New data from Cyble reveals that hacktivists are escalating their campaigns against critical infrastructure, moving beyond basic DDoS (distributed denial of service) and defacement tactics to more advanced intrusions and data breaches. In the second quarter of this year, ICS (industrial control system) attacks, data leaks, and access-based intrusions made up 31 percent of hacktivist activity, up from 29 percent in the first quarter. Notably, Russia-linked groups lead hacktivist ICS attacks.

“Since the emergence of Russia-linked Z-Pentest last year, ICS attacks have become increasingly part of hacktivists’ arsenal. This shift from surface-level disruption to infrastructure-level interference suggests growing strategic intent and technical capability within the hacktivist ecosystem,” Cyble disclosed in its blog post. “Z-Pentest has become the leading hacktivist group targeting critical infrastructure, with 38 ICS attacks in the second quarter of 2025 – up more than 150% from the 15 ICS attacks that Cyble attributed to the group in the first quarter.” 

It added that Z-Pentest’s consistent energy infrastructure targeting across multiple European countries reflects a structured and sustained campaign approach. A frequent Z-Pentest tactic is to post screen recordings of members tampering with ICS controls to amplify the psychological impact of the attacks. 

Furthermore, two other Russia-linked groups have also been actively targeting ICS environments in recent months. Dark Engine, a new group, accounted for 26 ICS-targeted incidents in the second quarter, with a significant operational surge in June. Meanwhile, Sector 16 was linked to 14 attacks in the most recent quarter. 

The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives. 

The energy and utilities sector has emerged as the primary focus of ICS attacks, highlighting a strategic emphasis on infrastructure tied to national resilience. Additional targeting has been observed in the manufacturing, transportation, and telecommunications sectors, including attempts to compromise control systems within national networks. 

Cyble identified that Italy was the most frequently targeted country in ICS attacks by hacktivists, followed by other NATO-aligned states, including the U.S., the Czech Republic, France, and Spain. 

The researchers also reported that DDoS attacks remain the most common hacktivist tactic, accounting for 54 percent of incidents. Website defacements follow at 15 percent, showing that traditional forms of digital protest are still widely used. However, more targeted and disruptive attack types are on the rise. ICS attacks now make up 13 percent of hacktivist incidents, while data breaches account for 11 percent. Access-based intrusions, in which attackers gain unauthorized access to networks or systems, comprise the remaining 7 percent; together, these three categories make up the 31 percent figure cited above. The data reflects a noticeable shift in hacktivist strategies toward more complex and damaging operations.

Providing more details on Dark Engine, Cyble detailed that the group has operated across multiple continents, with confirmed activity in the EU, Asia, and Latin America. The group has engaged in a range of tactics, including access-based intrusions, data breaches, and ICS attacks, demonstrating strategic breadth and technical depth. The group’s targeting has spanned critical infrastructure, notably the energy and utilities sector, along with food and beverages, education, and manufacturing, indicating a deliberate focus on national resilience sectors. 

“In a recent incident, Dark Engine – also known as the ‘Infrastructure Destruction Squad’ – claimed unauthorized access to an HMI/SCADA interface used in Vietnamese industrial operations,” Cyble disclosed. “As observed from the leaked screenshots of the compromise, the breached system controls a high-temperature furnace likely used in sectors such as metallurgy, ceramics, cement, or food processing. The group’s justification for the attack references its stance against any nation perceived as hostile to China.” 

It added that Dark Engine frames its activity as part of a cyber campaign in geopolitical alignment with the Eastern bloc, reinforcing its ideological commitment through targeted industrial disruption. 

APT IRAN is another emerging group and has maintained a highly focused operation during the Iran-Israel conflict. With observed activity in the U.S., the group has executed ICS-specific operations against the energy sector. The group’s selectivity, timing, and infrastructure targeting suggest alignment with national strategic interests and OT (operational technology)-centric intrusion capabilities. 

BL4CK CYB3R, a new politically motivated Cambodian collective, has mainly targeted Thailand. The group has employed both access and DDoS attacks, impacting a wide range of sectors, including IT and ITES, government, and consumer goods. BL4CK CYB3R was extremely active during the Thailand-Cambodia border conflict that began in late May. 

Cyble mentioned that hacktivism in the second quarter was largely dominated by several major conflicts, with Ukraine-Russia, Israel-Iran, India-Pakistan, Thailand-Cambodia, and Morocco-Algeria among the flashpoints for hacktivist activity that has also targeted other countries perceived as allies. Vietnam has also been a target of significant hacktivist activity recently. Government and law enforcement topped the list of sectors most impacted by hacktivist attacks in the quarter, although significant activity was seen in other critical and symbolic sectors. 

NoName057(16), Special Forces of the Electronic Army, and Keymous+ repeatedly targeted government and law enforcement agencies, underscoring a sustained focus on disrupting public sector operations.

The energy and utilities sector faced concentrated campaigns from Z-Pentest and Dark Engine, both active in broader ICS-focused operations. Their activity was marked by persistent, cross-border engagement. In banking and finance, NoName057(16) remained the most active, followed by Keymous+ and the Indian Cyber Force.

The post added that data breaches remain a persistent but secondary threat, frequently used to expose credentials, administrative interfaces, and internal records. The most impacted sectors were government and law enforcement, followed by education, banking, financial services and insurance (BFSI), and transportation and logistics. Multi-sector incidents were also recorded, particularly where attacks leveraged shared infrastructure or political messaging. 

Additionally, access-based attacks were less frequent but indicative of ongoing reconnaissance or pre-positioning efforts. While limited in scale, these incidents were often used to publicly demonstrate system compromise or support information operations aimed at eroding trust in public institutions. 

Cyble concluded that as hacktivist groups increasingly collaborate, the rise in attack sophistication seen in the second quarter is likely to spread across the threat landscape. The trend points to continued risk for exposed environments in critical infrastructure and government sectors, with growing threats not only from hacktivists but also from advanced persistent threats and other actors targeting essential systems. To reduce exposure, critical assets should be kept off the Internet whenever possible. IT and OT networks must be segmented and governed by zero trust access controls. Strong vulnerability management, along with continuous monitoring and hardening of networks and endpoints, remains essential to defense.
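The two recommendations above that can be checked mechanically are "keep critical assets off the Internet" and "segment IT from OT with zero trust access controls". The following is an added example, not code from Cyble or from the report, that audits a constructed asset inventory and a constructed IT-to-OT firewall policy for exactly those two exposures: ICS or HMI remote-access services listening on routable addresses, and allow rules into the OT zone whose source range or port scope is broader than a least-privilege policy should permit. The asset names, addresses, rules and the 256-address threshold are all assumptions made for the example; the port-to-protocol mapping uses the standard default ports, and 203.0.113.0/24 (a documentation range) stands in for public address space.

```python
import ipaddress

# Default ports for common OT protocols and for VNC, which is how many HMIs are
# remotely driven. Which ports to flag is a choice made for this example.
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    5900: "VNC (HMI remote desktop)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}

# RFC 1918 ranges; anything outside them is treated as Internet-routable.
# (ipaddress.is_global is deliberately not used: it classifies the
# documentation range used below as non-global.)
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed inventory (hypothetical hosts, not from the report).
ASSETS = [
    {"name": "furnace-hmi-01", "ip": "203.0.113.10", "ports": [5900, 502]},
    {"name": "substation-rtu-02", "ip": "10.20.0.15", "ports": [20000]},
    {"name": "corp-web-01", "ip": "203.0.113.20", "ports": [443]},
]

OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT zone

# Constructed IT-to-OT firewall policy, evaluated top to bottom.
RULES = [
    {"id": 1, "src": "0.0.0.0/0", "dst": "10.20.0.0/16", "port": "any", "action": "allow"},
    {"id": 2, "src": "10.0.0.0/8", "dst": "10.20.0.0/16", "port": 502, "action": "allow"},
    {"id": 3, "src": "10.1.5.7/32", "dst": "10.20.0.15/32", "port": 20000, "action": "allow"},
    {"id": 4, "src": "10.0.0.0/8", "dst": "10.20.0.0/16", "port": "any", "action": "deny"},
]


def is_routable(ip):
    """True if the address is outside all RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def internet_exposed_services(assets):
    """Return (asset, port, protocol) for every OT/HMI service on a routable address."""
    findings = []
    for asset in assets:
        if not is_routable(asset["ip"]):
            continue
        for port in asset["ports"]:
            if port in OT_PORTS:
                findings.append((asset["name"], port, OT_PORTS[port]))
    return findings


def overbroad_ot_rules(rules, ot_net, max_src_hosts=256):
    """Return (rule id, reason) for allow rules into the OT zone that are wider
    than a per-host, per-protocol policy: source broader than max_src_hosts
    addresses, or all ports permitted. The threshold is an assumption."""
    flagged = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        dst = ipaddress.ip_network(rule["dst"])
        # Only rules whose destination touches the OT zone are of interest.
        if not (dst.subnet_of(ot_net) or ot_net.subnet_of(dst)):
            continue
        src = ipaddress.ip_network(rule["src"])
        reasons = []
        if src.num_addresses > max_src_hosts:
            reasons.append(f"source {src} spans {src.num_addresses} addresses")
        if rule["port"] == "any":
            reasons.append("all ports permitted")
        if reasons:
            flagged.append((rule["id"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for name, port, proto in internet_exposed_services(ASSETS):
        print(f"EXPOSED  {name}: {proto} on tcp/{port} reachable from the Internet")
    for rule_id, reason in overbroad_ot_rules(RULES, OT_NET):
        print(f"OVERBROAD rule {rule_id}: {reason}")
```

Run against the constructed data, the first check reports the furnace HMI's VNC and Modbus listeners and ignores the corporate web server, whose port 443 is not an OT protocol. The second check flags rule 1 (any source, any port) and rule 2 (the whole 10.0.0.0/8 IT space allowed to speak Modbus to every OT host) while accepting rule 3, a single engineering workstation to a single RTU on DNP3, which is the shape a zero-trust rule into the OT zone should take. The same two functions can be pointed at an exported asset list and firewall configuration once they are parsed into the dictionaries shown.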
