France Opens Intelligence Investigation After Pro-Russian Hackers Claim Responsibility for Christmas Postal Service Cyberattack

Breached Company

Breached Company

11 min read
France Opens Intelligence Investigation After Pro-Russian Hackers Claim Responsibility for Christmas Postal Service Cyberattack

France's domestic intelligence agency has taken over the investigation into a massive cyberattack that crippled the country's national postal service during the critical Christmas delivery period, after pro-Russian hacktivist group NoName057(16) claimed responsibility for the coordinated campaign targeting French critical infrastructure.

DGSI Takes Lead in National Security Investigation

The General Directorate for Internal Security (DGSI), France's counter-espionage agency, assumed control of the probe on Tuesday following NoName057(16)'s claim of responsibility for the distributed denial-of-service (DDoS) attack that began Monday, December 23, 2024. The Paris prosecutors' office confirmed that La Poste filed a criminal complaint, triggering the investigation into charges of deliberately disrupting the functioning of a data service.

The timing proved particularly disruptive, as the attack struck during what Economy Minister Roland Lescure described as the busiest week of the year for postal operations. The minister told BFMTV/RMC that "the priority of all priorities" was ensuring parcels reached their destinations before Christmas.

The cyberattack severely disrupted multiple La Poste online services, including consumer banking operations through La Banque Postale, registered mail tracking systems, and digital identity verification platforms. While La Poste maintained that physical delivery operations continued, the company acknowledged on Tuesday that "the situation remains unstable" despite slight improvements from the previous day.

Read our initial coverage: France's La Poste and La Banque Postale Crippled by Massive Christmas DDoS Attack

Coordinated Campaign Beyond Postal Services

Security researchers quickly identified this incident as part of a coordinated campaign rather than an isolated attack. Within hours of the La Poste disruption, NoName057(16) posted screenshots of downed services on their Telegram channel along with check-host.net verification links proving their targets were offline.

The group's claims extended far beyond postal services. Using hashtags including #OpFrance, #TimeOfRetribution, and #F**kEastwood—a direct reference to the international law enforcement operation that targeted them in July 2024—the hacktivists announced attacks on:

  • Rennes Metro transit system
  • Angers Tramway services
  • Multiple French airports
  • The national road safety agency
  • Several portals belonging to EDF, France's primary energy company

Cybersecurity analyst John Carberry from Xcape noted the attack was "timed perfectly" to cause maximum disruption: "By crippling parcel tracking, digital services and mobile banking simultaneously, the attackers effectively choked the financial and logistical arteries of millions during the year's busiest period."

The Z-Pentest Alliance and Water Treatment Claims

Adding to the concern, a related group called Z-Pentest Alliance posted video evidence claiming they had accessed the control systems of two French water treatment plants. This escalation from DDoS attacks to potential operational technology (OT) intrusions represents a significant shift in targeting strategy, though the claims have not been independently verified.

Z-Pentest emerged in September 2024 as a hybrid alliance formed through the partnership between NoName057(16) and the Cyber Army of Russia Reborn (CARR). The group has previously claimed intrusions into operational technology assets in the United States and appears to be expanding their focus beyond traditional DDoS disruption.

NoName057(16): The Kremlin's Crowdsourced Cyber Army

NoName057(16), also referenced as 05716nnm or NoName05716, has emerged as one of the most active pro-Russian hacktivist groups since its formation in March 2022, coinciding with Russia's full-scale invasion of Ukraine. Intelligence assessments indicate the group originated as a covert project within Russia's Centre for the Study and Network Monitoring of the Youth Environment (CISM), a Kremlin-backed organization.

The group operates through its proprietary "DDoSia" platform, a sophisticated crowdsourced botnet that enables volunteers to participate in coordinated attacks using easy-to-use Go-based tools. Leadership within CISM reportedly provided the group with infrastructure development, target selection guidance, and operational direction.

Operational Profile and Attack Patterns

Analysis of NoName057(16)'s activity between July 2024 and July 2025 reveals an extraordinarily high operational tempo, with an average of 50 unique targets attacked daily. Activity patterns strongly correlate with standard Russian business hours, with new targets consistently added in two daily waves: a primary surge between 05:00 and 07:00 UTC and a secondary wave around 11:00 UTC.

