Hacktivists | Manufacturing.net

By Staff

New data from Cyble reveals that hacktivists are escalating their campaigns against critical infrastructure, moving beyond basic DDoS and defacement tactics to more advanced intrusions and data breaches. You can read the report here.

In the second quarter of this year, ICS attacks, data leaks, and access-based intrusions made up 31 percent of hacktivist activity, up from 29 percent in the first quarter. Notably, Russia-linked groups lead hacktivist ICS attacks.

From the blog post: “Since the emergence of Russia-linked Z-Pentest last year, ICS attacks have become increasingly part of hacktivists’ arsenal. This shift from surface-level disruption to infrastructure-level interference suggests growing strategic intent and technical capability within the hacktivist ecosystem. 

“Z-Pentest has become the leading hacktivist group targeting critical infrastructure, with 38 ICS attacks in the second quarter of 2025 – up more than 150 percent from the 15 ICS attacks that Cyble attributed to the group in the first quarter.” 

Z-Pentest’s consistent energy infrastructure targeting across multiple European countries reflects a structured and sustained campaign approach. A frequent Z-Pentest tactic is to post screen recordings of members tampering with ICS controls to amplify the psychological impact of the attacks. 

Furthermore, two other Russia-linked groups have also been actively targeting ICS environments in recent months. A new group, Dark Engine, accounted for 26 ICS-targeted incidents in the second quarter, with a significant operational surge in June. 

Meanwhile, Sector 16 was linked to 14 attacks in the most recent quarter. The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives. 

The researchers also reported that DDoS attacks remain the most common hacktivist tactic, accounting for 54 percent of incidents. Website defacements follow at 15 percent, showing that traditional forms of digital protest are still widely used.

However, more targeted and disruptive attack types are on the rise. ICS attacks now make up 13 percent of hacktivist incidents, while data breaches account for 11 percent. The report also found that access-based intrusions, in which attackers gain unauthorized access to networks or systems, comprise the remaining seven percent. The data reflects a noticeable shift in hacktivist strategies toward more complex and damaging operations.

This data prompted responses from several industry leaders:

Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace

“This research underscores a growing reality: hacktivists are increasingly targeting critical infrastructure. As geopolitical tensions escalate, we’re seeing an increase in activity aimed at operational technology (OT) environments. This pattern aligns with warnings issued by agencies like CISA and the NCSC, particularly regarding the heightened threat landscape for critical infrastructure in Europe and the U.S. 

“As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. 

“By adopting good cyber hygiene and proactively addressing vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors – especially in sectors where disruption can ripple across national security, public safety, and economic stability.”

James Maude, Field CTO at BeyondTrust

“We have seen groups evolve from large scale DDoS and defacement into much more sophisticated threats targeting Industrial Control Systems (ICS), spoofing GPS signals in the Gulf region to disrupt shipping, and breaching Nobitex, a prominent Iranian cryptocurrency exchange. 

“Increasingly the lines between hacktivism, cyber-crime for profit and nation state activities are blurred. A group known as “Keymous+” appears to be building alliances across multiple hacktivist groups in order to expand their reach while also offering a for-hire DDoS service known as EliteStress.

“As the lines between hacktivism and cyber-crime blur, the techniques used have evolved in a similar way. In the past hacktivists often behaved like protestors, blocking access to websites using DDoS attacks or defacing them in much the same way that protesters might graffiti a building. This has now evolved into tactics more associated with for-profit cyber-crime seeking to inflict damage from within and breach sensitive data or disrupt internal systems.

“While access-based intrusions and ICS attacks are still in the minority, their growing prevalence reflects the fact that identity is the new perimeter. With increasingly sophisticated DDoS defences it is becoming easier to make your point by compromising the right identity and logging in than building a global botnet to launch a DDoS attack.

“In fact the impact can be far greater as while knocking a website offline can make a point being able to have control over industrial control systems is far more concerning. These internal systems often represent a softer target for hacktivists as they may be able to target vendors and 3rd parties who have privileged credentials and access to the target network via a VPN. This increases the identity attack surface and can provide hacktivists with an easier route in. 

“As these attacks continue to evolve, organizations should think about proactively reducing their identity attack surface. Focussing on least privilege for privileges and access and ideally Just-in-Time (JIT) to avoid risks of standing privilege that could be exploited. Organizations should also seek to understand their identity attack surface better through holistic visibility of all the paths to privilege in their environment which might enable a hacktivist to start in one system but pivot into others increasing the ‘blast radius’.”

Trey Ford, Chief Information Security Officer at Bugcrowd:

“This part of the research is the most interesting to me: ‘The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives.’

“Bob Lord probably said it best, ‘We are up against human adversaries who organize their work in campaigns’ – while these groups may not be paid or funded by another entity or state – they’re clearly coordinated.

“Attack evolution is to be expected – they may have new guidance, requests, interest, or tooling enabling the shift toward directed compromise over disruptive DDoS attacks. 

“The dynamic to note is that as a defender, we respond to the threat actor – we prepare, detect, contain, recover – in response to their attacks. ICS (transportation, power, manufacturing) systems are notoriously softer targets, if you can get access to them. We may find that the DoS activity follows the classic template of task-loading technical teams to increase their dwell time – they’ll be too busy with the DoS to identify and respond to a network intrusion.”

Mr. Venky Raju, Field CTO at ColorTokens:

“Hacktivists have been attacking ICS infrastructure for several years now. The low-hanging fruit for hackers is default credentials on popular HMIs, which are often made accessible directly on the Internet for remote management due to operator budget constraints. While VPNs somewhat mitigate the risk, hacktivists can leverage credential dumps from past breaches and password re-use.

“Practical considerations for operators include microsegmentation of ICS systems and implementing strong identity-based zero-trust network access (ZTNA). HMIs should never be put on the open Internet, even with obfuscated ports, as adversaries have tools like Shodan and Censys to discover, enumerate, and attack them. Furthermore, passwordless authentication should be considered to eliminate the fundamental problems of password re-use and leaks.”
