| Metric | Value |
| Analysis Period | March 17 – 23, 2026 |
| Total Attack Entries | 13,716 |
| Unique Domains Targeted | 148 |
| Unique IP Addresses | 134 |
| Primary Countries | Romania (64.5%), International (16.5%), Israel (15.5%), Denmark (2.3%), Greenland (0.7%), EU (0.4%) |
| Most Targeted Port | 443 (HTTPS) — 93.2% of all attacks |
| Threat Actor | NoName057(16) |
| Attack Tool / Project | DDoSia |
| Threat Classification | Critical ≥ 100 attacks · High ≥ 42 attacks · Medium < 42 attacks |
Mar 25, 2026
14 Mins Read
Romania Under DDoS Attacks: Weekly DDoS Threat Intelligence Analysis
Analysis Period: March 17 – 23, 2026
Between March 17 and 23, 2026, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 13,716 recorded attack entries, targeting 148 unique domains and 134 unique IP addresses across multiple countries, representing a dramatic strategic pivot toward Romania as the week’s primary target.
This campaign marks a complete geographic shift from the previous week’s Cyprus-primary operations. Romania now accounts for 64.5% of all attacks (8,852 targets), with the group striking simultaneously across Romanian finance, transportation, energy, and government sectors. Israel maintained sustained secondary pressure (15.5%), while Denmark and Greenland emerged as new targets for the first time in this campaign cycle. The week’s most notable development is the continued escalation in targeting of Israeli defense-industrial entities, with Magam Safety rising to the single most-attacked host across the entire dataset at 460 attack instances.
For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and publish actionable threat data sourced directly from DDoSia Telegram channels.
1. Campaign Analysis
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated a significant surge in operational intensity compared to the previous week. Total attack instances more than doubled — from 5,828 last week to 13,716 this week — driven primarily by a massive concentration on Romanian infrastructure. A total of 50 JSON target files were recovered, with March 20 alone accounting for 16 separate update cycles, the highest single-day cadence recorded in this campaign series to date.
The geographic pivot from Cyprus (last week’s primary at 52.5%) to Romania (this week at 64.5%) is the most dramatic week-over-week shift observed in the current NoName057(16) campaign cycle:
- Romania accounted for 64.5% of all attack entries (8,852 attacks) across 68 unique targets
- International / Commercial domains (primarily Romanian, Israeli, and Danish entities on .com/.org TLDs) comprised 16.5% (2,257 attacks) across 28 unique targets
- Israel received 15.5% of attacks (2,129 attacks) across 35 unique targets
- Denmark received 2.3% of attacks (322 attacks) across 14 unique targets — appearing for the first time in this campaign cycle
- Greenland received 0.7% (96 attacks) across 7 unique targets — a new addition targeting aviation and maritime infrastructure
- European Union (.eu TLD) received 0.4% (60 attacks) across 1 unique target
Distribution by Country (SOCRadar DDoS Threat Intelligence)
The sudden concentration on Romania reflects a deliberate strategic decision rather than a gradual shift. Romania’s role as a NATO eastern flank member bordering Ukraine — hosting NATO air defense assets and serving as a primary logistics corridor for Western military aid — makes it a high-value recurring messaging target for NoName057(16). The group last targeted Romania as a secondary target the previous week; this week it became the dominant focus with a 17x increase in attack volume.
The emergence of Denmark and Greenland as new targets is geopolitically significant. Denmark is a NATO member with active military commitments in Europe, and Greenland has been at the center of heightened geopolitical attention following renewed discussions about its strategic Arctic status. NoName057(16)’s addition of Greenlandic infrastructure (airports, ferries, tourism) to its target list signals awareness of and responsiveness to this broader geopolitical conversation.
Targeted Sectors
The campaign demonstrated a broad multi-sector targeting strategy with particularly intense focus on the Romanian financial system and transportation network, while sustaining Israeli defense-industrial targeting for the second consecutive week.
