A coordinated distributed denial-of-service (DDoS) campaign targeted critical Spanish administrative and international cooperation portals on March 5, 2025, with pro-Russian hacktivist collective NoName claiming responsibility.
The attacks disrupted at least 10 entities, including the Donostia City Council, Zaragoza City Council, and the Spanish Agency for International Development Cooperation (AECID), through application-layer HTTP/HTTPS flood techniques.
Technical Mechanism
The assault leveraged botnets of compromised IoT devices and cloud servers to generate 2.3 terabits per second of encrypted HTTPS traffic, overwhelming victim networks with repeated GET/POST requests.

By saturating TLS 1.3 sessions, attackers exhausted server CPU/RAM allocations—a hallmark of NoName’s “low-and-slow” strategies designed to bypass traditional rate-limiting defenses.
Notably, the group employed AI-generated traffic patterns mimicking legitimate user behavior, complicating real-time anomaly detection.
This evolution aligns with tactics documented in their 2024 “Holy League” operations against NATO states.
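The following added example (not from the article or from any agency it names) shows why a per-client rate limit misses a distributed HTTP flood in which each source stays slow, while an aggregate per-window baseline still exposes it. The log records, the window size and both thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 10        # seconds per bucket (assumed)
PER_IP_LIMIT = 20  # assumed per-client limit, requests per window
SURGE_FACTOR = 5   # flag a window whose total exceeds 5x the baseline median

def make_log():
    """Constructed sample records: (epoch_second, client, method, path)."""
    log = []
    # Normal users: 3 requests/second spread over 30 clients, for 80 s.
    for t in range(80):
        for c in range(3):
            log.append((t, f"198.51.100.{(t * 3 + c) % 30}", "GET", "/portal"))
    # Flood: 400 sources, each only one request every 2 s, from t=60 to t=78.
    for t in range(60, 80, 2):
        for b in range(400):
            log.append((t, f"2001:db8::{b:x}", "GET", "/portal"))
    return log

def summarise(log):
    """Per window: total requests, distinct clients, busiest client's count."""
    buckets = defaultdict(Counter)
    for ts, client, _method, _path in log:
        buckets[ts // WINDOW][client] += 1
    return [{"window": w, "total": sum(c.values()), "clients": len(c),
             "max_per_ip": max(c.values())}
            for w, c in sorted(buckets.items())]

def detect(rows, baseline_windows=3):
    """Return (windows tripping the per-client limit, windows with a surge)."""
    base = sorted(r["total"] for r in rows[:baseline_windows])
    median = base[len(base) // 2]
    per_ip = [r["window"] for r in rows if r["max_per_ip"] > PER_IP_LIMIT]
    surge = [r["window"] for r in rows if r["total"] > SURGE_FACTOR * median]
    return per_ip, surge

if __name__ == "__main__":
    rows = summarise(make_log())
    for r in rows:
        print(r)
    print(detect(rows))
```

In the constructed data no client ever exceeds 5 requests per window, so the per-client check stays silent, while the aggregate check flags both flood windows.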
Geopolitical Context
NoName’s Telegram channel attributed the strikes to Spain’s “unwavering Russophobia,” specifically citing Madrid’s €1 billion military aid package to Ukraine, which includes Leopard 2A4 tanks and HAWK air defense systems.
The group has targeted Spain 317 times in 2025 alone, cementing its status as the third-most attacked NATO member.
This campaign follows the July 2024 retaliatory attacks after Spanish authorities arrested three alleged NoName operatives, highlighting the collective’s reactive posture to geopolitical developments.
Operational Impact
- Municipal Services: Zaragoza’s tram scheduling systems and Gipuzkoa’s citizen portal suffered 78–92% uptime reductions during peak attack windows.
- Diplomatic Infrastructure: AECID’s global development coordination portal experienced intermittent outages, temporarily hindering aid distribution workflows.
- Escalating Pattern: Spain’s National Cybersecurity Institute (INCIBE) confirmed this as the 14th major DDoS incident in 2025 targeting democratic memory institutions, including the Ministry of Territorial Policy.
Mitigation Response
Spain’s National Cybersecurity Framework activated RFC 8903-compliant mitigation protocols within 47 seconds of attack onset.
Key measures included:
| Tactic | Implementation |
|---|---|
| Traffic Scrubbing | Malicious flows redirected to cloud-based filtering nodes |
| BGP Flow-Spec Updates | Real-time propagation of malicious IP prefixes via ASNs |
| TLS Session Resumption | Maintained encrypted channels for legitimate users |
Collaboration with EU CERT and private partners restored 94% of services within 82 minutes, though sporadic disruptions persisted for CIMSA’s industrial supply chain portal.
Persistent Threat Landscape
NoName’s operations now integrate financial incentives through “Project DDoSia,” which rewards contributors for successful attacks.
Orange Cyberdefense’s 2025 Threat Intelligence Index notes a 40% success rate for the group’s campaigns, particularly against transport (25% of targets) and banking sectors.
José Luis Escrivá, Spain’s Digital Transformation Minister, emphasized resilience: “Our layered architecture neutralized 82% of malicious packets pre-filtering.
However, AI-driven adversarial traffic requires continuous protocol updates.”
Security analysts warn that these attacks aim to erode public trust in institutions rather than cause permanent damage—a psychological warfare tactic amplified through Telegram disinformation channels.
With EU elections approaching, Spanish authorities urge the adoption of zero-trust network segmentation and AI-enhanced intrusion detection systems.
Ongoing Monitoring: INCIBE has issued a Stage 2 alert under Spain’s National Cyber Incident Response Plan, prioritizing critical infrastructure hardening ahead of projected retaliatory strikes linked to upcoming EU sanctions debates.