The group's targeting demonstrates clear geopolitical alignment:

Geographic Distribution:

  • Ukraine: 29.47% of attacks
  • France: 6.09%
  • Italy: 5.39%
  • Sweden: 5.29%
  • Germany: 4.60%

Industry Focus:

  • Government and public sectors: 41.09%
  • Transportation and logistics: 12.44%
  • Telecommunications: 10.19%
  • Financial services
  • Energy infrastructure

Technical Infrastructure and Tactics

The DDoSia platform employs a sophisticated two-stage communication protocol. Clients first authenticate with command-and-control servers via an HTTP POST to the /client/login endpoint, transmitting encrypted system information including operating system details, kernel version, and CPU specifications. Following successful authentication, clients retrieve target configurations via encrypted GET requests that specify target hosts, IP addresses, and attack protocol types.

Attack vectors include:

  • HTTP GET floods
  • SYN floods
  • Slow Loris-style connection exhaustion
  • Resource exhaustion attacks targeting web services on ports 80 and 443

The operational infrastructure uses a resilient multi-tiered architecture designed to evade detection. Tier 1 command-and-control servers, which have an average lifespan of just nine days, communicate exclusively with Tier 2 servers secured via access control lists (ACLs). This layered approach complicates takedown efforts by law enforcement and ensures operational resilience even when surface servers are identified and blocked.

Gamification and Volunteer Recruitment

NoName057(16) distinguishes itself through sophisticated recruitment tactics that leverage gamification to build a volunteer army estimated at over 4,000 supporters. Participants are:

  • Rewarded with cryptocurrency payments
  • Ranked on public leaderboards
  • Recognized through regular shout-outs
  • Awarded digital badges for participation
  • Given status recognition within the community

This approach lowers the technical barrier to entry while providing emotional reinforcement through narratives of defending Russia or avenging perceived geopolitical slights. The gamified manipulation particularly targets younger individuals who may lack sophisticated understanding of the criminal liability they incur through participation.

Operation Eastwood: July 2024 Law Enforcement Response

In a major international law enforcement operation dubbed "Operation Eastwood," authorities attempted to disrupt NoName057(16)'s operations between July 14-17, 2024. The coordinated effort involved law enforcement and judicial authorities from more than a dozen countries:

Participating Nations: Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States

Supporting Organizations: European Union Agency for Cybersecurity (ENISA), Belgium, Canada, Estonia, Denmark, Latvia, Romania, Ukraine, ShadowServer, and abuse.ch

Operation Results:

Infrastructure Impact:

  • Disrupted over 100 computer systems worldwide
  • Took a major part of the group's central server infrastructure offline
  • Disabled key coordination and communication capabilities

Arrests and Warrants:

  • 2 arrests (1 in France, 1 in Spain)
  • 7 international arrest warrants issued (6 by Germany, 1 by Spain)
  • 24 house searches conducted
  • 13 individuals questioned
  • 5 suspects added to EU Most Wanted list

Outreach Campaign:

  • Over 1,000 supporters contacted via messaging apps
  • 15 identified as administrators
  • Warned of criminal liability under national legislation

Germany issued six arrest warrants for Russian nationals, including two suspected of being the main instigators responsible for NoName057(16)'s activities. However, with core leadership believed to be located within the Russian Federation, the practical impact of these warrants remains limited.

Post-Eastwood: Defiant and Resilient

Despite the international disruption effort, NoName057(16) dismissed Operation Eastwood's impact on their Telegram channel and reaffirmed their commitment to continuing information operations in support of Russian interests. The group's continued activity—including the December 2024 attacks on France—demonstrates their ability to rebuild infrastructure and maintain operational capabilities.

Cybersecurity researcher Baptiste Robert urged caution regarding the "late" claim of responsibility for the La Poste attack, noting on X (formerly Twitter) that "it is usual to see opportunistic claims" by groups seeking media attention. However, the coordinated nature of the attacks across multiple French infrastructure targets aligns with NoName057(16)'s established operational patterns.

Historical Targeting of French Infrastructure

This latest attack represents an escalation in an ongoing campaign against France. Prior notable incidents include:

March 2024: Approximately 2,000 French government websites attacked, including the Ministry of Justice, Ministry of Culture, and Treasury, in what Prime Minister Gabriel Attal described as having "unprecedented intensity."

