How a Cyber Alliance Took Down Russian Cybercrime


In a dramatic success and a global pushback against Russia’s hybrid warfare operations, a mid-July joint international operation disrupted a massive Russian cybercrime network known as NoName057(16). Since 2022, this ideologically motivated hacktivist network has claimed responsibility for more than 1,500 distributed denial-of-service (DDoS) attacks against countries aligned with NATO. The group’s activity is a prime example of a broader and concerning trend: Moscow using hybrid warfare in an attempt to undermine support for Ukraine and destabilize the United States and its allies. This success is likely to be temporary—one round in an ongoing match that can only be definitively won by intensive cooperation among allies.

NoName057(16) and Operation Eastwood

NoName057(16) has been active since 2022, around the start of the full-scale invasion of Ukraine. With an estimated 4,000 volunteers, this cyber army initially focused on Ukraine, then expanded its targets to include countries that support Ukraine, including the United States and NATO allies like Czechia, Poland, and Spain. Its operations have included DDoS attacks against Swedish authorities and banking websites, more than 250 German companies and institutions, and organizations linked to the June 2025 NATO summit. NoName057(16) also participated in DDoS attacks against Japanese logistics and shipbuilding companies in 2024.

In response to the growing threat, Europol facilitated Operation Eastwood. The operation involved 19 countries, the European Union Agency for Cybersecurity (ENISA), and the Joint Cybercrime Action Taskforce (J-CAT), part of Europol’s European Cybercrime Centre (EC3). Operation Eastwood ultimately proved highly disruptive to the group’s operations, at least temporarily. It disrupted more than 100 of the group’s servers worldwide and took a significant part of the group’s central server infrastructure offline. Authorities also made two arrests (in France and Spain) and issued seven arrest warrants (six by Germany and one by Spain).

Groups like this tend to be fluid, however, and its remnants are likely to reconstitute and reengage in the near future. As such, international cooperation is critical. EC3 and J-CAT provide a promising model for collaborative, regional cyber threat intelligence sharing centers that could be expanded or replicated in other regions as Russian cyberactivity grows more aggressive.

Russian Cyber Activity: An Escalating Concern

NoName057(16)’s operations are only part of Russia’s escalating cyber campaign. Moscow has long been a dominant player in the cyber domain but has become more active since 2021, in the lead-up to the full-scale invasion of Ukraine. According to U.S. cybersecurity firm Mandiant, Russian cyberattacks have surged since 2021, with NATO countries experiencing a 300 percent increase in Russian-linked attacks in 2022 compared to 2020. Similarly, the European Union reported that the number of hacktivist attacks against European infrastructure, many linked to Moscow, doubled from the fourth quarter of 2023 to the first quarter of 2024. These operations have targeted and disrupted a wide range of entities, including government bodies, information technology companies, critical infrastructure providers, and humanitarian organizations.

Hacktivist groups similar to NoName057(16) are a key piece of Moscow’s complex network of cyber actors. These actors are nominally independent and conduct cyber operations in line with what they perceive as the Kremlin’s interests as a way of expressing patriotism for the Russian nation. For example, KillNet is a pro-Russian hacktivist group similarly known for conducting DDoS attacks against countries supporting Ukraine. According to Flashpoint.io, KillNet “has declared cyberwar on the governments of ten countries, including the US, UK, and Ukraine.” The group has already successfully targeted the United States: In December 2022, KillNet claimed responsibility for compromising a U.S. healthcare organization that supports U.S. military personnel.

These hacktivist groups play a key role in Russia’s cyber apparatus, conducting operations that support Moscow’s strategic goals while providing a layer of plausible deniability that obscures the full extent of the Kremlin’s involvement. This makes attribution and retaliation more difficult for the United States and its allies. Further, while Moscow officially maintains that it does not control these groups, it does not hide its appreciation for hacktivists. Cybersecurity researchers have also reported that some of these groups coordinate with state security and intelligence. For instance, Mandiant assesses with moderate confidence that hacktivist groups “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating with Russia’s Main Intelligence Directorate (GRU).

Further, much like a Matryoshka doll, cyberattacks are one piece of a nested hybrid warfare strategy extending beyond cyberspace. Dr. Seth Jones notes that “Russian [hybrid] attacks in Europe nearly tripled between 2023 and 2024, after quadrupling between 2022 and 2023.” These hybrid tactics have included plotting killings, planting explosives on cargo planes, and setting fire to a warehouse, as well as the aforementioned significant uptick in cyberattacks. These actions underscore Moscow’s broader goal of destabilizing the United States and its European allies and show the increasing importance of cross-border intelligence sharing and joint operations.

Responding to Russian Cyber Activity

In response to Russia’s intensifying cyber campaign, building and expanding collaborative hubs for sharing cyber threat intelligence is essential. EC3 and its J-CAT have built their successful model over many years. EC3, housed within Europol, serves as a centralized expertise and cyber intelligence hub for the European Union. It supports national law enforcement agencies with operational coordination, strategic analysis, and training to enhance their capabilities and bolster their cyber defenses. Additionally, J-CAT, located within EC3, plays a particularly important role in enabling cross-border cybercrime operations. Composed of cyber liaison officers from 13 EU member states and 7 non-EU partners, including the United States, J-CAT facilitates “the joint identification, prioritization, preparation, initiation and execution of cross-border investigations and operations by its partners.” Its unique model brings cybercrime fighters from the 20 participating countries to live and work together in its headquarters in The Hague, Netherlands, enhancing relationship and trust building and improving operational coordination. Notably, J-CAT supported Operation Eastwood, highlighting its value as a potential model that can be further expanded to combat Russia’s growing hybrid warfare.

As Russian hybrid tactics become more aggressive and global, so too must the response. Operation Eastwood demonstrated the criticality of international collaboration and cyber intelligence sharing, but to sustain this momentum and further disrupt Russian cyber threats, allied countries must continue to invest in EC3 and J-CAT while replicating the model in new regions. These efforts should include key allies that have also experienced an increase in Russian cyber aggression but are not part of J-CAT, such as South Korea and Japan. Further, the cyber domain is global, so alliances against this activity must be global as well. Partners in Southeast Asia, like Singapore, and in east Africa, like Kenya, will play a vital role in beating back global cybercrime.

Julia Dickson is a research associate for the Intelligence, National Security, and Technology Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Emily Harding is director of the Intelligence, National Security, and Technology Program and vice president of the Defense and Security Department at CSIS.


