Basque cybersecurity centre warns of 'drastic increase' in attacks on Spanish institutional websites

The industrial cybersecurity centre of Gipuzkoa, Ziur, has warned of a "drastic increase" in cyber-attacks on Spanish entities, both public and private. The surge has been registered in the first few months of this year, affecting institutions and companies.

The most visible example of this was the massive attack launched between 4 and 5 March that temporarily affected the websites of the provincial authority and town halls such as those of Donostia, Irun and Hondarribia. Outside Gipuzkoa, the provincial authorities of Albacete, Ciudad Real, Girona, Huesca and Toledo, as well as the government of Castilla-La Mancha and the city council and tram of Zaragoza were also victims. Shortly before, in February, the Basque Country's governmental website was down due to another attack.

The director of Ziur, María Penilla, said these attacks on Spain are a result of the "joining of forces" of "several pro-Russian hacktivist groups", that have orchestrated a "coordinated campaign of denial of service (DDoS) attacks" against Spanish interests due to the central government's support for Ukraine following the Russian invasion. The most affected sectors, in addition to government institutions and bodies, are "transport, energy and manufacturing".

DDoS attacks have become one of the biggest threats to systems dependant on the internet. Unlike attacks of an economic nature that seek to access accounts or data with which to blackmail companies or individuals for monetary gain, these attacks seek to disable systems, applications or machines, preventing access to the service they offer.

To do this, hackers use multiple computers or IP addresses simultaneously to overload a service with massive requests. These computers, often infected with malware and turned into bots under the control of cybercriminals, team up to be able to crash servers and the services they host by exploiting their vulnerabilities.

The ultimate goal of these attacks is to cause damage and financial losses to both service users and administrators, and erode their reputation.

Encouraged by Moscow, these groups are seeking to "attack a country's critical services and infrastructure", which "is Russia's way of threatening its opponent's allies and demonstrating its strength" - the new way of waging war.

"Fortunately, in Gipuzkoa and the Basque Country, we have done our homework and are quite well-prepared, as was demonstrated in March, when the websites affected by the attack were able to recover in a short time," said Penilla.

On World Internet Day, Ziur published a cyberintelligence report, warning of the increase in cyber-attacks within the '#OpSpain' operation. According to the report, during the first trimester of this year, "a total of 33 alleged data leaks concerning Spanish organisations and institutions have been detected in clandestine forums and Telegram channels, 16 more than in the last quarter of 2024". In the same period, the vulnerabilities published amounted to 12,173, representing growth of 13.72%.

The main actor behind the attacks on Spain is NoName057 - a pro-Russian hacktivist group that works against Ukraine and the countries that support it, as well as against Nato member states. Ziur's director said that "its operations are managed through Telegram and participants are rewarded with cryptocurrencies based on their contribution to the success of the attacks, which feeds the group's growing network".

This means that, behind the non-economic cyber-attacks there is a whole network involving governments with geopolitical interests, which are supplied by an army of 'hackers', who may well be their own, but may also be paid 'mercenaries' and freelance virus developers.

The NoName057 group itself claimed responsibility for the March attack on its Telegram channel, congratulating itself on having affected several institutional websites, such as those in Guipuzcoa. The group listed all its victims and stated that it will "continue to crush russophobic Spain".

In addition to Russia, another very active country from which many of the world's cyberattacks originate is China. From there, attacks are launched using Ghost, a type of ransomware (software that hijacks data), or Cl0p, the most aggressive ransomware with the highest number of incidents worldwide, surpassing Ransomhub, which had led in the last quarter of 2024.