unique organizations
- Ukraine received 20.4% of attacks (1,110 attacks) targeting 38 unique organizations
- Denmark received 15.1% of attacks (820 attacks) targeting 15 unique organizations
- Commercial/International domains comprised 14.3% (779 attacks), targeting 30 unique organizations
- The United Kingdom received 5.8% of attacks (318 attacks) targeting 22 unique organizations
- Other European nations received 5.0% of attacks (274 attacks), including Italy, Germany, Czechia, and the Nordic countries
Geographic Distribution by Country
This distribution reflects a complete operational pivot from the previous week’s UK-focused campaign (55% UK, 27% commercial, 13% Ukraine, 5% Czech Republic) to a Japan-primary strategy while maintaining sustained pressure on Ukraine and expanding European operations to include Denmark as a significant secondary target.
The geographic concentration on Japan demonstrates strategic intelligence gathering and target selection, focusing primarily on regional infrastructure in northern Honshu island, particularly Aomori, Ishikawa, and Akita prefectures. This regional concentration suggests deliberate selection of areas with potentially limited cybersecurity resources compared to major urban centers like Tokyo and Osaka.
The sustained nature of attacks over seven consecutive days (February 9-15) with nineteen distinct target list updates indicates highly coordinated operational planning adapted to Asian time zones and Japanese infrastructure characteristics. The timing coincides with ongoing Japanese defense policy discussions and strengthened security cooperation with NATO partners, suggesting strategic coordination with geopolitical developments.
Targeted Sectors
The campaign demonstrated a comprehensive multi-sector targeting strategy adapted to Japanese infrastructure while maintaining pressure on Ukrainian and Danish targets:
Key targeted sectors included:
- Other Private Sector (62.8%) – Commercial organizations, regional businesses, and general private industry
- Government & Public Sector (25.1%) – Prefectural governments, municipal councils, city administrations
- Critical Infrastructure – Transportation (4.6%) – Aviation, railways, regional transit systems
- Critical Infrastructure – Telecommunications (1.8%) – Regional ISPs and telecommunications providers
- Critical Infrastructure – Maritime (1.8%) – Port authorities and maritime services
- Private Sector – Business Services (1.4%) – Business associations and commercial services
- Private Sector – Construction (1.2%) – Construction industry organizations
- Critical Infrastructure – Water (0.8%) – Water utilities
- Media & Communications (0.3%) – News and information platforms
- Private Sector – Finance (0.2%) – Banking and financial services
Target Distribution by Industry/Sector
The overwhelming focus on private sector entities (62.8%) combined with government targeting (25.1%) indicates a strategy prioritizing economic disruption and commercial uncertainty over purely governmental targets. This represents a tactical shift from previous campaigns that emphasized government and critical infrastructure.
The significant government infrastructure targeting (25.1%) focused specifically on Japanese administrative levels:
- Prefectural Governments: Ishikawa Prefecture, Aomori Prefecture, Akita Prefecture – regional administrations serving millions of residents
- Municipal/City Governments: Akita City (300,000 residents), Nanao City (50,000 residents), and numerous smaller municipalities
- Administrative Services: Public portals, citizen services, regional coordination systems
The critical infrastructure targeting (8.8% combined across transportation, telecommunications, maritime, and water) includes strategically significant assets:
- Aviation: Aomori Airport (regional aviation hub), Japan Civil Aviation Bureau (national regulatory authority)
- Railways: Aoimori Railway (regional rail network connecting major cities in Aomori Prefecture)
- Telecommunications: Regional ISP 0175 (providing internet connectivity to entire prefectures)
- Maritime: Port authorities and shipping coordination services
This infrastructure selection reveals an understanding of regional dependency chains and cascading failure potential, where disrupting regional infrastructure creates a disproportionate impact on local economies and populations.
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy consistent with previous campaigns but adapted for Asian targets:
Most common methods observed:
- HTTP GET Flood attacks (28.9% – 1,573 attacks)
- TCP SYN Flood attacks (21.8% – 1,188 attacks)
- ACK Flood attacks (14.4% – 782 attacks)
- SYN-ACK Flood (12.2% – 666 attacks)
- UDP Flood (7.7% – 418 attacks)
- HTTP POST-based attacks (7.5% – 407 attacks)
- PING-based attacks (6.9% – 377 attacks)
- Other methods (0.6% – 34 attacks)
Attack Methods & Target Ports
The dominant use of HTTP GET floods (28.9%) combined with TCP SYN floods (21.8%) demonstrates continued emphasis on dual-layer attacks combining application-layer resource exhaustion with transport-layer volumetric flooding. This distribution shows slight tactical evolution from previous campaigns with increased emphasis on HTTP-based attacks (43.9% combined GET/POST vs. 48.4% TCP-layer).
