Full Report
Quartet accused of attacking public institutions, claiming the government was responsible for 2024 tragedy

Spanish police say four self-proclaimed members of Anonymous are in custody after allegedly carrying out several cyberattacks on public authorities in the wake of the 2024 DANA floods.…
Analysis Summary
# Incident Report: Anonymous Fénix Hacktivist Attacks Post-Flood
## Executive Summary
Four individuals, self-proclaimed members of the "Anonymous Fénix" collective, were arrested by Spanish authorities for allegedly conducting cyberattacks against public institutions following the 2024 DANA floods. The attacks, primarily Distributed Denial of Service (DDoS), targeted government ministries and political parties; the group claimed the government was responsible for the flood tragedy. The attacks reportedly succeeded in disrupting several government websites.
## Incident Details
- Discovery Date: Not stated; detection preceded the arrests in May 2025 and February 2026.
- Incident Date: Attacks occurred in the wake of the 2024 DANA floods, with arrests spanning May 2025 to February 2026.
- Affected Organization: Multiple public authorities, government ministries, and political parties in Spain.
- Sector: Government, Public Administration/Sector.
- Geography: Spain (Arrests in Ibiza, Móstoles, Alcalá de Henares, Oviedo).
## Timeline of Events
### Initial Access
- Date/Time: Occurred sometime after the 2024 DANA floods (exact start dates for specific attacks are not detailed).
- Vector: Attack vector details are not explicitly stated for initial access to internal systems, but the primary visible attack method was DDoS.
- Details: The group used its social media presence (fewer than 700 X followers) to recruit members to carry out hacktivist operations.
### Lateral Movement
- Not explicitly detailed in the initial report; the activity was likely focused on the immediate impact of the DDoS attacks rather than deep network infiltration.
### Data Exfiltration/Impact
- Impact: Successful denial-of-service attacks against several government websites reportedly achieved their objective. No data exfiltration details were specified.
### Detection & Response
- Detection: Spanish police (Guardia Civil) identified and tracked members of the group.
- Response actions taken: Arrest of four members (two leaders in May 2025, two active members in February 2026). Court orders were issued to seize the group's X profile and YouTube account, and officials shut down their Telegram account.
## Attack Methodology
*Note: Based solely on the provided text, the methodology appears narrow.*
- Initial Access: Not explicitly detailed. The source does not say whether compromised credentials or publicly known vulnerabilities played any role; the only reported method is DDoS.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Not detailed.
- Exfiltration: Not detailed.
- Impact: **Distributed Denial-of-Service (DDoS) attacks successfully targeted government ministries and political parties.**
## Impact Assessment
- Financial: Not available.
- Data Breach: Not specified; the focus was on service disruption (DDoS).
- Operational: Successful denial-of-service attempts on several government websites, causing service outages or degradation.
- Reputational: Negative impact on the targeted institutions due to successful attacks publicized by the alleged perpetrators.
## Indicators of Compromise
- Network indicators: None specified (Defanged: N/A)
- File indicators: None specified.
- Behavioral indicators: Organized hacktivist activity under the "Anonymous Fénix" banner targeting Spanish public institutions post-disaster.
## Response Actions
- Containment measures: Successful disruption of the group's communication channels (seizure of X/YouTube, closure of Telegram).
- Eradication steps: Arrest of the four identified members, effectively dismantling the operational capacity of this specific offshoot.
- Recovery actions: Not stated; recovery of the affected government systems after DDoS mitigation is implied.
## Lessons Learned
- Hacktivist groups can mobilize around specific national tragedies (like the 2024 DANA floods) to recruit and launch attacks, even if the groups are small (fewer than 700 followers).
- Coordination between national law enforcement agencies (Guardia Civil) is effective in tracking and apprehending alleged members of decentralized hacktivist cells over time.
## Recommendations
- Implement enhanced DDoS mitigation strategies and capacity planning for critical government websites, especially those related to disaster response and public information dissemination.
- Proactively monitor public forums and fringe social media platforms for recruitment or mobilization efforts related to political or disaster events.