Distribution by Industry (SOCRadar DDoS Threat Intelligence)
Key targeted sectors included:
- Private Sector — Other (45.1%) — Legal associations, trade registries, travel companies, and general commercial entities primarily in Romania and Israel
- Finance & Insurance (17.6%) — Romanian banks (BCR, Eximbank, IFB Finwest, IBR-RBI, Groupama, BRCI), insurance providers, broker networks, and stock exchange; Israeli insurance and investment entities
- Transportation & Logistics (15.3%) — Romanian rail operators (CFR Calatori, GFR, Tim Rail Cargo, e-prail, DB Cargo Romania), Bucharest Metro, Baneasa Airport; Greenland airports and Air Greenland
- Government (10.7%) — Romanian ministries (Defence, Finance, Justice, SMEs), parliament (Senate, Chamber of Deputies), supreme courts, and financial regulators
- Energy & Industrial (6.5%) — Romanian refineries (RAFO), aluminium producers (Alro), energy companies (Engie, Electroputere), oil terminal operators, Danish energy grid operator (Energinet)
- Defense Industry (3.6%) — Magam Safety (Israeli defense, #1 most attacked host overall), Elbit Systems (Israeli defense contractor)
- Media (1.1%) — Hotnews.ro (Romania’s leading news portal), Jerusalem Post, Sting TV Israel
- Telecommunications (0.1%) — Israeli mobile operators
The financial sector’s 17.6% share is a notable increase from last week’s 8.6%, driven by a coordinated sweep of Romania’s banking and insurance ecosystem. Six Romanian financial institutions were targeted simultaneously — a pattern consistent with maximizing economic uncertainty and testing the collective resilience of Romania’s financial digital infrastructure rather than focusing on any single institution.
The sustained Defense Industry targeting (3.6%) — with Magam Safety now the single most-attacked host in the dataset at 460 instances — confirms that NoName057(16)’s targeting of Israeli defense entities, first observed last week, has intensified rather than been a one-off selection.
Attack Techniques and Methods
NoName057(16) employed a multi-vector attack strategy consistent with previous campaigns, maintaining application-layer dominance while slightly increasing TCP-layer deployment compared to last week.
Most common methods observed:
- HTTP GET Flood attacks (55.3% — 7,579 attacks)
- HTTP POST-based attacks (34.1% — 4,679 attacks)
- TCP SYN Flood attacks (10.6% — 1,448 attacks)
- UDP Flood attacks (0.1% — 10 attacks)
Attack Methods Distribution (SOCRadar DDoS Threat Intelligence)
HTTP GET (55.3%) and POST (34.1%) floods together account for 89.4% of all attack methods — an even higher application-layer (L7) proportion than last week’s already-record 82.4%. This continued shift away from TCP-layer volumetric flooding toward pure L7 application exhaustion suggests the DDoSia tool configuration for this target set is optimized for HTTPS web application flooding, reflecting the prevalence of CDN-protected infrastructure among Romanian financial and government targets.
TCP SYN floods (10.6%) dropped from last week’s 16.7%, deployed mainly against Romanian energy and logistics targets where direct TCP-layer attacks remain effective. Port targeting remained heavily HTTPS-concentrated: Port 443 received 12,786 attacks (93.2% of all traffic). Port 80 received 930 attacks (6.8%), notably higher than last week’s 2.5% — reflecting the greater number of Romanian legacy infrastructure targets (government sub-portals, trade registries, legal databases) still operating on unencrypted HTTP.
Attack types distribution:
- HTTP/1.1 application-layer attacks: 6,827 attacks (49.8%)
- HTTP/2 application-layer attacks: 4,819 attacks (35.1%)
- TCP-layer attacks: 1,448 attacks (10.6%)
- HTTP/3 application-layer attacks: 612 attacks (4.5%)
- Application-layer (nginx_loris / UDP): 10 attacks (0.1%)
Attack Types Distribution (SOCRadar DDoS Threat Intelligence)
HTTP/1.1 (49.8%) and HTTP/2 (35.1%) together account for 84.9% of all attack traffic, confirming the L7-dominant signature as a deliberate, sustained tactical approach rather than a one-week anomaly. The HTTP/3 component (4.5%) is essentially unchanged from last week (4.6%), maintaining a stable QUIC-protocol attack capability across consecutive campaigns.