Combined transport-layer attacks (SYN, ACK, SYN-ACK) represented 48.4% of all methods, while application-layer HTTP attacks comprised 36.4%, maintaining the group’s balanced multi-vector approach that complicates defensive measures.
The concentration on port 443 (HTTPS) (67.2% of all attacks – 3,660 attacks) indicates continued targeting of encrypted web services, including:
- Japanese government portals and prefectural administrative systems
- Regional transportation and aviation booking systems
- Telecommunications provider customer portals
- Business services and commercial platforms
- Municipal government citizen service portals
Additional targeting of port 80 (HTTP) (22.7% – 1,235 attacks) suggests attacks against both modern HTTPS infrastructure and legacy HTTP systems, particularly affecting older Japanese government systems and smaller municipal websites with limited modernization budgets.
Attack Types Distribution:
- TCP-layer attacks: 3,013 attacks (55.3%)
- HTTP/2 attacks: 1,027 attacks (18.9%)
- HTTP/1.1 attacks: 916 attacks (16.8%)
- Application-layer attacks (nginx_loris): 407 attacks (7.5%)
- HTTP/3 attacks: 46 attacks (0.8%)
- UDP attacks: 36 attacks (0.7%)
Attack Types by Volume
This distribution demonstrates continued, heavily layered attack methodology, with dominant volumetric network-layer floods (TCP: 55.3%) combined with sophisticated application-layer attacks (HTTP/1.1: 16.8%, HTTP/2: 18.9%, nginx_loris: 7.5%) designed to bypass rate-limiting defenses and exhaust server resources.
The nginx_loris component (7.5%) continues to demonstrate the DDoSia botnet’s capability for specialized attacks exploiting server software vulnerabilities, particularly effective against inadequately configured Japanese web servers, potentially lacking enterprise-grade DDoS protection.
2. Most Targeted Organizations
The campaign targeted a strategically selected mix of regional infrastructure, government services, transportation systems, and commercial entities primarily across Japan, with sustained operations against Ukraine and Denmark. The selection demonstrates intelligence gathering focused on Japanese regional vulnerabilities.
Top 10 Targets
Japan (Primary Target – 39.4%)
Top 10 Most Targeted Japanese Organizations:
- www.aomori-airport.co.jp (100 attacks) – Aomori Airport (Critical Infrastructure – Transportation)
- Strategic Reason: Regional airport targeting disrupts local transportation, affects tourism and business travel, and demonstrates reach into Japanese infrastructure.
- www.0175.co.jp (100 attacks) – Regional ISP in Aomori Prefecture (Critical Infrastructure – Telecommunications)
- Strategic Reason: ISP targeting can disrupt internet connectivity for entire regions, affecting businesses and residents dependent on this provider.
- www.jcaa.or.jp (75 attacks) – Japan Civil Aviation Bureau (Critical Infrastructure – Aviation)
- Strategic Reason: Aviation regulatory authority targeting disrupts safety communications, flight planning, and regulatory compliance systems nationally.
- www.i-ppi.jp (75 attacks) – Industrial Property Institute (Private Sector – Business Services)
- Strategic Reason: Business service disruption affects intellectual property management and commercial operations across industries.
- aoimorirailway.com (70 attacks) – Aoimori Railway (Critical Infrastructure – Transportation)
- Strategic Reason: Railway disruption affects daily commuters and regional transportation networks connecting major cities in Aomori Prefecture.
- www.pref.ishikawa.lg.jp (70 attacks) – Ishikawa Prefecture Government (Government – Provincial/Regional)
- Strategic Reason: Prefectural government targeting (1.1 million residents) disrupts regional public services, administrative functions, and citizen portals.
- www.city.akita.lg.jp (70 attacks) – Akita City Government (Government – Municipal/Local)
- Strategic Reason: Municipal service disruption (300,000 residents) affects citizen access to local government services and emergency information.