December 2024: Multiple waves of attacks as part of the "Holy League" alliance campaign, including:

  • Over 50 separate DDoS attacks between December 7-10
  • Attacks on the Ministry of Foreign Affairs
  • Targeting of the French Directorate-General for External Security (DGSE)
  • Disruption of the French National Cybersecurity Agency (ANSSI)
  • Attacks on major financial corporation AXA

Recent incidents in 2024:

France has experienced a dramatic 15% increase in cybersecurity events in 2024 compared to the previous year, according to France's National Cybersecurity Agency (ANSSI), which handled 4,386 security events during the year, including 3,004 reports and 1,361 confirmed incidents.

The Holy League Alliance

In December 2024, NoName057(16) emerged as a prominent member of the "Holy League," a newly formed hacktivist alliance consisting of approximately 70 groups sworn to attack NATO, Europe, Ukraine, and Israel. This coalition brings together ideologically diverse actors including pro-Russian, pro-Islamic, and pro-Palestinian groups.

The alliance launched its coordinated campaign against France immediately after December 4, 2024, when Prime Minister Michel Barnier was ousted through a no-confidence vote. Researchers at Cyble Research & Intelligence Labs (CRIL) identified this timing as deliberate, designed to exploit political instability and maximize disruption during a period of governmental transition.

According to Cyble's analysis, between January and March 2025, researchers monitored 845 mentions of activities targeting France across underground communications channels, with DDoS attacks accounting for 73% of incidents and Industrial Control Systems (ICS) breaches comprising 27%.

Broader Context: Russian Hybrid Warfare

NoName057(16)'s activities fit within Russia's broader hybrid warfare strategy against Western nations supporting Ukraine. According to Dr. Seth Jones of the Center for Strategic and International Studies (CSIS), Russian hybrid attacks in Europe nearly tripled between 2023 and 2024, after quadrupling between 2022 and 2023.

These hybrid tactics extend beyond cyberspace to include:

  • Plotting assassinations
  • Planting explosives on cargo planes
  • Arson attacks on warehouses
  • Disinformation campaigns
  • Election interference operations

U.S. cybersecurity firm Mandiant reported that Russian cyberattacks surged dramatically since 2021, with NATO countries experiencing a 300% increase in Russian-linked attacks in 2022 compared to 2020. The European Union similarly reported that hacktivist attacks against European infrastructure—many linked to Moscow—doubled from the fourth quarter of 2023 to the first quarter of 2024.

European intelligence agencies now report that investigations into Russian interference consume as much time and resources as terrorist threat monitoring, reflecting the scale of the challenge facing Western security services.

Denmark's Formal Attribution

The international community's response has grown increasingly direct. Just days before the French campaign began, the Danish government formally attributed cyberattacks on their infrastructure to NoName057(16), explicitly calling it "hybrid warfare." This marked one of the first instances of a NATO member state officially attributing hacktivist attacks to a specific pro-Russian group as part of state-sponsored hybrid operations.

Motivations and Strategic Objectives

NoName057(16)'s operations pursue clear strategic objectives rather than financial gain:

Primary Goals:

  1. Punishment Campaign: Retaliate against countries supporting Ukraine militarily and economically
  2. Confidence Erosion: Undermine public trust in government's ability to protect essential services
  3. Disruption Maximization: Create instability through attacks timed for maximum visibility and impact
  4. Information Warfare: Support pro-Russian narratives and demonstrate Western vulnerability

Note: These attacks complement broader Russian cyber espionage operations conducted by military intelligence units like APT28 (Fancy Bear), which targets French governmental and diplomatic entities for intelligence gathering rather than disruptive attacks.

The group's tactical timing demonstrates sophisticated understanding of impact maximization:

  • Attacking Danish websites during municipal elections
  • Disrupting Romanian government sites during presidential campaigns
  • Hitting France's postal service at peak holiday shipping season
  • Targeting Swiss infrastructure during Ukrainian peace summits

As cybersecurity analyst at SC Media observed: "The attackers understand something that defenders sometimes forget. Data theft and ransom aren't the goal here. The attackers aim to erode trust. Erode confidence. Erode the sense that the systems we rely on will run properly when we need them."

The Ongoing Investigation

The DGSI's assumption of investigative authority signals French authorities' recognition of this incident as a national security matter rather than conventional cybercrime. The intelligence agency's involvement enables access to broader surveillance capabilities and international intelligence partnerships essential for attribution and response planning.