2. Most Targeted Organizations
The campaign targeted a strategically curated set of Romanian financial institutions, transportation operators, energy companies, government bodies, Israeli defense entities, and Danish civic infrastructure. The Romanian target selection demonstrates particular depth — the group appears to have systematically covered Romania’s most economically significant digital assets across multiple sectors simultaneously.
Top Targeted Hosts and IP Addresses (SOCRadar DDoS Threat Intelligence)
Romania — Primary Target (64.5%)
Romania received 8,852 attack instances across 68 unique targets. The targeting profile is notable for its breadth across the Romanian economy: financial services, rail freight, oil and energy, government registries, legal institutions, and logistics all appear simultaneously. This suggests the group is attempting to create a nationwide perception of digital vulnerability rather than targeting a single high-profile symbolic entity.
Israel — Sustained Secondary Target (15.5%)
Israel received 2,129 attack instances across 35 unique targets — a significant increase from 739 last week despite Cyprus almost entirely dropping out. This confirms that Israeli targeting is independently motivated and runs as a persistent campaign thread parallel to the weekly geographic rotation, not simply a filler in the target list.
The most significant development is Magam Safety (magam-safety.com) rising to #1 most attacked host in the entire dataset at 460 instances — up from 69 attacks last week. Magam Safety is an Israeli safety and defense equipment manufacturer supplying protective gear and systems to security and military clients. Its position at the top of the attack frequency list — ahead of all Romanian financial and government targets — signals that NoName057(16) has identified Israeli defense-industrial entities as a priority targeting category in their own right.
Elbit Systems (elbitsystems.com) also reappears at 30 attacks. The Israeli municipal sweep continues: Rosh HaAyin (238), Ariel (150), Eilat (44), Modiin (44), Arraba (26), Lod (22), Abu Ghosh (46) — seven city portals across Israel’s geographic spread, consistent with the nationwide municipal targeting strategy maintained across both weeks.
Denmark — New Target (2.3%)
Denmark appears for the first time in this campaign cycle with 322 attacks across 14 unique targets. The Danish target list is notable for its political and judicial diversity: political parties (Konservative, Socialistisk Folkeparti, Radikale Venstre, Borgernes Parti), courts (district courts, commercial court, Director of Public Prosecutions), municipal authorities (Taarnby, Ringsted), and energy infrastructure (Energinet — Denmark’s national electricity and gas transmission operator).
This breadth is consistent with the group’s pattern of introductory shallow sweeps before intensifying — Denmark’s NATO membership and active Ukraine support posture likely drove its selection, and the current targeting level may be a precursor to a more concentrated campaign in subsequent weeks.
Greenland — New Target (0.7%)
The appearance of Greenlandic targets — Air Greenland (airgreenland.com, e-commerce.airgreenland.com), Greenland Airports (airports.gl), Diskoline ferry service (www.diskoline.gl), navigation services, and Greenland Travel — is the week’s most geopolitically distinctive element.
Greenland’s aviation and maritime infrastructure constitutes the island’s critical connectivity backbone given its geographic isolation. NoName057(16)’s inclusion of Greenlandic targets signals direct responsiveness to the renewed international geopolitical attention on Greenland’s strategic Arctic status — the group is using its target list as a barometer of Russian-aligned geopolitical grievances, and Greenland’s elevated strategic profile has now placed it within scope.
3. Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and operationally consistent hacktivist actors conducting sustained DDoS campaigns against NATO member states, EU countries, and nations perceived as supporting Ukraine.
Threat actor card of NoName057(16)
The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram. Target lists are updated multiple times daily, with this week’s 50 files across 7 days representing an average of 7 updates per day — significantly higher than last week’s 4 per day — and March 20 alone producing 16 separate update cycles.
