
Belgian government portals, including the citizen services platform MyGov.be and the Walloon Parliament website, experienced service disruptions on March 12, 2025, following distributed denial-of-service (DDoS) attacks claimed by the pro-Russian group NoName057(16). The attacks coincided with Ukrainian President Volodymyr Zelensky’s visit to Brussels, where Belgium pledged €1 billion in military aid to Ukraine[1].
Attack Timeline and Technical Impact
The Belgian Cybersecurity Centre (CCB) confirmed the attacks peaked at 1.5 million requests per second, temporarily overwhelming servers hosting MyGov.be—a critical platform for accessing tax documents, identity records, and municipal services. The Walloon Parliament’s site remained inaccessible for approximately 90 minutes before mitigation measures were implemented. Cloudflare’s DDoS protection services and redundant server architectures minimized prolonged downtime[2].
NoName057(16) employed a multi-vector approach combining volumetric attacks with targeted HTTP/S request floods. Forensic analysis revealed the use of hijacked IoT devices and compromised Belgian business servers as traffic amplifiers. The CCB’s incident report noted similarities with October 2023 and 2024 attacks, which followed Belgium’s commitments to supply F-16 jets and Caesar artillery systems to Ukraine[3].
Geopolitical Context and Hybrid Warfare Tactics
Parallel to the cyberattacks, NoName057(16) recruited Belgian nationals via Telegram to distribute anti-NATO propaganda in Brussels, offering payments in cryptocurrency. Investigative reports by VRT and Infobae documented at least 12 individuals receiving the equivalent of €200-€500 in Tether (USDT) for placing physical flyers near government buildings[4].
The group’s operations align with Russia’s hybrid warfare doctrine, using non-attributable cyber activities to pressure NATO members supporting Ukraine. Cybersecurity analysts note NoName057(16)’s infrastructure overlaps with Russian-aligned groups like Z-Pentest, though direct Kremlin ties remain unproven[5].
Mitigation and Response
The CCB activated its national cyber crisis plan within 30 minutes of detecting the attacks. Key measures included:
- Traffic rerouting through scrubbing centers operated by Proximus and Telenet
- Rate-limiting policies for API endpoints on MyGov.be
- Emergency patches for vulnerable middleware in parliamentary systems
Belgian Defense Minister Ludivine Dedonder announced enhanced cooperation with NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) to fortify critical infrastructure. The EU’s Cyber Rapid Response Team is conducting forensic analysis to identify potential legal pathways for sanctions against the perpetrators[6].
Security Recommendations
Organizations managing government-facing web services should consider:
- Implementing geofencing for administrative interfaces based on CCB’s IoCs
- Deploying behavior-based DDoS detection that analyzes request patterns rather than just volume
- Conducting stress tests simulating ≥2M requests/second for critical portals
The CCB has published technical indicators including IP ranges and HTTP User-Agent strings used in the attacks, available through their threat intelligence sharing platform CERT.be.
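The behavior-based detection recommended above can be illustrated with a short sketch. This is an added example, not code from the CCB or any vendor named in this article: it scores each client on the shape of its requests (path diversity, timing regularity, absence of static-asset fetches) instead of raw volume. The log records, IP addresses, paths and thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def sample_log():
    """Constructed (client_ip, unix_ts, path) records; not data from the incident."""
    rows = [("203.0.113.10", 1000.0 + i * 0.05, "/api/login") for i in range(40)]
    pages = ["/", "/tax", "/identity", "/municipal", "/help"]
    assets = ["/static/app.js", "/static/site.css", "/static/logo.png"]
    t = 1000.0
    for i in range(60):  # busier client, but browser-like: varied paths, uneven gaps
        t += 0.02 + (i % 7) * 0.11
        path = pages[i % 5] if i % 3 else assets[(i // 3) % 3]
        rows.append(("198.51.100.7", t, path))
    return rows

def path_entropy(paths):
    """Shannon entropy (bits) of the requested paths; near 0 means one endpoint hammered."""
    n = len(paths)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(paths).values())

def timing_cv(times):
    """Coefficient of variation of inter-arrival gaps; near 0 means a fixed machine cadence."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean if mean else 0.0

def profile_clients(rows, min_requests=20):
    """Score each client on request shape. Thresholds are illustrative assumptions."""
    by_client = defaultdict(list)
    for ip, ts, path in rows:
        by_client[ip].append((ts, path))
    report = {}
    for ip, events in by_client.items():
        if len(events) < min_requests:  # too few samples to judge behaviour
            continue
        events.sort()
        times, paths = zip(*events)
        signals = {
            "low_path_entropy": path_entropy(paths) < 1.0,
            "machine_cadence": timing_cv(times) < 0.1,
            "no_static_assets": not any(p.startswith("/static/") for p in paths),
        }
        report[ip] = {"requests": len(events), "signals": signals,
                      "suspicious": sum(signals.values()) >= 2}
    return report

if __name__ == "__main__":
    for ip, result in profile_clients(sample_log()).items():
        print(ip, result)
```

In the constructed sample, the client that sends more requests is not flagged, while the lower-volume client hitting a single endpoint at a fixed cadence is, which is the case a pure rate threshold gets backwards.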
Conclusion
This incident demonstrates the evolving tactics of pro-Russian hacktivists, combining technical attacks with psychological operations. While the DDoS caused temporary disruptions, Belgium’s layered defenses prevented data breaches or persistent compromises. The pattern of cyber retaliation following military aid commitments suggests organizations should heighten monitoring during geopolitical events involving Ukraine support.
References
- “Hackers prorrusos pagan en criptomonedas para difundir propaganda anti-OTAN en Bruselas,” Infobae, Mar. 12, 2025. [Online]. Available: https://www.infobae.com/america/agencias/2025/03/12/hackers-prorrusos-pagan-en-criptomonedas-para-difundir-propaganda-anti-otan-en-bruselas/
- “Bélgica sufre potente ciberataque atribuido a grupo prorruso NoName057,” La Razón, Oct. 8, 2024. [Online]. Available: https://www.larazon.es/internacional/belgica-sufre-potente-ciberataque-atribuido-grupo-prorruso-noname057_20241008670501c4077ed10001e82da3.html
- “Hackers prorrusos reivindican ciberataque contra instituciones belgas,” Europa Press, Oct. 13, 2023. [Online]. Available: https://www.europapress.es/internacional/noticia-hackers-prorrusos-reivindican-ciberataque-contra-instituciones-belgas-prometer-belgica-16-kiev-20231013111652.html
- “Hackers rusos atacan al gobierno belga por su apoyo militar a Ucrania,” ABC España, Mar. 24, 2025. [Online]. Available: https://www.abc.es/internacional/hackers-rusos-atacan-gobierno-belga-apoyo-militar-20250324134211-nt.html