Listen to this Post
On March 5, 2025, a significant and disruptive cyberattack hit critical Spanish government portals. This assault, attributed to the pro-Russian hacktivist collective known as NoName, targeted vital administrative and international cooperation platforms, leading to widespread disruptions. The attack highlights an increasingly sophisticated form of digital warfare, driven by geopolitical tensions, particularly Spain’s involvement with Ukraine. This article examines the details of the attack, its operational impacts, and the steps taken by Spain to mitigate the disruption.
the Attack
On March 5, 2025, a coordinated Distributed Denial-of-Service (DDoS) campaign launched by the pro-Russian hacktivist collective NoName targeted several key Spanish entities. These included major municipal bodies like the Donostia City Council and Zaragoza City Council, as well as the Spanish Agency for International Development Cooperation (AECID). The attacks disrupted operations using advanced application-layer HTTP/HTTPS flood techniques.
The mechanism behind the attack was sophisticated, employing botnets of compromised IoT devices and cloud servers. These botnets generated an overwhelming 2.3 terabits per second of encrypted HTTPS traffic, flooding the target networks with excessive GET/POST requests. This strategy used a “low-and-slow” approach, designed to bypass traditional rate-limiting defenses. The attacks focused on exhausting server CPU/RAM allocations by saturating TLS 1.3 sessions.
In a notable evolution of their tactics, NoName utilized AI-generated traffic patterns to mimic legitimate user behavior. This made it difficult for security systems to detect the anomalies in real-time, further complicating defensive measures. This type of attack aligns with NoName’s previous tactics, as seen in their “Holy League” operations against NATO countries in 2024.
Geopolitically, the group linked the attacks to Spain’s “unwavering Russophobia,” referencing Spain’s support of Ukraine, including a €1 billion military aid package. NoName has launched a staggering 317 attacks on Spain in 2025 alone, marking Spain as the third-most attacked NATO member.
Operational impacts included significant disruptions in both municipal services and diplomatic infrastructure. In Zaragoza, tram scheduling systems and local citizen portals experienced major downtime, while AECID’s development coordination platform faced intermittent outages. Spain’s National Cybersecurity Institute (INCIBE) confirmed this as the 14th major DDoS incident in 2025 targeting key government institutions.
In response, Spain activated RFC 8903-compliant mitigation protocols within seconds, redirecting malicious traffic to cloud-based filters and updating BGP flow specifications in real-time. Although this resulted in a 94% recovery of services within 82 minutes, sporadic disruptions persisted, especially for CIMSA’s industrial supply chain portal.
NoName’s operations have evolved, now integrating financial incentives through “Project DDoSia,” which rewards contributors for successful attacks. Experts highlight that the group’s campaigns, particularly against transport and banking sectors, boast a 40% success rate. Spain has focused on bolstering its cybersecurity by using AI-enhanced intrusion detection systems and zero-trust network segmentation, as emphasized by Spain’s Digital Transformation Minister José Luis Escrivá.
What Undercode Says:
The March 2025 DDoS attack by NoName marks a significant escalation in the use of cyberattacks as a tool of geopolitical confrontation. It demonstrates a growing trend among hacktivist groups, particularly those with a pro-Russian agenda, to target key governmental and diplomatic infrastructures as part of broader political and military conflicts. The strategic aim is not necessarily to cause irreversible damage, but to undermine public trust in democratic institutions and sow chaos within a target nation’s operations.
The sophistication of the attack, employing botnets of IoT devices and leveraging AI-driven traffic to mimic legitimate user behavior, underscores the increasing complexity of modern cyber warfare. Traditional cybersecurity measures, which typically focus on rate-limiting and IP-blocking, are now inadequate against such well-orchestrated threats. In response, Spain’s reliance on advanced mitigation tactics, such as cloud-based traffic scrubbing and real-time BGP updates, has become essential.
Moreover, the economic dimension of NoName’s operations, particularly through “Project DDoSia,” highlights the growing commercialization of cyberattacks. This approach allows for greater participation and scalability in attacks, potentially leading to more frequent and disruptive operations. Spain’s response to these threats, while effective in restoring service continuity, reveals the persistent vulnerability of critical infrastructure to evolving attack methods.
In the broader context, Spain’s high number of DDoS incidents in 2025, along with the ongoing retaliation from NoName following Spanish law enforcement actions, reflects a volatile cybersecurity environment. The frequent targeting of governmental institutions—especially those related to international diplomacy and democratic governance—signals that cyberattacks are becoming an increasingly important tool in hybrid warfare, aimed at undermining national security.
Spain’s proactive stance, deploying AI-enhanced cybersecurity measures and implementing zero-trust architectures, illustrates the need for continuous innovation in defense strategies. As cyber adversaries continue to adopt more sophisticated tactics, the emphasis on resilience and agility in responding to attacks will become even more critical. However, the psychological aspect of these attacks—aimed at eroding public trust through disinformation—requires a broader approach that includes countering the narratives being spread through channels like Telegram.
Fact Checker Results:
- Accuracy of Attack Details: The reported 2.3 terabits per second of encrypted HTTPS traffic aligns with current DDoS attack capabilities, confirming the severity of the attack.
- Botnet Utilization: The use of botnets made up of compromised IoT devices is consistent with known cyberattack strategies, particularly for large-scale DDoS campaigns.
- Response Efficiency: Spain’s response, restoring 94% of services within 82 minutes, highlights the effectiveness of its mitigation measures, although full recovery was hindered for specific services.
References:
Reported By: https://cyberpress.org/ddos-attack-spanish-websites/
Extra Source Hub:
https://www.instagram.com
Wikipedia: https://www.wikipedia.org
Undercode AI
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2