The week-over-week comparison demonstrates the group’s rapid geographic pivoting capability: Cyprus dominated last week at 52.5% but is almost absent this week, while Romania surged from 8.9% to 64.5%. This agility — sustained at high operational tempo across two consecutive weeks with a completely different primary target — confirms automated C2 infrastructure capable of rapid target list regeneration without operational pause.
4. Mitigation and Recommendations
Organizations in the affected sectors — particularly Romanian financial institutions, transportation operators, energy companies, government ministries, Israeli defense-industrial entities, and Danish civic infrastructure — should implement the following measures:
- Romanian Financial Sector: Prioritize L7 Protection Immediately. Six Romanian financial institutions were targeted simultaneously this week. Banking portals and insurance broker systems should activate CDN-backed WAF rules tuned for high-volume HTTPS GET and POST request floods. BCR, EximBank, and Groupama in particular should verify L7 DDoS mitigation is active at application ingress, not just at network perimeter.
- Rail and Logistics Operators: Harden Booking and API Endpoints. CFR Calatori (main site and ticket booking portal), GFR, Tim Rail Cargo, and e-prail were all targeted within the same campaign window. Rail operators should apply rate limiting specifically to booking and API endpoints, which are targeted with POST floods designed to exhaust backend processing capacity rather than network bandwidth.
- Energy Sector: Separate Public-Facing from Operational Infrastructure. RAFO, Alro, Electroputere, and Energinet (Denmark) were all targeted. Energy companies should ensure public-facing web infrastructure is architecturally isolated from operational technology (OT) and SCADA systems. DDoS attacks against public portals should have no pathway to industrial control systems.
- Defense-Industrial Entities: Elevate to Sustained Alert Posture. Magam Safety has now been the top-attacked host for two consecutive weeks with dramatically escalating frequency (69 attacks last week, 460 this week). Israeli defense contractors should treat this as a persistent, intensifying campaign thread and deploy dedicated DDoS mitigation for all externally-accessible web properties. Elbit Systems also reappears, confirming this category of targeting is structural.
- Danish and Greenlandic Organizations: Prepare for Potential Escalation. The appearance of Danish political parties, courts, and energy infrastructure, plus Greenlandic aviation and maritime assets, is consistent with the group’s pattern of introductory shallow sweeps before intensifying in subsequent weeks. Organizations in Denmark and Greenland should review current DDoS resilience postures now, before this potentially escalates into a primary campaign focus.
- Monitor SOCRadar DDoS Intelligence for Target List Updates. With 50 target list updates in 7 days and an accelerating update cadence, early warning is critical. SOCRadar continuously monitors DDoSia Telegram channels and provides pre-attack alerts when organizations appear on target lists, enabling preemptive defensive posture before attack traffic arrives.
5. Conclusion
Between March 17 and 23, 2026, NoName057(16) conducted its most intensive weekly DDoS campaign in the current cycle, generating 13,716 attack instances — more than double the previous week’s 5,828 — across 148 unique targets and 134 unique IP addresses. The complete geographic pivot from Cyprus to Romania as the primary target (64.5%) demonstrates the group’s operational agility and the automated C2 infrastructure enabling rapid, high-volume target list regeneration.
The Romanian campaign was notable for its economic breadth: six banks and insurers, multiple rail operators and logistics companies, refineries, industrial manufacturers, and government ministries were struck simultaneously — a strategy designed to create a nationwide perception of digital vulnerability across Romania’s most economically significant sectors at once.
The continued and intensifying Israeli defense-industrial targeting — with Magam Safety reaching 460 attack instances, the highest single-host frequency recorded in this campaign series — confirms that this thread is independently motivated and persistent. Combined with Elbit Systems’ continued presence, NoName057(16) is maintaining deliberate, sustained pressure on Israeli defense supply chain entities for the second consecutive week, consistent with the Russia-Iran strategic alignment context discussed in last week’s report.
SOCRadar continues our commitment to protecting organizations with enhanced DDoS threat intelligence capabilities. We are continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns.