- www.pref.aomori.lg.jp (70 attacks) – Aomori Prefecture Government (Government – Provincial/Regional)
- Strategic Reason: Prefectural government targeting disrupts regional administration and public service delivery across northern Honshu.
- www.siteitosi.jp (65 attacks) – Construction Industry Organization (Private Sector – Construction)
- Strategic Reason: Industry organization disruption affects construction sector coordination and project management.
- www.city.nanao.lg.jp (65 attacks) – Nanao City Government (Government – Municipal/Local)
- Strategic Reason: Small city targeting (50,000 residents) demonstrates reach and creates disproportionate impact on communities with limited IT resources.
Geographic Pattern Analysis – Japan:
The targeting reveals a concentrated geographic focus on northern Honshu Island, specifically:
- Aomori Prefecture (multiple targets): Northernmost main island prefecture, strategic location
- Ishikawa Prefecture (multiple targets): Central Honshu, facing the Sea of Japan
- Akita Prefecture (multiple targets): Northwestern Honshu, regional economic center
This geographic concentration on regional rather than metropolitan areas suggests deliberate targeting of locations with:
- Potentially lower cybersecurity maturity compared to Tokyo/Osaka
- Critical regional infrastructure serving large geographic areas
- Strategic importance for regional economies and transportation networks
- Symbolic value as “vulnerable” areas despite being developed regions
Additional High-Profile Japanese Targets:
- Multiple prefectural governments and city administrations
- Regional transportation providers and infrastructure
- Telecommunications and internet service providers
- Business associations and commercial services
- Construction and industrial organizations
Ukraine (Secondary Target – 20.4%)
While Japan dominated targeting (39.4%), Ukraine received sustained attacks (20.4% – 1,110 attacks) focused on:
- Government services and administrative portals
- Critical national infrastructure
- Economic and financial systems
- Transportation and logistics networks
The continued Ukrainian targeting (20.4% this week vs. 12.7% previous week) demonstrates maintained pressure despite a geographic pivot to Japan, indicating multi-front operational capability.
Denmark (Tertiary Target – 15.1%)
Denmark emerged as a new significant target (15.1% – 820 attacks), focusing on:
- Government institutions and public services
- Critical infrastructure elements
- Business and commercial platforms
- Municipal and regional authorities
The inclusion of Denmark as a major target (15.1% this week vs. effectively 0% previous week) indicates rotating European focus to maintain pressure on NATO members and Ukraine supporters across multiple fronts.
Commercial and International Entities (14.3%)
A significant portion of attacks (779 attacks – 14.3%) targeted commercial domains (.com, .co, .net, .org), representing:
- Multinational corporations and international business
- Commercial service providers
- Global technology platforms
- International organizations
Other European Targets (5.8% + 5.0%)
Continued targeting of the United Kingdom (5.8%) alongside emerging attacks on Italy, Germany, Czechia, Finland, Lithuania, Austria, Estonia, Spain, Canada, Norway, Poland, and EU institutions (collectively 5.0%) demonstrates sustained multi-country capability preventing defensive concentration.
3. Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and geographically diverse hacktivist actors conducting sustained DDoS campaigns against nations supporting Ukraine, NATO member states, and now expanded operations into Asia.
Threat actor card of NoName057(16)
The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides a distributed attack infrastructure, plausible deniability for state involvement, and the ability to mobilize thousands of volunteer participants across multiple time zones.
