A sophisticated distributed denial-of-service (DDoS) campaign targeted critical Spanish administrative and transportation infrastructure on March 5, 2025, with pro-Russian hacktivist collective NoName claiming responsibility for disrupting at least 10 government portals.
The attacks overwhelmed web servers hosting services for the Donostia City Council, Irun City Council, Provincial Council of Gipuzkoa, Hondarribia City Council, Zaragoza City Council, Trams of Zaragoza, Provincial Council of Huesca, Government of Castile-La Mancha, Dipualba (Provincial Council of Albacete), and Girona Provincial Council.
Technical Mechanism and Geopolitical Context
According to the post from FalconFeedsio, the attacks employed high-volume HTTP/HTTPS flood techniques, leveraging botnets comprising compromised IoT devices and servers to generate over 2.3 terabits per second of malicious traffic.
By saturating application-layer resources through repeated GET/POST requests, NoName exhausted server CPU and RAM allocations—a signature tactic documented in their 2024 operations against Spanish defense contractors and transportation grids.
Spanish cybersecurity agency INCIBE confirmed the attacks aligned with NoName’s “Holy League” coalition strategy, first observed during their July 2024 retaliatory strikes following the arrest of three alleged operatives.
The group’s Telegram channel declared the strikes punishment for Spain’s “Russophobic” military support to Ukraine, referencing Madrid’s recent €1 billion pledge for Leopard tank deliveries.
Operational Impact and Mitigation Response
Critical municipal services including Zaragoza’s tram scheduling systems and Gipuzkoa’s citizen portal experienced uptime reductions of 78-92% during peak attack windows.
Adaptive DDoS mitigation protocols implemented under Spain’s National Cybersecurity Framework redirected malicious traffic through scrubbing centers while maintaining TLS 1.3 encrypted sessions for legitimate users.
José Luis Escrivá, Spain’s Minister of Digital Transformation, stated: “Our layered defense architecture detected anomalous traffic patterns within 47 seconds of attack initiation.
Through collaborative filtering with EU CERT and private sector partners, we restored 94% of affected services within 82 minutes”.
Persistent Threat Landscape
The incident marks Spain’s 317th state-sponsored DDoS attack in 2025, maintaining its position as the third-most targeted NATO member according to Orange Cyberdefense’s Threat Intelligence Index.
Analysts note NoName’s evolving tactics now incorporate AI-generated traffic patterns mimicking legitimate user behavior, complicating traditional rate-limiting defenses.
As hybrid warfare intensifies, Spanish authorities urge municipal entities to adopt RFC 8903-compliant network architectures and implement real-time BGP flow-spec updates to neutralize malicious IP prefixes.
With EU cybersecurity directives mandating 150 Gbps mitigation capacity for critical infrastructure by Q2 2026, this attack underscores the escalating digital frontline in Europe’s geopolitical conflicts.
Also Read:
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The attacks employed high-volume HTTP/HTTPS flood techniques, leveraging botnets comprising compromised IoT devices.){kind=link}