Cyber Incident Victim: NoName057(16)

Date: May 2025

Location: Romania

Summary

The pro‑Russian hacker group NoName057(16) claimed responsibility for a distributed denial‑of‑service campaign that disrupted several Romanian government and election‑related websites, including the interior and justice ministries and a presidential candidate’s site. The attacks rendered the pages inaccessible until authorities restored service, and the group announced the operation via its Telegram channel, citing its DDOSIA tool.

Description

On May 4 2025, a Sunday, users attempting to access several Romanian government and candidate websites encountered errors and were unable to load the pages. The National Directorate for Cyber Security (DNSC) confirmed that a distributed denial‑of‑service (DDoS) attack was underway and that the pro‑Russian hacker group NoName057(16) had officially claimed responsibility in a post on its Telegram channel. According to the group’s message, it had successfully sent “DDoS surprises” to the sites of the Ministry of Interior and the Ministry of Justice. Throughout the morning the affected services remained inaccessible, and users saw various error messages. By 14:00 the same day the DNSC announced that all previously mentioned web portals had been restored and were fully operational again.

The DNSC identified a range of domains that were targeted, including the official sites of the Ministry of Interior, the Ministry of Justice, the candidacy page of Crin Antonescu, and additional government and media domains such as banumuscel.ro, ccr.ro, gov.ro, just.ro, mae.ro, nicusordan.ro, senat.ro, and silviupredoiu.ro. The disruption prevented citizens from accessing information and services normally provided by these online platforms on the day of the presidential election. The response involved the DNSC monitoring the traffic, issuing public updates about the status of the sites, and coordinating mitigation efforts that resulted in the services being brought back online by the early afternoon. No further downtime was reported after the restoration announcement.

NoName057(16) first appeared in March 2022 when it claimed a series of DDoS attacks against Ukrainian publications such as Zaxid and Fakty UA, aiming to block access to material it deemed anti‑Russian. The group describes itself as a pro‑Russian collective without direct ties to the Kremlin, operating as a loose network of digital activists whose objective is to attract attention and disseminate a pro‑Kremlin narrative in Western cyberspace. Its activities have since expanded to include attacks on governmental, media, and private sector targets across Ukraine, the United States, and several European nations.

The group’s tactics rely heavily on Telegram for communication, where it announces attacks, issues threats, mocks victims, and shares propaganda content. It also uses the DDOSIA tool, software designed to generate continuous requests that overwhelm target servers, which is hosted and distributed via GitHub repositories associated with the collective. Through these methods NoName057(16) seeks to disrupt digital communications and advance its ideological agenda, as demonstrated by the May 4 2025 DDoS campaign against Romanian online services.
