Rising Cyber Tensions: NoName057(16)’s hacktivist activities reach the Netherlands

The geopolitical landscape has undeniably shifted since the Russian invasion of Ukraine on February 24, 2022. This invasion not only underscored the unsettling reality that peace in Europe can no longer be taken for granted, but also validated earlier assessments—circulating among Dutch intelligence services, cyber communities, and various governmental bodies—that the conflict would accelerate a growing trend known as hacktivism, a form of cybercrime driven by political or ideological motives.[1]

Although the aliases NoName057(16), 05716mm or Nnm05716, were already known within different European investigation services, which led in the summer of 2024 to the arrest of three members of this hacktivist group in Spain[2], this group wasn’t widely known by the broader Dutch public. However, that changed over the past year, especially following the preparations of the NATO Summit 2025 hosted in The Hague. Since then, pro-Russian hacktivist groups have become increasingly active, targeting Dutch public and private entities in politically motivated cyber operations.

In this evolving threat landscape, organizations and businesses in the Netherlands are being forced to adopt a more proactive stance in strengthening their digital resilience. Beyond traditional cybercrime, they must now also consider the motives and tactics of politically driven adversaries such as Killnet and NoName057(16), two prominent pro-Russian hacktivist groups. While NoName057(16) is known for its persistent and disruptive DDoS attacks targeting Western entities, Killnet has gained notoriety for high-profile operations aimed at destabilizing European infrastructure and spreading pro-Kremlin propaganda.[3] These groups represent a new and emerging category of threat: ideologically driven cyber actors operating in the grey area between state-sponsored and non-state activities. In the context of so-called "hacktivism", the group NoName057(16) has recently focused its activities on Dutch public institutions and private companies that support the Ukrainian cause, either directly or indirectly.

Countering the activities of NoName057(16) requires an understanding of both the group's specific ideological motivations and objectives, as well as their distinct modus operandi. In our Country Threat Profile on the Russian Federation, we explore the motivations and strategic objectives driving Russian threat actors. While the operational behavior of NoName057(16) aligns with one of Russia's broader strategic aims of disruption - particularly in its efforts to undermine Western influence[4] - their hacktivist campaign warrants further analysis. Therefore, gaining insight into this evolving threat landscape is essential, especially for Dutch cybersecurity operators who have the responsibility to support public and private sectors. 

Driven by strong beliefs

NoName057(16) is known for hampering continuity and for attacks interrupting business and organizations perceived as hostile to Russian interests, especially in the context of the Russia-Ukraine war. Their ideological motivation is rooted in strong nationalist sentiments and support for the Russian government. They primarily target Western countries, NATO members, and Ukrainian allies. Driven by pro-Russian nationalism, the hacktivist group is primarily politically motivated. While clearly ideologically aligned with Russia, there’s no hard evidence that NoName057(16) is formally part of the Russian state apparatus, a state sponsored APT group, or that it collaborates with other threat actors. Therefore, various cyber experts label them as a patriotic “lone wolf”.[5] Russia's invasion of Ukraine intensified NoName057(16)'s efforts to disrupt support for Ukraine and their manifesto further underscored their antagonism towards NATO member states. Since the war began in 2022, Russian cyberattacks on Ukraine have surged, rising nearly 70% in 2024.[6] This surge could be seen as the perfect reflection of ‘hybrid warfare’ where conventional and unconventional forces become intertwined.  

