Attack Summary: DDoS Attack Targeting a Romanian Government Entity
On June 9, 2026, at 14:32 UTC, our Threat Protection platform detected and mitigated an Application Layer (L7) Distributed Denial-of-Service (DDoS) attack targeting a Romanian government entity. The objective of the attack was to disrupt the availability of one of the customer’s primary websites. Technical analysis of the attack data and traffic revealed behavioral signatures and origin indicators closely associated with a Russian-based origin. The attack was fully absorbed using intelligence-driven and automated DDoS defenses, resulting in no disruption or downtime for the customer.
This incident closely mirrors the current DDoS threat landscape across Western countries in 2026. Recently, there has been a documented rise in DDoS attacks where public sector agencies and government infrastructure have increasingly become primary targets for geopolitical hacktivism and sophisticated botnet campaigns. Threat actors are frequently employing distributed, global networks to execute rapid "hit-and-run" strikes that challenge the response times of traditional security perimeters.
The characteristics of this specific event align with these broader trends. The malicious traffic was highly disruptive, originating from several hundred IP addresses spread across 165 autonomous systems in 54 countries. The highest volumes of attack traffic originated from the United States, Italy, Finland, Brazil, Germany, Indonesia, the Netherlands, Lithuania, Thailand, and France. A substantial portion of the malicious traffic was routed through anonymization proxies, highlighting the necessity for defenses that analyze real-time behavior rather than relying solely on static defenses.
During the attack window, the targeted website received approximately 515k attack requests and 713k total packets. The assault followed a distinct behavioral pattern: it began with a large flood of HTTP requests in the first few seconds, transitioned into a sustained attack for one minute, and concluded with a one-minute wind-down period with negligible attack traffic. At its peak, the attack reached a request rate of 17k requests per second and a data throughput of 510 Mb/s. Throughout the sustained phase, the average rate leveled out at 7.6k requests per second and 64 Mb/s. Individual source IPs generated an average of 800 requests per second, with the most aggressive sources peaking at 1.5k requests per second.

Fig: Attacking traffic request/s
Through the immediate application of automated mitigation, the platform successfully isolated and filtered the malicious requests, preserving the stability and performance of the customer's web services without manual intervention.
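The per-second and per-source rates reported above are the kind of behavioral signal a defender can compute directly from request logs. The following Python example is added here for illustration and is not the platform's own detection logic; the sample events, the `build_sample` and `profile` functions and the `per_ip_limit` threshold are constructed assumptions, with source addresses taken from documentation ranges.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed (epoch_second, source_ip) events, scaled down from the report."""
    events = []
    # Seconds 0-2: opening flood from three aggressive sources.
    for sec in range(0, 3):
        for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
            events += [(sec, ip)] * 150
    # Seconds 3-12: sustained phase at a lower per-source rate.
    for sec in range(3, 13):
        for ip in ("192.0.2.10", "198.51.100.7"):
            events += [(sec, ip)] * 80
    # A normal visitor making one request per second throughout.
    events += [(sec, "192.0.2.200") for sec in range(0, 15)]
    return events

def profile(events, per_ip_limit):
    """Summarise a request stream by behaviour rather than by origin.

    per_ip_limit is a hypothetical threshold in requests/second per source.
    """
    total = Counter()               # second -> requests from all sources
    per_ip = defaultdict(Counter)   # ip -> second -> requests
    for sec, ip in events:
        total[sec] += 1
        per_ip[ip][sec] += 1
    # Highest one-second rate each source ever reached.
    peak_per_ip = {ip: max(c.values()) for ip, c in per_ip.items()}
    flagged = {ip for ip, peak in peak_per_ip.items() if peak > per_ip_limit}
    # Traffic that would remain if the flagged sources were filtered.
    residual = Counter(sec for sec, ip in events if ip not in flagged)
    return {
        "peak_rps": max(total.values()),
        "peak_second": max(total, key=total.get),
        "peak_per_ip": peak_per_ip,
        "flagged": flagged,
        "residual_peak_rps": max(residual.values(), default=0),
    }

if __name__ == "__main__":
    report = profile(build_sample(), per_ip_limit=50)
    print(report["peak_rps"], sorted(report["flagged"]), report["residual_peak_rps"])
```

Because sources are flagged on their observed rate, the result does not depend on country or proxy status, and the ordinary visitor in the sample is left untouched.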
Threat Landscape Assessment: A Recent DDoS Campaign Targeting Romanian Websites in March 2026
Introduction
In light of the attack mitigated by Threat Protection, a wider examination of recent malicious activity revealed a series of systematic DDoS attacks against Romania in March 2026 by the pro-Russian hacktivist group NoName057. The wider campaign, which included multiple European countries, disproportionately affected Romania, as over half of the total attack traffic was aimed at Romanian infrastructure.
Assessment
The March campaign reflects the continued, high volumes of Russia-aligned threat activity against states perceived to support Ukraine politically, militarily, or economically. It is likely that the DDoS attacks were intended primarily to create temporary disruption, generate publicity, and signal retaliation against NATO-aligned support structures, rather than produce lasting, destructive effects. However, without adequate protection, websites and applications are prone to suffering unwanted downtime resulting in operational failure, economic losses, or reputational damage.
Situational Context
The campaign coincided with a period of elevated tension tied to the Russia-Ukraine war, NATO activity in the Black Sea region, and domestic political turmoil. Romania is currently navigating a severe political crisis following the collapse of its governing coalition and the subsequent ousting of Prime Minister Ilie Bolojan in a parliamentary no-confidence vote on May 5, 2026. These types of events are known to attract hacktivists, whose attacks are often triggered by geopolitical developments rather than purely criminal incentives. They tend to prefer politically symbolic victims, especially in government, transport, finance, and infrastructure sectors, targeting public-facing services for maximum visibility.
All of NoName057’s attacks were launched through its infamous DDoSia project, a custom botnet of volunteers who offer their own infrastructure to participate in the hacker group’s DDoS activity. The campaign’s operational characteristics are consistent with known NoName057 tradecraft, which includes application-layer DDoS attacks focusing on HTTPS-facing services, with volume and breadth sufficient to produce visibility and potential disruption across multiple sectors. The attack towards Threat Protection’s Romanian customer does not appear to show NoName057’s technical fingerprints, nor has the group claimed to be responsible. While the observed attack signatures point to a Russian threat actor, other origins are fully plausible.
Target Sectors
The victimology of the March DDoS campaign towards Romanian web entities demonstrates how threat actors are eager to hit important services that cater to the general public. Targeting the public, financial, and transport sectors provides maximum media and social amplification. Even short-lived outages can be used by hacktivist actors to claim operational success and broadcast political narratives. By focusing on these sectors, threat actors can create uncertainty and reinforce a perception of vulnerability among both institutions and the public.
- Government: Romanian public-sector organizations were a major focus. This sector likely represented the most politically symbolic category of targets and is consistent with NoName057’s history of targeting state institutions in countries aligned against Russian interests.
- Financial Services: Banks, financial institutions, and insurance-related entities were also subject to attacks. These organizations are high-visibility targets whose disruption can create disproportionate public concern even when outages are temporary.
- Transportation and Logistics: Transport-related organizations, including rail and aviation-associated services, were targeted. These sectors are frequently chosen in hacktivist campaigns because they are both symbolically national and operationally visible.
- Energy and Utilities: Energy-linked organizations were included in the campaign. This aligns with broader hybrid pressure patterns, in which disruption of essential services is used to reinforce political messaging and perceived insecurity.
- Commercial Services: The campaign also touched industrial and commercial organizations, suggesting the activity was not limited strictly to state targets but extended to nationally relevant economic entities.
Future Outlook
The March campaign was likely part of Russia-aligned hybrid pressure rather than a standalone cybercrime event. As of now, it remains unclear whether the attack mitigated by Threat Protection was part of a larger, coordinated effort to take down Romanian web services, or an isolated incident by an unknown threat actor. Regardless, Romania remains at risk of future DDoS waves because it matches the targeting logic of pro-Russia hacktivist groups and sits at the key intersection of the Ukrainian border, the European Union and the Black Sea trade and energy routes. Additionally, Romania currently allows the United States to deploy its military aircraft for refuelling, surveillance and satellite communications at domestic air bases, to support the ongoing military operations in Iran. This has fuelled threat activity from Iran-nexus groups earlier in 2026 and adds yet another dimension to the already complex geopolitical situation.
Overall, the threat of DDoS remains persistent due to its scalability, visibility, political utility, and low technical threshold compared to many other cyber operations. While DDoS attacks perpetrated by hacktivists are easy to attribute due to their attention-seeking nature, the vast majority of harmful DDoS traffic originates from unknown sources, hiding behind spoofed IPs, vast botnets of compromised devices or deceptive proxy networks. The threat is therefore ever-present and not just limited to times of political turmoil and tension. DDoS represents one of the most accessible attack vectors and is often the tool of choice for both amateur hackers and professional cybercriminals. Application-layer attacks in particular can be highly disruptive, as they exploit the asymmetrical nature of web applications: it takes very little computational power for an attacker to send a request, but it takes a massive amount of power for the server to respond to it.



