Anti-DoS tactics

The NCSC is encouraging any organisations that may be at risk to take ample precautions against disruptive hacktivist attacks.

This includes working with upstream internet service providers to establish what denial of service mitigations they may already have in place to protect you and what they are allowed to do to limit your organisation to protect their other customers should you come under attack.

It is also worth looking into third party distributed denial of service (DDoS) mitigation services and content delivery networks (CDNs) for any web-based services.

Organisations can also prepare in advance to deal with attacks that upstream providers cannot handle by building their applications and services to scale rapidly, and making sure there is adequate spare hardware capacity to deal with the additional loads.

It is also important to prepare and define a response plan so that you have a fighting chance of keeping your services operational should the worst happen. In the NCSC’s playbook, these plans should include graceful degradation of systems and services, the ability to deal with changing threat actor tactics, ensuring you can retain admin access during an attack, and having a scalable fallback plan for essential services.

It should go without saying that these defences should be regularly tested so that security teams can spot attacks starting and guard against them.

“Modern supply chains and critical infrastructure are deeply interconnected, making disruption easier than ever. Hacktivists have successfully targeted essential services across Europe for years, and with rising geopolitical tensions in 2026, these attacks are likely to escalate,” said Gary Barlet, Illumio public sector chief technology officer.

“Downtime is the driving force not just behind hacktivist activity, but behind most cyber-criminal campaigns. We need a new way of dealing with DoS attacks. For too long, we have focused solely on prevention, and this approach has not worked.

“The NCSC’s advice signals a change by recommending that plans include retaining administrative access and implementing full-scale backup plans. However, there needs to be an entire mindset shift within critical infrastructure organisations to focus on prioritising impact mitigation and maintaining service and operational uptime.”

Key actors

Last month the NCSC co-sealed a separate advisory on hacktivist activity alongside partner agencies from Australia, Czechia, France, Germany, Italy, Latvia, Lithuania, New Zealand, Romania, Spain, Sweden and the US.

This advisory highlighted the nefarious activities of several Russia-aligned hacktivist operations, most infamously NoName057(16), which operates a proprietary distributed denial of service (DDoS) tool called DDoSIA and was the subject of a major Europol enforcement action in July 2025.

The agencies said NoName057(16) was likely part of the Center for the Study and Network Monitoring of the Youth Environment (CISM) – a Kremlin-backed ‘NGO’ – and accused the organisation’s senior operatives and employees of funding the group and assisting with malware development and admin tasks.

According to the previous advisory, NoName057(16) has also been collaborating with other hacktivist operations, including members of the Cyber Army of Russia Reborn (CARR), an also-ran group that may have fallen out with its backers.

In late 2024, the two groups jointly formed another collective known as Z-Pentest, which is said to specialise in targeting operational technology (OT) within CNI organisations and so-called hack-and-leak attacks and website defacements. Z-Pentest largely steers clear of DDoS activities.

Another group, formed about 12 months ago, is Sector16 – described by the NCSC and its partners as “novices”. Working alongside Z-Pentest, this operation is relatively noisy online, and operates a public Telegram channel where it boasts of its exploits and claims cyber attacks on US infrastructure. The agencies said Sector165 may be receiving indirect support from the Russian government in exchange for running attacks that align with Moscow’s geopolitical goals.