In contrast to activities such as espionage, the operations carried out by NoName057(16) are technically less sophisticated. This distinction is understandable given the differing objectives. For example, while espionage focuses on remaining undetected within a network for as long as possible, hacktivist groups like NoName057(16) prioritize disruption and chaos. Their intent is to attract attention and public recognition for their perceived “successful” operations. An example of NoName057(16)’s ideological motives can be found in Italy in 2025 when the hacktivist group had begun targeting various public institutions and private organizations. This new wave of cyberattacks coincided with the visit of Ukrainian President Zelensky to the country during the same month.[7] 

The Netherlands - confronted with NoName's DDoS attacks

Groups like NoName057(16) and Killnet have extended the Russia-Ukraine conflict online, targeting supply chains and pro-Ukraine governments globally. In the run-up to the NATO summit, various Dutch public entities were being confronted with the disruption of NoName’s DDoS attacks. This involves directing large volumes of traffic at a website or online service, causing it to slow down or crash. Just this week, as the NATO summit got underway in The Hague, a dozen Dutch organizations, including several municipalities, were impacted by DDoS attacks, for which NoName claimed responsibility.

This came after an earlier attack, on April 28th, which saw the group launch DDoS attacks against 19 municipal and provincial websites in the Netherlands. Among the targeted entities were the provinces of Groningen and Noord-Holland, as well as municipalities and cities such as Breda.[8] Although the official websites were offline for only a few hours and the overall impact of these attacks was relatively limited, the same cannot be said for a previous DDoS attack targeting Logius, the ICT administrator of the Dutch Ministry of Internal Affairs, a month earlier. This earlier incident led to a temporary shutdown of DigiD, the Dutch digital identity management platform. As a result, citizens were unable to log in to essential online services provided by agencies such as the Belastingdienst (Tax Administration) — particularly disruptive given the timing of the annual tax declaration — as well as the UWV (Employee Insurance Agency), DUO (Education Executive Agency), and various hospital patient portals.[9]  In a message posted on Telegram on May 1st, the group declared their intention to continue their cyber activities as long as the Netherlands maintains its military support for Ukraine. Given the recent announcement by the Dutch government that it will allocate an additional €3.5 billion in military aid in 2026,[10] the likelihood of further attacks by NoName057(16) against Dutch organizations is high.  

Creating a community and the role of DDoSia

What makes NoName057(16) an interesting ‘study-object’ is the fact that their primary communication channel is Telegram and the role of the DDoSia-project in this. The group uses Telegram as a platform to recruit hackers, claim responsibility for cyberattacks, and disseminate content. Their Telegram channel functions as an active community, offering technical support, educational materials, and memes. Based on NoName’s Telegram channel, it can be concluded that the group highly values public recognition of its attacks, including mentions in online sources such as Wikipedia.[11] To gain greater support for their activities and effectively mobilize their community, NoName strategically leverages DDoSia, a tool launched on Telegram in 2022. Rather than operating a traditional botnet, the group leverages a volunteer-based system, mobilizing supporters - referred to as “heroes” - via Telegram. These individuals install the DDoSia client on their personal devices to participate in coordinated DDoS attacks. Volunteers register through a Telegram bot, which provides them with a unique ID and a link to download the DDoSia software. Registration includes submitting a crypto wallet address, enabling participation in a performance-based reward system. Payouts, distributed in cryptocurrencies like Bitcoin, Ethereum, or Tether, are tied to daily attack activity, with a competitive leaderboard published on the Telegram channel. Top contributors can earn up to RUB 80,000 per day. [12]

This underlines the fact that Telegram plays a central role in NoName057(16)’s operations, serving as both a recruitment platform and a coordination hub. Unlike other cyber collectives, NoName does not solicit public donations, leaving the source of its funding unclear. For entities that fit the victim profile of NoName, the danger of DDoSia lies in increased attack scale and persistence, targeting critical infrastructure and public services; however, NoName’s reliance on volunteer botnets may expose the group's operations to infiltration and monitoring, offering intelligence opportunities. Nevertheless, given the escalating geopolitical tensions and their actions during this week's NATO summit, it is essential not to underestimate the capabilities of NoName057(16) or the level of threat they pose to both the Dutch public and private sector. 

How to strengthen your resilience against hacktivist groups like NoName057(16)? 

