Critical Infrastructure Attacks Became Routine for Hacktivists in 2025

Hacktivists moved well beyond their traditional DDoS attacks and website defacements in 2025, increasingly targeting industrial control systems (ICS) and turning to ransomware, breaches, and data leaks, as their sophistication and alignment with nation-state interests grew.
That was one of the conclusions in Cyble’s exhaustive new 2025 Threat Landscape report, from which this blog was adapted.
Looking ahead to 2026 and beyond, Cyble expects critical infrastructure attacks by hacktivists to continue to grow, along with increasing use of custom tools and deepening alignment between nation-state interests and hacktivists.
ICS Attacks by Hacktivists Surge
Between December 2024 and December 2025, several hacktivist groups increased their focus on ICS and operational technology (OT) attacks. Z-Pentest was the most active actor, conducting repeated intrusions against a wide range of industrial technologies. Dark Engine (Infrastructure Destruction Squad) and Sector 16 persistently targeted ICS, primarily exposing Human Machine Interfaces (HMI).
A secondary tier of groups, including Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid, also claimed to have conducted recurrent ICS-disrupting attacks, albeit on a smaller scale.
HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the most frequently targeted systems, followed by a limited number of Virtual Network Computing (VNC) compromises, which posed the greatest operational risks to several industries.
Building Management System (BMS) platforms and Internet of Things (IoT) or edge-layer controllers were also targeted in increasing numbers, reflecting the broader exploitation of weakly secured IoT interfaces.
Europe remained the primary region affected by pro-Russian hacktivist groups, with sustained targeting of Spain, Italy, the Czech Republic, France, Poland, and Ukraine contributing to the highest concentration of ICS-related intrusions.
The Intersection of State Interests and Hacktivism
State-aligned hacktivist activity remained persistent throughout 2025. Operation Eastwood (14–17 July) disrupted NoName057(16)’s DDoS infrastructure, prompting swift retaliatory attacks from the hacktivist group. The group rapidly rebuilt capacity and resumed operations against Ukraine, the EU, and NATO, underscoring the resilience of state-directed ecosystems.
U.S. indictments and sanctions further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts. The Justice Department detailed GRU-backed financing and tasking of the Cyber Army of Russia Reborn (CARR), as well as the state-sanctioned development of NoName057(16)’s DDoSia platform.
Z-Pentest, identified as part of the same CARR ecosystem and attributed to GRU, continued targeting EU and NATO critical infrastructure, reinforcing the convergence of activist personas, state mandates, and operational doctrine.
Pro-Ukrainian hacktivist groups, though not formally state-directed, conducted sustained, destructive operations against networks linked to the Russian military. The BO Team and the Ukrainian Cyber Alliance conducted several data destruction and wiper attacks, encrypting key Russian businesses and state machinery. Ukrainian actors repeatedly stated that exfiltrated datasets were passed to national intelligence services.
Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow claimed a year-long Tier-0 compromise of Aeroflot’s IT environment, allegedly exfiltrating more than 20TB of data, sabotaging thousands of servers, and disrupting core airline systems, a breach that Russia’s General Prosecutor confirmed caused significant operational outages and flight cancellations.
Research into BQT.Lock (BaqiyatLock) suggests a plausible ideological alignment with Hezbollah, as evidenced by narrative framing and targeting posture. However, no verifiable technical evidence has confirmed a direct organizational link.
Cyb3r Av3ngers, associated with the Islamic Revolutionary Guard Corps (IRGC), struck critical infrastructure assets, including electrical networks and water utilities in Israel, the United States, and Ireland. After being banned on Telegram, the group resurfaced under the alias Mr. Soul Team.
Tooling and capability development by hacktivist groups also grew significantly in 2025. Observed activities have included:
- Notable growth in custom tool creation (e.g., BQT Locker and associated utilities), including the adoption of ransomware as a hacktivist mechanism.
- Actors are increasingly using AI-generated text and imagery for propaganda and spreading misinformation and disinformation.
- Tool promotion and marketing are emerging as a driver of hacktivism.
Hacktivist Sightings Surged 51% in 2025
In 2025, hacktivism evolved into a globally coordinated threat, closely tracking geopolitical flashpoints. Armed conflicts, elections, trade disputes, and diplomatic crises fueled intensified campaigns against state institutions and critical infrastructure, with hacktivist groups weaponizing cyber-insurgency to advance their propaganda agendas.
Pro-Ukrainian, pro-Palestinian, pro-Iranian, and other nationalist groups launched ideologically driven campaigns tied to the Russia-Ukraine War, the Israel-Hamas conflict, Iran-Israel tensions, South Asian tensions, and the Thailand-Cambodia border crisis. Domestic political unrest in the Philippines and Nepal triggered sustained attacks on government institutions.
Cyble recorded a 51% increase in hacktivist sightings in 2025, from 700,000 in 2024 to 1.06 million in 2025, with the bulk of activity focused on Asia and Europe (chart below).

Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape.
Alongside these dominant ecosystems, Cyble observed a marked increase in operations by Kurdish hacktivist groups and emerging Cambodian clusters, both of which conducted campaigns closely aligned with regional strategic interests.
Below are some of the major hacktivist groups of 2025:

India, Ukraine, and Israel were the countries most impacted by hacktivist activity in 2025 (country breakdown below).

Among global regions targeted, Europe and NATO faced a sustained pro-Russian campaign marked by coordinated DDoS attacks, data leaks, and escalating ICS intrusions against NATO and EU member states. Government & LEA, Energy & Utilities, Manufacturing, and Transportation were consistent targets.
In the Middle East, Israel remains the principal target amid the Gaza conflict-related escalation, Iran-Israel confrontation, and Yemen-Saudi hostilities. Saudi Arabia, UAE, Egypt, Jordan, Iraq, Syria, and Yemen faced sustained DDoS attacks, defacements, data leaks, and illicit access to exposed ICS assets from ideologically aligned coalitions operating across the region.
In South Asia, India-Pakistan and India-Bangladesh tensions fueled high-volume, ideologically framed offensives, peaking around political flashpoints and militant incidents. Activity concentrated on Government & LEA, BFSI, Telecommunication, and Education.
In Southeast Asia, border tensions and domestic unrest shaped a fragmented but active theatre: Thailand-Cambodia conflicts triggered reciprocal DDoS and defacements; Indonesia & Malaysia incidents stemmed from political and social disputes; the Philippines saw attacks linked to internal instability; and Taiwan emerged as a recurring target for pro-Russian actors.
Below are some of the major hacktivist campaigns of 2025:

Most Impacted Industries and Sectors
2025 witnessed a marked expansion of hacktivist focus across multiple industries. Government & LEA, Energy & Utilities, Education, IT & ITES, Transportation & Logistics, and Manufacturing experienced the most pronounced growth in targeting, driving the year’s overall increase in operational activity.
The dataset also reveals a broadened attack surface, with several new or significantly expanded categories, including Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate.
Government & LEA was the most impacted sector by a wide margin, followed by Energy & Utilities (chart below).

The Evolution of Hacktivism
Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism.
In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and carry out VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors.
Hacktivists and state actors will increasingly employ financially motivated tactics and appearances. State actors in Iran, Russia, and North Korea will increasingly adopt RaaS platforms to fund operations and maintain plausible deniability. Critical infrastructure attacks in Taiwan, the Baltic states, and South Korea will appear financially motivated while serving geopolitical objectives, complicating attribution and response.
Critical assets should be isolated from the Internet wherever possible, and operational technology (OT) and IT networks should be segmented and protected with Zero Trust access controls. Vulnerability management, along with network and endpoint monitoring and hardening, is another critical cybersecurity best practice.
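One way to check the isolation advice above against your own perimeter is to audit an exported firewall rule list for allow rules that open the interface types named in this post (VNC, web HMI/SCADA, BMS) to any source. This is an added example, not from Cyble's report: the CSV layout, rule names, OT address range and port map are assumptions, and the sample rules are constructed.

```python
import csv
import io
import ipaddress

OT_PORTS = {  # assumed well-known default ports; sites may use others
    ("tcp", 5900): "VNC",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("udp", 47808): "BACnet (BMS)",
    ("tcp", 443): "web HMI/SCADA (HTTPS)",
}
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed OT address space

SAMPLE_RULES = """name,action,proto,src,dst,ports
vendor-vnc,allow,tcp,0.0.0.0/0,10.20.0.15,5900-5901
hmi-web,allow,tcp,0.0.0.0/0,10.20.0.30,443
plc-modbus,allow,tcp,10.10.5.0/24,10.20.0.40,502
bms-bacnet,allow,udp,::/0,10.20.1.8,47808
corp-web,allow,tcp,0.0.0.0/0,192.168.50.10,443
old-dnp3,deny,tcp,0.0.0.0/0,10.20.0.50,20000
"""  # constructed sample export; the column layout is hypothetical


def parse_ports(spec):
    """Expand '502' or '5900-5901;443' into a set of port numbers."""
    ports = set()
    for part in spec.split(";"):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_exposures(rules_csv):
    """Return allow rules that open an OT service port to any source."""
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        # A /0 source (IPv4 or IPv6) means the rule admits the whole Internet.
        any_src = ipaddress.ip_network(row["src"], strict=False).prefixlen == 0
        dst = ipaddress.ip_address(row["dst"])
        in_ot = any(dst in net for net in OT_NETWORKS)
        if row["action"] != "allow" or not any_src or not in_ot:
            continue
        for port in sorted(parse_ports(row["ports"])):
            service = OT_PORTS.get((row["proto"], port))
            if service:
                findings.append((row["name"], row["dst"], port, service))
    return findings


print(*find_exposures(SAMPLE_RULES), sep="\n")
```

Rules restricted to a specific source range (such as `plc-modbus` here) are not flagged, so the findings list is a starting point for review rather than a full segmentation audit.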
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today.
The post Critical Infrastructure Attacks Became Routine for Hacktivists in 2025 appeared first on Cyble.