DDoSia Framework
The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:
- Provides a user-friendly interface for non-technical participants
- Receives centralized target lists updated multiple times daily (19 updates this week)
- Implements multiple attack vectors (TCP floods, HTTP floods, application-layer attacks)
- Includes evasion techniques to bypass basic DDoS protections
- Reports attack metrics back to the central infrastructure for performance tracking
- Coordinates distributed attacks across thousands of volunteer participants globally
Geopolitical Alignment
NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:
- Asian nations strengthening security cooperation with NATO (Japan’s recent defense policy shifts)
- NATO member states, particularly those with strong Ukraine support positions
- Ukraine itself is maintaining pressure on the government and infrastructure
- European Union member states rotating to prevent defensive adaptation
- Private sector entities in targeted countries are to create economic pressure
The group has demonstrated exceptional operational persistence with:
- Regular target list updates multiple times per day (19 updates during this analysis period)
- Sustained campaigns over weeks and months across multiple continents
- Strategic coordination timed to geopolitical events and diplomatic developments
- Rapid adaptation to defensive measures and geographic pivots
- Continuous recruitment of new participants through Telegram channels
Recent Activity Patterns Evolution
This Japan-focused campaign represents the latest evolution in NoName057(16)’s increasingly sophisticated geographic rotation strategy:
- Late January 2026: Multi-country (UK 55%, Ukraine 13%, Czech Republic 5%, Commercial 27%)
- Early February 2026: Japan 39.4%, Ukraine 20.4%, Denmark 15.1%, Commercial 14.3%, UK 5.8%
This pattern evolution from concentrated European operations to intercontinental multi-front campaigns suggests:
- Expanded volunteer base with global distribution, enabling Asian time zone operations
- Enhanced intelligence gathering on Japanese and Asian infrastructure
- Strategic messaging demonstrating global reach beyond traditional European focus
- Operational maturity allowing simultaneous coordination across multiple continents
Key Characteristics
- Operational Model: Volunteer-driven crowdsourced attacks via the DDoSia botnet tool with global distribution
- Coordination: Telegram channels for target distribution, participant recruitment, and operational coordination
- Motivation: Pro-Russian hacktivist aligned with state geopolitical objectives, expanding to counter Western security architecture globally
- Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris, HTTP/2, HTTP/3)
- Target Selection: Intelligence-driven, strategically prioritized targeting adapted to regional infrastructure
- Persistence: Continuous operations with sustained pressure over extended periods across multiple time zones
- Scale: 5,445 attacks in one week against 176 unique targets across Asia, Europe, and commercial entities
- Geographic Reach: NEW – Expanded from European focus to intercontinental operations (Asia + Europe simultaneously)
- Sophistication: Medium-to-high technical capability with rapid geographic pivoting and evolving tactics
- Attribution: Plausibly deniable connection to Russian state interests
4. Mitigation and Recommendations
Organizations within affected sectors, particularly those in Japan, Ukraine, Denmark, and other targeted nations, should consider implementing or strengthening defensive measures:
Immediate Actions
- Deploy cloud-based DDoS protection services – Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches infrastructure
- Review and update Web Application Firewall (WAF) rules – Ensure WAF configurations can detect and block HTTP/HTTP2/HTTP3 flood patterns, particularly GET, POST, and nginx_loris variants
- Configure rate limiting – Implement rate limiting at multiple layers: web application, reverse proxy (nginx, Apache), load balancer, and network firewall
- Enable SYN cookies and TCP hardening – Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, increase SYN backlog queues, and limit connection table sizes
- Establish traffic baseline monitoring – Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization
- Verify geographic redundancy – Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional attacks
- Review DNS configuration – Implement DNS-based DDoS protection and ensure proper DNS caching configurations
Strategic Measures for Japanese Organizations
- Engage with JPCERT/CC – Japanese organizations should immediately coordinate with the Japan Computer Emergency Response Team Coordination Center for threat intelligence sharing and incident response support
- Implement Japanese-language incident communications – Prepare public communications and internal stakeholder messaging in Japanese for use during service disruptions
- Regional cooperation – Prefectural and municipal governments should establish information-sharing networks to coordinate defensive responses across affected regions
- Budget allocation – Allocate appropriate security budget for DDoS protection services, particularly for regional governments and smaller municipalities with limited resources
- Training and awareness – Conduct training for Japanese IT personnel on NoName057(16) tactics and DDoS response procedures
5. Conclusion
The February 9-15, 2026 campaign represents a watershed moment in NoName057(16) operations, marking the group’s first major sustained operation against an Asian G7 nation and demonstrating capability for intercontinental multi-front campaigns. The campaign’s dramatic pivot to Japan (39.4% of attacks) while maintaining pressure on Ukraine (20.4%) and expanding to Denmark (15.1%) reveals sophisticated operational planning, global volunteer coordination, and strategic ambition extending far beyond traditional European focus.
The concentrated targeting of Japanese regional infrastructure – particularly northern Honshu prefectures (Aomori, Ishikawa, Akita) – demonstrates intelligence-driven target selection exploiting potential cybersecurity maturity gaps between major metropolitan areas and regional governments. The systematic inclusion of prefectural governments, regional transportation systems, telecommunications providers, and municipal councils indicates a strategy to create maximum disruption across essential services while targeting areas with potentially limited defensive resources.
If you would like a more detailed report on this DDoS campaign or require customized threat intelligence for your organization, contact [email protected].

