La Poste and La Banque Postale Hit by Pro-Russian Noname057(16) DDoS Cyberattack in December 2025
- Rescana

Executive Summary
On December 22, 2025, the French national postal service, La Poste, and its banking arm, La Banque Postale, experienced a significant disruption due to a distributed denial of service (DDoS) cyberattack. The pro-Russian hacking group Noname057(16) publicly claimed responsibility for the attack, which rendered central computer systems offline, halted package tracking, and disrupted online payments during the peak Christmas delivery period. The French intelligence agency DGSI assumed control of the investigation following the group’s claim. As of December 24, 2025, the disruption remained unresolved. There is no evidence of customer data exfiltration or compromise; the attack focused on service availability. This incident is part of a broader pattern of Russian-linked hybrid warfare targeting European critical infrastructure, with law enforcement and intelligence agencies confirming the ongoing threat and resource strain. All information in this summary is directly supported by primary, date-verified sources (Euronews, ClickOnDetroit/AP, Devdiscourse).
Technical Information
The attack on La Poste was executed using a distributed denial of service (DDoS) methodology, which is a tactic designed to overwhelm targeted systems with excessive traffic, rendering them unavailable to legitimate users. In this case, the DDoS attack targeted the central computer systems responsible for package tracking and online payment processing at La Banque Postale. The attack began on Monday, December 22, 2025, and persisted through at least Wednesday, December 24, 2025, with full service restoration not confirmed by the time of reporting (Euronews, ClickOnDetroit/AP, Devdiscourse).
The pro-Russian group Noname057(16), which has a documented history of targeting European government and critical infrastructure, claimed responsibility for the attack via its Telegram channel. The group is known for leveraging the DDoSia tool, a Go-based malware client distributed to volunteers through Telegram. DDoSia operates by connecting to a command-and-control (C2) infrastructure, authenticating users, and distributing encrypted target lists. Attackers are incentivized with cryptocurrency rewards for participation. The malware supports multiple DDoS techniques, including TCP SYN floods, ACK floods, HTTP GET floods, and application-layer attacks such as Slow Loris (nginx_loris), primarily targeting web services on ports 80 (HTTP) and 443 (HTTPS) (Picus Security).
The attack’s technical characteristics align with the MITRE ATT&CK framework as follows:
- Tactic: Impact (TA0040)
- Technique: Network Denial of Service (T1498)
- Sub-techniques: Direct Network Flood (T1498.001), Application Layer Flood (T1498.003)
No evidence has been found of lateral movement, privilege escalation, or data exfiltration. The attack was limited to service disruption, consistent with the group’s established tactics.
Noname057(16) has previously targeted government, transportation, and telecommunications sectors, with a focus on high-impact periods and critical infrastructure. The group’s operational tempo often increases during Russian business hours, and it updates its target lists daily. The group was the subject of Operation Eastwood in July 2025, a coordinated law enforcement action that resulted in arrests and server takedowns, but the group resumed operations within days (Euronews).
The attack on La Poste is part of a broader campaign of Russian-linked hybrid warfare, which includes sabotage, cyberattacks, and disinformation, aimed at undermining European support for Ukraine and straining law enforcement resources. French authorities, including the Paris prosecutor’s office and DGSI, have confirmed the investigation and the group’s involvement. The incident highlights the vulnerability of national infrastructure to DDoS attacks, especially during periods of peak demand.
Affected Versions & Timeline
The affected organization is La Poste, France’s national postal service, and its banking arm, La Banque Postale. The attack targeted central computer systems responsible for package tracking and online payments. There is no evidence that specific software versions or platforms were exploited; the attack was a volumetric and application-layer DDoS, not an exploit of a software vulnerability.
The verified timeline is as follows: On Monday, December 22, 2025, La Poste’s central computer systems were knocked offline by a DDoS attack. By Wednesday, December 24, 2025, the attack remained unresolved, and Noname057(16) had claimed responsibility. The French intelligence agency DGSI took over the investigation on December 24, 2025. Multiple news agencies and official statements confirmed the ongoing disruption and investigation on this date (Euronews, ClickOnDetroit/AP, Devdiscourse).
No evidence has been reported of customer data compromise or exfiltration. The impact was limited to service availability.
Threat Activity
Noname057(16) is a pro-Russian hacktivist group active since March 2022, specializing in DDoS attacks against European and NATO-aligned targets. The group is known for its use of the DDoSia tool, which enables large-scale, coordinated DDoS attacks by distributing attack instructions to a volunteer network. The group’s activities are supported by the Kremlin-linked Centre for the Study and Network Monitoring of the Youth Environment (CISM) and often coincide with Russian political or military objectives.
The group’s previous targets include Ukrainian media, government and corporate sites in Poland, Sweden, Germany, and France, including the French Ministry of Justice and multiple prefectures. Noname057(16) was the subject of Operation Eastwood in July 2025, which involved law enforcement from 12 countries, resulting in arrests and server takedowns. Despite these actions, the group resumed operations within days and has remained active.
The attack on La Poste fits a broader pattern of Russian-linked hybrid warfare, which includes sabotage, cyberattacks, and disinformation campaigns. European intelligence agencies report that investigations into Russian interference now consume as much time as counterterrorism efforts (Euronews, ClickOnDetroit/AP). The group’s operational focus is on government, transportation, and telecommunications sectors, with a geographic emphasis on Ukraine, France, Italy, Sweden, and Germany.
The attack methods used in this incident included TCP SYN/ACK floods, HTTP GET floods, and application-layer attacks such as Slow Loris, all orchestrated via the DDoSia platform. The group’s tactics, techniques, and procedures (TTPs) are well-documented and align with the MITRE ATT&CK framework for network denial of service.
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: Organizations operating critical infrastructure, especially in the government, logistics, and financial sectors, should immediately review and enhance their DDoS mitigation strategies. This includes deploying or updating DDoS protection appliances and services at network perimeters, ensuring that upstream providers have robust DDoS scrubbing capabilities, and confirming that incident response plans specifically address large-scale DDoS scenarios.
High: Security teams should monitor for indicators of DDoSia-related activity, including unusual traffic patterns on ports 80 and 443, and sudden surges in SYN, ACK, or HTTP GET requests. Network and application logs should be reviewed for evidence of resource exhaustion attacks such as Slow Loris. Collaboration with internet service providers (ISPs) and national computer emergency response teams (CERTs) is essential for coordinated response and traffic filtering.
Medium: Regularly test and update incident response and business continuity plans to ensure rapid recovery from service disruptions. Ensure that all critical services are protected by redundant infrastructure and that failover mechanisms are in place. Conduct tabletop exercises simulating DDoS attacks to validate readiness.
Low: Provide security awareness training to staff, emphasizing the importance of reporting service disruptions and suspicious network activity. Maintain up-to-date contact information for law enforcement and national CERTs to facilitate rapid escalation.
No evidence of data compromise has been reported, so immediate focus should remain on service restoration and DDoS resilience. Organizations should remain vigilant for follow-on attacks or attempts to exploit the disruption for phishing or disinformation campaigns.
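The log review described in the "High" recommendation can be sketched as follows. This is an added example, not code from Rescana or the cited sources. It assumes an nginx-style access log format, that stalled header reads are logged as status 408 with an empty request line, and illustrative thresholds; the sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Assumed nginx-style format (not from the article):
#   remote_addr [time_local] "request" status body_bytes request_time
LINE = re.compile(r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                  r'(?P<status>\d{3}) \d+ (?P<rt>[\d.]+)')

def detect(lines, bucket_s=10, surge_factor=5, slow_min=3, slow_rt=30.0):
    """Return (surge_bucket_starts, slow_sources); thresholds are illustrative."""
    gets, slow = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # GET flood: count GETs per time bucket across all sources, since the
        # traffic comes from a distributed network rather than one client.
        if m["req"].startswith("GET "):
            gets[int(ts.timestamp()) // bucket_s] += 1
        # Slow Loris: headers never complete, so the server logs a 408 with
        # an empty request line after holding the connection for a long time.
        if m["status"] == "408" and m["req"] in ("", "-") \
                and float(m["rt"]) >= slow_rt:
            slow[m["ip"]] += 1
    baseline = median(gets.values()) if gets else 0
    surges = sorted(b for b, n in gets.items()
                    if baseline and n >= surge_factor * baseline)
    starts = [datetime.fromtimestamp(b * bucket_s, timezone.utc).isoformat()
              for b in surges]
    return starts, sorted(ip for ip, n in slow.items() if n >= slow_min)

def sample_log():
    """Constructed sample: quiet baseline, one GET surge, one slow client."""
    fmt = '{} [22/Dec/2025:10:00:{:02d} +0000] "{}" {} {} {}'
    get = "GET /track HTTP/1.1"
    rows = [fmt.format("192.0.2.10", s, get, 200, 512, 0.05)
            for s in range(0, 50, 5)]                  # 2 GETs per bucket
    rows += [fmt.format(f"203.0.113.{i}", 50 + i % 10, get, 200, 512, 0.05)
             for i in range(20)]                       # 20 GETs in one bucket
    rows += [fmt.format("198.51.100.7", s, "-", 408, 0, 60.0)
             for s in (5, 15, 25)]                     # stalled header reads
    rows.append(fmt.format("192.0.2.10", 35, "-", 408, 0, 60.0))  # one-off
    return rows

if __name__ == "__main__":
    print(detect(sample_log()))
```

The surge check compares each bucket with the median bucket, so it needs a log window that includes normal traffic; a window made up only of attack traffic will show no surge.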
References
- https://www.euronews.com/2025/12/24/pro-russian-hackers-claim-french-postal-service-cyberattack
- https://www.clickondetroit.com/business/2025/12/24/pro-russian-hackers-claim-cyberattack-on-french-postal-service/
- https://www.devdiscourse.com/article/law-order/3740671-cyberstorm-pro-russian-hackers-disrupt-french-postal-service-before-christmas?amp
- https://www.picussecurity.com/resource/blog/how-noname05716-uses-ddosia-to-attack-nato-targets
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the cyber risk posture of their vendors and supply chain partners. Our platform supports the identification of critical dependencies, detection of emerging threats, and validation of incident response readiness for DDoS and other cyberattack scenarios. For questions regarding this incident or to discuss your organization’s risk management needs, contact us at ops@rescana.com.