Summary

In the wake of Spanish Authorities arresting three individuals associated with NoName057(16), the group declared a "holy war" on Spain. The call to arms encourages all pro-Russian hacker groups to join under the hashtag #FuckGuardiaCivil. Over the past two days, NETSCOUT observed a significant increase in claimed attacks on Spanish websites, coinciding with the call to arms in retaliation for the arrests made. Despite the surge in hacktivist targeting and claims of victory, the daily DDoS attacks manifest as a normal day for Spanish network operators.

Analysis

Since the hacktivist call to arms, the number of DDoS attacks against Spain have thus far been within the normal bounds of attacks seen against the country. In fact, they have been lower in July than at nearly any other time in 2024. As of the time of this writing, July 23 is on track to continue the upward trajectory started on the 22nd (Figure 1) and we may see the highest point of attacks in all of July, but still quite below surges seen earlier in the year. It’s almost certainly true that this most recent spike is a direct tie to the retaliation of NoName057(16) and other hacktivist groups. Should we see a dramatic increase in the number of attacks, we will amend this blog with additional details and characteristics of the attacks.

In the past two days, at least a dozen hacktivist groups converged on Spain, attacking more than fourteen industries with a specific focus on Government and Transportation (Figure 2 & 3). From July 1 to July 21, we only observed one public claim from a hacktivist against Spain. While Figure 1 (above) shows a common pattern of attacks and surges, they were not accompanied with public claims of outages by adversaries.

There are several groups targeting the same industries (Figure 4), but it’s most notable that NoName057(16) has a much larger set of websites and industries in configurations for active campaigns between July 22 and 23.

What's Next?

DDoS Hacktivists began surfacing in large numbers in early 2022 and their activity continues to increase. A notable trend, as seen with this attack campaign on Spain, is the forming of coalitions within the DDoS Hacktivist community. This is but one of many in recent weeks. CyberDragon, one of the participating groups attacking Spain, recently joined South Korea Company as noted in blogs we published on South Korean and Romanian DDoS attack campaigns. Many of these attacks take the form of common-place volumetric attacks, but where NoName057(16) is involved, expect to see http/s, http2, http3 attacks along with the TCP and UDP flooding. Organizations should prepare and plan to have a DDoS Protection Solution, like NETSCOUT’s Arbor DDoS, in place to properly defend against these waves of attacks.