At this stage, prosecutors are investigating the crime of deliberately disrupting the functioning of an automated data processing system. However, the national security implications could lead to additional charges or diplomatic responses as the investigation progresses.

La Poste employs more than 200,000 people and operates critical infrastructure extending beyond postal services to include banking operations and digital identity verification platforms. The attack's impact on such a significant target—during a period when millions depend on these services—underscores the vulnerability of even large, well-resourced organizations to coordinated DDoS campaigns.

Implications for Critical Infrastructure Protection

This incident reinforces several critical lessons for organizations operating essential services:

Immediate Requirements:

  • DDoS mitigation has become baseline protection rather than optional security measure
  • Multi-provider architectures and routing redundancy essential for resilience
  • Organizations at infrastructure intersections (logistics converging with payments, identity, and public services) face mandatory investment in always-on mitigation

Strategic Considerations:

  • Remote access to operational technology systems requires proper segmentation and monitoring
  • Industrial control systems designed for reliability rather than security present attractive targets
  • Geopolitical decisions create targeting lists within hours through adversary monitoring of public channels

Intelligence Integration:

  • Organizations should monitor threat actor Telegram channels and underground communications
  • Threat intelligence should incorporate geopolitical event tracking
  • Security strategies must assume disruption is inevitable rather than preventable

Financial services experienced attack volume increases of 117-154% during 2024 and 2025, with logistics and e-commerce nodes increasingly targeted during seasonal peaks when disruption maximizes economic damage. The attack on La Poste follows similar patterns observed in the November 2024 strike on Russian-operated Donbas Post and echoes the 2023 Royal Mail ransomware incident, suggesting coordinated exploration of postal system vulnerabilities across geopolitical fault lines.

For broader context on the global escalation of DDoS attacks, see our analysis: The DDoS Arms Race: How 2025 Became the Year of Record-Breaking Cyber Assaults.

Looking Ahead: An Enduring Threat

Security experts uniformly assess that NoName057(16)'s operations will continue despite international law enforcement efforts. As Rafa López, security engineer at Check Point, noted: "While the recent international crackdown on the NoName057(16) group has disrupted their operations, it is unlikely to mark the end of their activities."

The group's decentralized structure, with thousands of volunteers and constantly rotating infrastructure, provides resilience against law enforcement action. With core leadership believed to operate from within Russian territory—beyond the reach of Western law enforcement—the practical constraints on continuing operations remain minimal.

For French organizations and those operating in NATO member states supporting Ukraine, this represents a long-term threat requiring sustained investment in defensive capabilities and intelligence monitoring. As one SC Media analyst concluded: "The sobering news for defenders: These continued attacks won't stop when the Christmas packages finally arrive."

France has experienced multiple December incidents beyond La Poste, including Interior Ministry email breaches and coordinated attacks on municipal infrastructure, raising questions about whether these represent isolated opportunistic actions or elements of a coordinated hybrid warfare campaign designed to destabilize French society during a period of political transition.

The investigation continues, with DGSI agents working to determine the full scope of the attack, identify all compromised systems, and develop attribution intelligence that could support diplomatic or legal responses. However, with NoName057(16) already claiming new targets on their Telegram channels, the immediate focus for defenders remains maintaining operational resilience in the face of persistent, ideologically motivated attacks that show no signs of subsiding.

This is a developing story. Updates will be provided as more information becomes available from French authorities and security researchers monitoring NoName057(16)'s activities.

French Cybersecurity Crisis:

Russian Cyber Operations:

DDoS Attack Context:

About NoName057(16)

Also known as: 05716nnm, Nnm05716, NoName057, NoName05716

Active since: March 2022

Primary attack method: Distributed Denial-of-Service (DDoS) via DDoSia platform

Estimated supporters: 4,000+ volunteers

Attribution: Linked to Russia's Centre for the Study and Network Monitoring of the Youth Environment (CISM)

Motivation: Pro-Russian geopolitical objectives, particularly opposition to Western support for Ukraine

Target profile: Government entities, financial institutions, transportation infrastructure, energy companies, telecommunications providers in NATO member states and Ukraine

Notable characteristics: Crowdsourced botnet model, gamification of attacks, cryptocurrency rewards, high operational tempo (average 50 targets daily), infrastructure resilience through multi-tiered architecture

Read more