UK on High Alert: NCSC Warns of Pro-Russia Cyberattacks on Critical Infrastructure


Key Takeaways

  • The U.K. National Cyber Security Centre (NCSC) has issued fresh guidance for local government and critical infrastructure operators to harden their denial-of-service (DoS) defences due to a rise in pro-Russia hacktivist activity.
  • The guidance is in response to attacks from groups such as NoName057(16), which has been active since March 2022 and has targeted government and private sector entities in NATO member states and other European countries.
  • The NCSC recommends that organisations review their cyber defences, strengthen resilience against attacks, and focus on denial-of-service protections, including understanding service architecture and identifying vulnerabilities.
  • Organisations should also consider implementing upstream defences, such as working with service providers to absorb and mitigate resource exhaustion, and designing services to scale rapidly in response to attacks.
  • The NCSC also emphasizes the importance of testing and visibility, including exercising defences to establish their capabilities and continuously monitoring for attacks.

Introduction to the Threat
The U.K. National Cyber Security Centre (NCSC) has issued fresh guidance calling on local government and critical infrastructure operators to harden their denial-of-service (DoS) defences following a rise in pro-Russia hacktivist activity targeting organisations. The hackers attempt to disrupt operations, take websites offline, and disable services. This is not an isolated incident, as the NCSC has previously warned about the activities of Russian-aligned groups targeting UK organisations. In December 2025, the NCSC co-sealed an advisory highlighting that pro-Russian hacktivist groups have been conducting worldwide cyber operations against numerous organisations and critical infrastructure sectors.

The NoName057(16) Group
The NoName057(16) group has been particularly active since March 2022, conducting attacks against government and private sector entities in NATO member states and other European countries that are perceived as hostile to Russian geopolitical interests. These attacks have included frequent DDoS attempts against UK local government. The group operates primarily through Telegram channels and uses GitHub (and other websites and repositories) to host the proprietary tool DDoSia and share tactics, techniques, and procedures (TTPs) with followers. This highlights the importance of monitoring and tracking the activities of such groups, as well as the need for organisations to be aware of the latest threats and vulnerabilities.

NCSC Recommendations
The NCSC is advising organisations to review their cyber defences and strengthen resilience against attacks from Russian-aligned groups. A particular focus is being placed on denial-of-service protections, beginning with a clear understanding of service architecture. Across most digital services, there are multiple points where attackers can attempt to overload or exhaust resources, disrupting access for legitimate users. These vulnerabilities must be identified, with responsibility clearly assigned to either the organisation itself or an external supplier in each case. The NCSC also recommends that organisations consider implementing upstream defences, such as working with service providers to absorb and mitigate resource exhaustion, and designing services to scale rapidly in response to attacks.

Upstream Defences
Upstream defences should start with ensuring service providers are prepared to absorb and mitigate resource exhaustion where they are best positioned to do so. This includes understanding what denial-of-service protections an ISP applies at the account level, evaluating the use of third-party DDoS mitigation services for traffic-based attacks, and considering content delivery networks for web-facing services. It also requires clarity on when and how providers may throttle or limit network access to protect other customers, and whether critical functions should be distributed across multiple service providers to reduce concentration risk. By implementing these measures, organisations can reduce the risk of successful DDoS attacks and minimize the impact of such attacks.

Service Design and Response Planning
The NCSC also emphasizes the importance of designing services to scale rapidly when attacks cannot be fully handled upstream or are only blocked after detection. This means enabling elastic scaling across applications and infrastructure. Cloud-native environments can automate this through provider APIs, while private data centres rely on modern virtualisation and sufficient spare hardware capacity to absorb sudden load. Equally important is defining a response plan that allows services to continue operating, even in a degraded state, during an attack. Effective plans account for graceful degradation, shifting attacker tactics, the ability to retain administrative access under pressure, and scalable fallback arrangements for essential services.

Testing and Visibility
Finally, the NCSC emphasizes the importance of testing and visibility. Exercising defences establishes the types and volumes of attacks they can withstand, while continuous monitoring is essential for detecting attacks as they begin and analysing performance while they unfold. This allows organisations to identify vulnerabilities and weaknesses in their defences and take corrective action to address them. By combining these measures, organisations can significantly improve their resilience to DDoS attacks and reduce the risk of successful attacks.
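
One way to implement the continuous monitoring described above, as an added example that is not from the NCSC guidance or this article: a per-minute request-rate check over web access logs that flags minutes far above the recent median. The combined access log format, the thresholds, the addresses and the path are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumed input: combined access log format (client IP, timestamp, request line).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(lines):
    """Yield (minute, client_ip, path) for every line that parses."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing mid-incident
        ip, ts, path = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield t.replace(second=0), ip, path

def detect_spikes(lines, factor=5.0, warmup=3):
    """Flag minutes whose request count exceeds factor x the median of earlier quiet minutes."""
    per_minute = defaultdict(Counter)
    for minute, ip, _path in parse(lines):
        per_minute[minute][ip] += 1
    history, alerts = [], []
    for minute in sorted(per_minute):
        sources = per_minute[minute]
        total = sum(sources.values())
        if len(history) >= warmup and total > factor * median(history):
            top_ip, top_hits = sources.most_common(1)[0]
            alerts.append({"minute": minute.strftime("%H:%M"), "requests": total,
                           "baseline": median(history), "sources": len(sources),
                           "top_source": top_ip, "top_source_hits": top_hits})
        else:
            history.append(total)  # flagged minutes never enter the baseline
    return alerts

def sample_log():
    """Constructed sample: five quiet minutes, two flood minutes, one recovery minute."""
    lines = []
    def add(minute, n, ip_of):
        for i in range(n):
            lines.append(f'{ip_of(i)} - - [20/Jan/2026:10:{minute:02d}:{i % 60:02d} +0000] '
                         '"GET /council-tax HTTP/1.1" 200 512')
    for minute in range(5):
        add(minute, 20 + minute, lambda i: f"192.0.2.{i % 8 + 1}")
    for minute in (5, 6):
        add(minute, 400, lambda i: f"198.51.100.{i % 200 + 1}")
    add(7, 22, lambda i: f"192.0.2.{i % 8 + 1}")
    return lines
```

In the flood minutes the top source accounts for only 2 of 400 requests across 200 sources, so the traffic is distributed and a per-address rate limit alone would not contain it.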

Conclusion
In conclusion, the NCSC’s guidance highlights the importance of organisations taking proactive steps to protect themselves against DDoS attacks from Russian-aligned groups. By reviewing their cyber defences, strengthening resilience, and implementing upstream defences, service design, and response planning, organisations can reduce the risk of successful attacks and minimize the impact of such attacks. The NCSC’s recommendations are timely and relevant, given the surge in cyberattacks against public administrations across the EU, with hacktivists increasingly relying on distributed denial-of-service (DDoS) campaigns. By following the NCSC’s guidance, organisations can help to protect themselves and their customers from these threats.