To defend against DDoS attacks like those carried out by NoName057(16), we advise organizations to establish a layered security strategy. Using cloud-based DDoS mitigation services, such as Cloudflare or AWS Shield, to route traffic through their global infrastructure, and inspect and filter it, so that only clean traffic is forwarded. Through this scrubbing process (large volumes of) malicious traffic are absorbed and filtered before they reach critical systems of organizations. 

This can be complemented with a Web Application Firewall (WAF) to block malicious requests at the application layer, where web applications, APIs, and user-facing services operate (such as loading a website, submitting a form, or calling an API endpoint). DDoS attacks at this layer are often designed to overwhelm application logic rather than saturate network bandwidth, as they can more easily bypass traditional firewalls because the requests look like normal user behavior.

Furthermore, it is always advisable to implement rate limiting and geo-blocking to filter out suspicious or unnecessary traffic early. This can further reduce exposure at the application layer. However, recent attacks indicate a trend in which NoName is successfully circumventing this mitigation measure; using IP addresses within a country to ensure geo-filtering doesn’t work anymore. To tackle this, it is advisable to use dynamic, real-time threat feeds to identify IPs, ASNs, or domains linked to malicious activity and to combine this with internal historical data to build an adaptive blocklist that goes beyond simple geofencing.

Companies and organizations should also implement real-time traffic monitoring and automated anomaly detection systems that can instantly identify unusual traffic spikes or patterns. While DDoS attacks typically strike without warning, early recognition (even within the first few seconds) can help trigger automated mitigation mechanisms before the attack fully disrupts services. In parallel, having a rehearsed DDoS incident response plan ensures that teams can act quickly when an attack does occur, minimizing downtime and therefore impact.  

In a time when politically motivated DDoS attacks are increasingly common, being unprepared is no longer an option: resilience starts with readiness. With the right defenses in place, their impact can be controlled. The best defense against disruption is preparation, and in the case of DDoS, every second counts.

References

1. https://www.ncsc.nl/documenten/publicaties/2023/februari/21/vier-cybersecuritylessen-uit-een-jaar-oorlog-in-oekraine
2. https://therecord.media/spain-arrest-NoName-russia-hackers
3. https://www.cyfirma.com/research/evolution-of-killnet-from-hacktivism-to-private-hackers-company-and-the-role-of-sub-groups/
4. https://www.huntandhackett.com/members/countries/russia
5. https://therecord.media/noname-hacking-group-targets-ukraine-and-allies
6. https://cybelangel.com/unmasking-NoName05716/
7. https://securityaffairs.com/177312/hacktivism/pro-russia-hacktivist-group-NoName05716-is-targeting-dutch-organizations.html
8. https://securityaffairs.com/177312/hacktivism/pro-russia-hacktivist-group-NoName05716-is-targeting-dutch-organizations.html
9. https://nos.nl/artikel/2560424-digid-opnieuw-tijdelijk-onbereikbaar-geweest-door-ddos-aanval
10. https://www.bleepingcomputer.com/news/security/pro-russia-hacktivists-bombard-dutch-public-orgs-with-ddos-attacks/
11. https://www.sentinelone.com/labs/NoName05716-the-pro-russian-hacktivist-group-targeting-nato/
12. https://www.ncsc.admin.ch/ncsc/en/home/dokumentation/berichte/fachberichte/ddos-bericht-6-2023.html

Learn more about Russian threat actors

Explore the origins, motivations, and tradecraft of Russia’s top advanced persistent threats. Our in-depth threat profiles reveal how these actors operate, the attacks they’ve carried out, and the structures that support and fund them behind the scenes. Request access to our Members’ Portal to unlock full insights.

APT29

APT29 is a stealthy and adaptive threat actor linked to major intrusions, including the notorious SolarWinds supply chain attack.

Read more

Sandworm

Sandworm specializes in disruptive attacks on critical infrastructure, with a history of bold, destructive operations.

Read more

APT28

APT28 (Fancy Bear) is a prolific espionage group known for high-impact campaigns like the 2016 DNC hack.

Read more