Uncovering the Hacktivist Cyberattacks Targeting the EU Election

(image source: NoName057(16))

The 2024 European Parliament election took place from June 3 to June 9. On June 6, NoName057(16) announced a cyberattack campaign targeting the internet infrastructure in Europe. The group claimed an alliance of at least nine groups that would be performing cyberattacks targeting EU countries throughout the most important days of the elections.

Figure 1: NoName057(16) announcing a cyberattack campaign targeting the EU Elections (source: Telegram)

Below are my findings based on attack claims posted by the nine groups mentioned in the announcement for the period between June 6 and June 10. NoName057(16) referred to more groups that preferred to remain anonymous. However, given hacktivists’ primary objective is to draw attention to their cause, I doubt those unnamed contributors. Our records showed very little activity outside of five out of nine groups mentioned by NoName057(16).

Telegram Reach

Of the nine groups mentioned in the announcement, NoName057(16) has the most followers on Telegram. The Cyber Army of Russia, whose channel is called ‘Peoples Cyber Army,’ was the channel with the second most followers, only a few thousand less compared to NoName057(16). The Telegram channels of CyberDragon, HackNeT and 22C closed the ranks with about 1,000 members each.

Figure 2: Telegram channel member counts for participating groups (Source: Telegram)

DDoS Attacks Claimed on Telegram

Of the nine groups, only five claimed DDoS attacks between June 6 and June 10. NoName057(16), unsurprisingly, claimed the most attacks: 35. HackNeT claimed 18 attacks, CyberDragon 9, the Cyber Army of Russia 8 and Coup Team 1. Note that, as far as I know, HackNeT is not related to the similar-sounding group ‘XakNet Team’ (‘X’ in Russian is pronounced as ‘h’). XakNet Team conducts various threat activities, including DDoS attacks, in support of Russian interests and was identified by Google (Mandiant) as operating in coordination with Sandworm, the advanced persistent threat group operated by Military Unit 74455 of the GRU, the Russian military intelligence service. XakNet Team has been around since March 2022, shortly after Russia invaded Ukraine. HackNeT, in contrast, is a relatively new group that started posting on Telegram in February of this year.

Figure 3: Attacks claimed by actor (Source: Radware)

EU Election Voting Days

The EU election voting is spread over several days and not every country votes on the same day. Most countries in the European Union voted on Sunday, June 9. Estonia, however, was the first to start voting and kept the polling stations open from June 3 until June 9. The Netherlands voted on Thursday, June 6. Ireland voted on Friday, June 7. Czechia voted from Friday, June 7 till Saturday, June 8. Italy, Latvia, Slovakia, and Malta voted on Saturday, June 8.

Figure 4: When EU countries vote (source: POLITICO research)

DDoS Attacks Claimed per Day

Most DDoS attacks were claimed on Thursday, June 6, and Friday, June 7. All groups, except for Coup Team, contributed to attacks targeting primarily the Netherlands on Thursday and Ireland on Friday.

The attack activity by NoName057(16), HackNeT and Cyber Army of Russia on Monday, June 10, after the elections was not related to the EU election attack campaign. Come Monday, the patriotic hacktivist groups were back to business as usual, targeting countries that demonstrated support for Ukraine.

Figure 5: Attack count per day, by actor (Source: Radware)

Targeted Countries

On Thursday, the Netherlands, which voted on the same day, was the most targeted country, with attacks claimed on 13 websites, mostly government and transport related. Three attacks were claimed on targets in Luxembourg, two on targets in Romania and two on targets in Spain.

On Friday, Ireland, which voted on the same day, was the most targeted country with 11 claimed attacks, primarily targeting transport and government websites. France, Czechia and Luxembourg each had three attack claims targeting websites in the country. Czechia, however, was the only country of the latter three where polling stations were open on Friday.

Figure 6: Attack count per day, by country (Source: Radware)

On Saturday, June 8, Italy was the most targeted country, with three claimed attacks, while Czechia had two and Slovakia had one attack claim. All three countries had their polling stations open on Saturday. Uncharacteristic of the attack campaign, Coup Team, who performed only one attack during the whole campaign, targeted a social chat service hosted in the United States.

On Sunday, June 9, the last day of voting, when most countries were voting, Poland was the most targeted, with five claimed attacks, followed by Italy, which had two claims. Sweden, Denmark, Austria, Greece, France, Spain and Luxembourg were each targeted once on Sunday.

Figure 7: Number of attacks per country (Source: Radware)

Over the four voting days, the Netherlands was most targeted (16 claims), followed by Ireland (11 claims), Italy (8 claims), Luxembourg (7 claims), Poland (5 claims), Czechia (5 claims), France (4 claims) and Spain (3 claims).

Figure 8: Country/Actor heatmap (Source: Radware)

Most Targeted Web Categories

Overall, transport and travel was the most targeted web category (31 times), followed by government (19 times) and financial services (8 times).

Figure 9: Attacks claimed per web category (Source: Radware)

Transport and travel was the most targeted web category in Ireland while Noname057(16) was the most active attacker for the category. In Luxembourg, financial services websites were the most targeted category while government websites were the most targeted category in the Netherlands. HackNeT primarily attacked government and transport websites.

Figure 10: Web category heatmaps (Source: Radware)

Back to Business as Usual

After the elections, NoName057(16) and its companions got back to targeting countries based on their support of Ukraine, not mentioning the EU elections anymore.

Figure 11: NoName057(16) claiming attacks targeting Italy on June 10 and Germany on June 11 (Source: Telegram)

Pascal Geenens

As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal got skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and lead security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center