Cyber Incident Victim: Children's Parliament

Date: Mar 2023

Location: France

Summary

A pro-Kremlin hacktivist group, NoName057(16), executed a DDoS attack against the French National Assembly, rendering its website inaccessible for several hours. The attack was carried out in retaliation for France's support of Ukraine and also targeted the French Senate and Children's Parliament. While the Senate's website remained online, the Children's Parliament site was successfully taken down. The group claimed responsibility for the incident via a message on its Telegram channel.

Description

On or around March 29, 2023, the website of the French National Assembly, the lower house of the French Parliament, became inaccessible to users. The website displayed a message indicating it was “under maintenance” for a period of several hours. This outage was the result of a distributed denial-of-service (DDoS) attack executed by the pro-Russian hacktivist collective known as NoName057(16). The group publicly claimed responsibility for this attack on its Telegram channel, posting a message in Russian. The message stated the attack was a response to French President Emmanuel Macron’s support for Ukraine, accusing him of serving “Ukrainian neo-Nazis” and ignoring the French people amidst ongoing domestic protests. This cyber incident was part of a broader campaign targeting French governmental institutions in retaliation for the nation's foreign policy stance.

Simultaneously, the attackers targeted two other French parliamentary bodies: the French Senate and the Children’s Parliament. The DDoS attack against the Senate was unsuccessful, and its website remained online and accessible. However, the attack against the Children’s Parliament was successful, rendering its website inaccessible for a time. A DDoS attack overwhelms a target server with a flood of internet traffic, typically from a network of hijacked computers, often referred to as a botnet or ‘zombie’ computers. This bombardment of requests consumes server resources, making the targeted website slow to respond or completely unreachable for legitimate users. Such attacks are generally considered a nuisance tactic designed to cause temporary disruption and send a political message rather than inflict permanent damage or enable data theft.

Following the disruptions to the government websites, French authorities launched an investigation into the three separate attacks. The investigation aimed to ascertain the full scope of the incident, confirm the threat actor's claims, and understand the technical vectors used in the attacks. The pro-Russian alignment of the threat group was explicitly stated in their communications and identified by external cybersecurity analysts. The group NoName057(16) formed approximately one year prior to this incident and had rapidly become a notable pro-Russian threat actor. According to cybersecurity firm Radware, the group is known for launching DDoS and defacement attacks and is considered one of the most active Russian-aligned threat groups targeting Western organizations.

The incident had clear political motivations, directly linked to France's support for Ukraine following the Russian invasion. The attackers sought to exploit existing societal divisions within France, specifically referencing the widespread protests that were ongoing at the time due to the government's planned pension reform, which would raise the retirement age. Russian hacker groups have a documented history of supporting anti-government demonstrations and populist movements in France and other Western democracies, which Moscow perceives as a vulnerability to be exploited to undermine support for Ukraine. The attack on the French National Assembly and the Children’s Parliament was a direct tool of cyber-enabled influence operations, intended to harass and send a message to the French government and its leadership.

The immediate impact of the incident was the temporary unavailability of two parliamentary websites, causing a disruption to the public-facing digital services of these democratic institutions. While the Senate's defenses held, the National Assembly and Children’s Parliament websites were forced offline for several hours. The primary consequence was a temporary loss of service and the symbolic act of disrupting government operations. There was no indication in the reporting of any data breach, data exfiltration, or permanent damage to the affected IT systems. The restoration of service involved mitigating the flood of malicious traffic, a process that likely required coordination with internet service providers and the implementation of DDoS mitigation services.

The threat group NoName057(16) has a history of targeting entities across Europe that are perceived as supporting Ukraine or opposing Russian interests. Prior targets, as reported by cybersecurity analysts, have included the Czech presidential candidates, Polish e-government websites, Denmark’s financial institutions, Lithuanian businesses, and the parliament website of Finland. This pattern of activity establishes the group as a persistent threat to NATO member states and allies of Ukraine, using relatively low-sophistication but high-visibility attacks to achieve its objectives. The attack on French institutions fits squarely within this established pattern of behavior, representing another chapter in the ongoing cyber conflict surrounding the war in Ukraine. The incident underscores the use of hacktivist groups as proxies to project power and conduct harassment campaigns below the threshold of armed conflict.
