Two Days of Chaos
The weekly total of 6,904 threats tells only part of the story. The real shock lies in the distribution. Thursday, February 27th, saw 2,672 attacks slam into Hungarian networks. Friday followed with another 2,015. Two days. Nearly 4,700 incidents. That's 68% of the entire week's malicious activity compressed into a 48-hour window. This wasn't opportunistic scanning or background noise from compromised IoT devices. The concentration suggests orchestration — a deliberate, high-intensity campaign designed to overwhelm defensive capabilities and probe for weaknesses at scale. Sunday, by contrast, saw just 52 attacks. The lull is almost more unsettling than the storm.
Daily distribution
Ukraine's Digital Frontline
More than half of all documented attacks — 55.5% — originated from Ukrainian sources. Let that sink in. A neighboring country, currently waging an active war, hostile to Budapest's political positions, accounted for 1,054 hostile actions against Hungarian digital infrastructure in a single week. This is not coincidence. Hungarian-Ukrainian relations have deteriorated sharply throughout 2025 and into 2026. Kyiv has made no secret of its frustration with Hungary's opposition to arms shipments and war escalation. That frustration has apparently found expression in cyberspace. With parliamentary elections approaching, the timing is hardly accidental. Ukrainian state and non-state actors possess both the capability and motivation to disrupt Hungarian systems, sow chaos, and potentially influence electoral outcomes. The 1,054 attacks represent probing, testing, mapping — the preparatory work for something larger.
The Eastern Bloc Descends
Ukraine wasn't alone. Russia contributed 164 attacks. China added 117. Iran, 93. Together with Ukraine, these Eastern sources accounted for 76.3% of all hostile traffic targeting Hungary this week. Turkey and the United States round out the top six, but the geographic pattern is unmistakable: Hungary sits in the collision zone between Eastern and Western cyberspace, and it's taking fire from precisely the actors you'd expect. Russian and Chinese operations rarely announce themselves. They move quietly, methodically, seeking persistent access rather than attention. The Iranian presence is more curious — Tehran's interest in Central European infrastructure suggests either proxy operations or opportunistic exploitation of the chaos.
Infrastructure in the Crosshairs
Redis servers absorbed 802 attacks — the most targeted service of the week. The in-memory database system is a perennial favorite for attackers because misconfigured instances leak data and can be hijacked for cryptomining or as pivot points deeper into networks. Telnet followed with 656 incidents, a reminder that legacy protocols never truly die; they just become liabilities. RDP, the remote desktop protocol that fueled so much ransomware chaos during the pandemic years, saw 548 attempts. Docker API endpoints faced 528 attacks, and MongoDB installations 349. These aren't random. Each represents a known vulnerability vector, a door that attackers hope has been left unlocked. The Elasticsearch and HTTP-proxy attacks — 308 and 341 respectively — point to efforts to compromise enterprise infrastructure and potentially turn Hungarian servers into nodes for further criminal operations.
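For defenders, the practical question is whether any of these services is reachable from outside the host at all. The following is an added example, not part of the original report: it parses `ss -H -tln` output and flags listeners for the services named above that are not bound to loopback. The port numbers are the services' well-known defaults (an assumption, not data from the report), and the sample input is constructed.

```python
import ipaddress

# Default ports of the services named in the report (well-known defaults,
# assumed here; the report itself lists no port numbers).
WATCHED = {6379: "Redis", 23: "Telnet", 3389: "RDP",
           2375: "Docker API (plain HTTP)", 27017: "MongoDB",
           9200: "Elasticsearch"}

# Constructed sample of `ss -H -tln` output; replace with real output.
SAMPLE_SS = """\
LISTEN 0 511        0.0.0.0:6379    0.0.0.0:*
LISTEN 0 4096     127.0.0.1:27017   0.0.0.0:*
LISTEN 0 4096          [::]:2375       [::]:*
LISTEN 0 128              *:9200          *:*
LISTEN 0 128          [::1]:23         [::]:*
LISTEN 0 128     192.0.2.10:3389    0.0.0.0:*
LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
"""

def is_loopback(addr):
    """True if the listen address is reachable only from the local host."""
    addr = addr.split("%")[0].strip("[]")   # drop %iface scope and brackets
    if addr == "*":                          # ss prints * for a wildcard bind
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                         # unparseable: report it, do not hide it

def exposed_listeners(ss_output):
    """Return (service, address, port) for watched ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED:
            continue
        if not is_loopback(addr):
            findings.append((WATCHED[int(port)], addr, int(port)))
    return findings

if __name__ == "__main__":
    for service, addr, port in exposed_listeners(SAMPLE_SS):
        print(f"{service} listening on {addr}:{port} (not loopback-only)")
```

A non-loopback bind is not by itself proof of Internet exposure, since a firewall may still block the port, but each finding is a service whose bind address and authentication settings deserve a review.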
Government Networks Targeted
Two hundred seventy-five attacks struck government systems. Of those, 129 carried critical severity ratings. That's 47% critical — a higher concentration than the overall threat landscape. Government networks represent sovereignty itself, and in an election year, they're also repositories of sensitive political data, voter information, and communication systems. Hostile actors understand this perfectly. The 275 incidents represent reconnaissance at minimum, and potentially preparation for more destructive operations. When a wartime neighbor accounts for over half your incoming threats, and your government networks face persistent probing, the conclusion writes itself. This is hybrid warfare, playing out in packet streams and login attempts.
ISP Casualties
Magyar Telekom saw 1,237 attacks. DIGI absorbed 1,156. Invitech, 666. These three providers alone account for nearly half the week's total. The concentration reflects infrastructure reality: major ISPs host the services attackers want, and their customer bases provide the attack surface. The apparent involvement of AS62214 — a smaller autonomous system with 551 documented incidents — warrants attention. Smaller operators often lack the security resources of national carriers, making them attractive targets for establishing footholds.
A 316% surge in a single week is not a fluctuation. It's an escalation. The concentration of attacks from Ukrainian sources, the targeting of government networks, the deliberate intensity of Thursday and Friday's barrage — all point toward a campaign that will intensify as Hungary's elections approach. Next week will not bring relief. It will bring adaptation, as attackers refine their approaches based on what this week's probing revealed. The siege has begun.
Most affected services
Attack sources by country
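| Rank | Country | Share | Attacks |
|------|---------|-------|---------|
| #1 | Ukraine | 55.5% | 1054 |
| #2 | Russia | 8.6% | 164 |
| #3 | China | 6.2% | 117 |
| #4 | Iran | 4.9% | 93 |
| #5 | Turkey | 4.7% | 90 |
| #6 | United States | 4.6% | 87 |
| #7 | South Korea | 4.5% | 86 |
| #8 | France | 1.2% | 23 |
| #9 | Romania | 1.1% | 21 |
| #10 | Netherlands | 0.9% | 17 |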
Severity distribution
Affected Hungarian ISPs
Government infrastructure
During the week, 275 events were recorded on government networks, of which 129 were critical severity.
Methodology and data sources
The REVZERO SENTINEL editorial team collects data from multiple independent, publicly available threat intelligence sources. 4 active sources continuously monitor cyber threats targeting Hungary. Only aggregated, anonymized data appears in reports — no information suitable for identifying individual targets is published.
REVZERO SENTINEL serves the protection of Hungary's cyberspace. It operates independently and has no affiliation with any government agency.