
UK NCSC Warning on Pro-Russian Hacktivist DDoS Threat to Local Government and Critical Infrastructure

hacktivist-operation, operational-disruption, critical-infrastructure-threat, government-diplomatic-threat
Updated March 21, 2026 at 02:50 PM | 9 sources

The UK’s National Cyber Security Centre (NCSC) issued a renewed warning that Russian-aligned hacktivist groups continue to target UK local authorities and critical national infrastructure (CNI) with disruptive denial-of-service (DoS/DDoS) activity intended to take public-facing websites and online services offline. The alert emphasizes that while these attacks are often technically simple, they can still create significant operational disruption and recovery costs, and the NCSC urged organizations—especially those providing essential services—to review and implement its publicly available DoS resilience guidance.

The NCSC highlighted the ongoing activity of NoName057(16), an ideologically motivated pro-Russian actor associated with the DDoSia crowdsourced DDoS platform, noting that prior international law-enforcement disruption (including server takedowns and arrests under Operation Eastwood) did not eliminate the threat and the group has resumed operations. The warning also aligns with broader international advisories that have named additional pro-Russian hacktivist groups (including Cyber Army of Russia Reborn (CARR), Z-Pentest, and Sector16) as part of the wider DoS threat to Western organizations and critical services.

Timeline

  1. Jan 21, 2026

    U.K. announces Government Cyber Action Plan funding

    By 2026-01-21, reporting on the NCSC warning noted that the U.K. government had announced a Government Cyber Action Plan to improve the security and resilience of online public services. The plan was backed by £210 million in funding.

  2. Jan 19, 2026

    NCSC publishes mitigation guidance for DDoS and OT risks

    Alongside its January 2026 warning, the NCSC urged organizations to improve resilience through upstream DDoS protections, scalable infrastructure, tested response plans, monitoring, and review of OT and remote-access exposures. The guidance emphasized that pro-Russian hacktivists are increasingly targeting systems underpinning critical services and may affect operational technology environments.

  3. Jan 19, 2026

    NCSC issues alert on ongoing attacks against U.K. organizations

    On 2026-01-19, the U.K. National Cyber Security Centre warned that Russian-aligned hacktivists continued to target U.K. local authorities, critical national infrastructure, and other organizations with disruptive DoS and DDoS attacks. The agency highlighted NoName057(16) as a persistent threat and said even low-sophistication attacks can cause significant operational and financial disruption.

  4. Dec 1, 2025

    International advisory attributes attacks to pro-Russian hacktivists

    In December 2025, the U.K. co-signed an international advisory warning that pro-Russian hacktivist groups were conducting cyber operations worldwide against government, private-sector, and critical infrastructure organizations. The advisory named groups including Cyber Army of Russia Reborn, Z-Pentest, Sector16, and NoName057(16).

  5. Jul 1, 2025

    Operation Eastwood disrupts NoName057(16) infrastructure

    An international law enforcement action known as Operation Eastwood disrupted NoName057(16) in July 2025. Despite the disruption, the group later resumed activity because key operators were believed to remain in Russia and outside investigators' reach.

  6. Mar 1, 2022

    NoName057(16) begins pro-Russian DDoS operations

    The pro-Russian hacktivist group NoName057(16) became active in March 2022, launching ideologically motivated DDoS campaigns against organizations in NATO countries and other states viewed as hostile to Russia.


Related Stories

Pro-Russia Hacktivist Attacks on Critical Infrastructure via Exposed VNC and OT Systems

Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16, have escalated their operations from DDoS attacks to targeting operational technology (OT) systems in critical infrastructure sectors such as water, food, agriculture, and energy. These groups exploit exposed Virtual Network Computing (VNC) connections with weak security, using tools like Nmap and brute-force attacks to gain access to human-machine interfaces (HMIs). Once inside, they manipulate system parameters, disable alarms, and cause operational disruptions, often publicizing their actions for propaganda purposes. The U.S. and international cybersecurity agencies have issued joint advisories detailing these tactics, highlighting the opportunistic nature of these attacks and the use of MITRE ATT&CK techniques ranging from reconnaissance to impact, including "loss of view" scenarios that force manual intervention. Recent U.S. government indictments and sanctions confirm that CARR was founded and directed by Russian military intelligence (GRU) as a means to conduct unattributable disruptive operations. Notable incidents attributed to these groups include attacks on public drinking water systems, resulting in water spills, and a Los Angeles meat processing facility, which suffered spoiled products and an ammonia leak. While the technical sophistication of these actors is limited, their ability to cause downtime, remediation costs, and occasional physical damage underscores the persistent risk posed by exposed OT systems and weak remote access protections in critical infrastructure environments.

1 month ago

NoName057(16) DDoSia Campaigns Targeting Belgium and NATO Entities

Pro-Russian hacktivist group NoName057(16) conducted a large-scale distributed denial-of-service (DDoS) campaign between December 8 and 14, 2025, primarily targeting organizations in Belgium and Ukraine. The campaign, orchestrated using the group's proprietary DDoSia tool, resulted in over 4,400 recorded attacks against 155 unique domains and 144 IP addresses, affecting both private sector infrastructure—such as telecommunications, utilities, and industrial organizations—and high-value government and defense-related services. The attacks also impacted European Union institutions and international organizations, highlighting the group's broad targeting scope and operational reach. NoName057(16) is a pro-Russian hacktivist collective with origins linked to the Kremlin-backed Centre for the Study and Network Monitoring of the Youth Environment (CISM). The group leverages Telegram for coordination and GitHub for tool distribution, and has expanded its influence through collaborations with other pro-Russian groups, including the Cyber Army of Russia Reborn (CARR). Their operations have increasingly focused on NATO member states and adversaries of Russian geopolitical interests, with the DDoSia tool serving as a central component in mobilizing and executing attacks against critical infrastructure and government entities across Europe.

1 month ago

NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest

SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.

1 month ago
