Forescout Technologies Inc. analyzed 780 hacktivist attacks in 2024, claimed by four groups active on opposing sides of the Russia-Ukraine and Israel-Palestine conflicts: BlackJack, Handala Group, Indian Cyber Force, and NoName057(16). Critical infrastructure remains a prime target, with government and military systems ranking at the top. Distributed Denial of Service (DDoS) attacks on websites continue to be the primary method used. As hacktivism increasingly intertwines with state interests, more than one-fifth of the attacks were directed at the transportation and logistics industries. Financial services, telecommunications, energy, and manufacturing also ranked among the top six most targeted sectors.

In a report titled ‘The Rise of State-Sponsored Hacktivism: An analysis of hacktivist attacks in 2024 and an outlook for 2025,’ Forescout revealed that between November 2023 and April 2024, at least 36 attacks targeted U.S. operational technology (OT) and industrial control systems (ICS). While most of these attacks focused on water utilities, sectors such as healthcare, energy, and manufacturing were also affected. The key known players include CyberAv3ngers, who are believed to be affiliated with the Iranian military, and the Cyber Army of Russia, which is linked to Sandworm (a unit of the Russian GRU) and launched attacks against U.S. water and wastewater facilities.

Forescout recognized that modern hacktivism has evolved considerably from its original form. While it once focused primarily on advocating for ideological causes, hacktivists now often target the critical infrastructure of adversaries and manipulate public opinion to further the strategic goals of nation-states. This shift has led to blurring the lines between traditional hacktivism and state-sponsored cyber operations, making it increasingly challenging to differentiate between independent activists and proxy actors acting on behalf of governments.

The report highlighted that hacktivist activity has surged since the escalations of the Russia-Ukraine and Israel-Palestine conflicts in 2022 and 2023, respectively. These conflicts have created an ideal environment for nationalistic hacktivist groups to amplify their agendas in cyberspace. 

Several key factors have contributed to the rise in hacktivist activity, making it easier and more effective for these groups to engage in cyber campaigns. The deep ideological divide surrounding various global conflicts has intensified public attention, providing hacktivist groups on opposing sides with greater visibility. This heightened attention has resulted in a steady influx of followers and recruits, strengthening the influence and reach of hacktivist campaigns.

Forescout noted that hacktivism has increasingly become a critical tool in information warfare, where cyber campaigns are used to control narratives and shape public perception. Even less sophisticated attacks, such as website defacements and data leaks, can have significant effects by manipulating public opinion, discrediting adversaries, and eroding trust in institutions. These campaigns contribute to a broader strategic effort to sway the public’s views and advance ideological objectives.

Additionally, the accessibility of tools needed to conduct cyberattacks has significantly increased, with individuals and groups now having easier access to the necessary resources. This includes the ability to target critical infrastructure and operational technology. As a result, the barrier to entry for hacktivists has been lowered, enabling them to launch disruptive attacks with minimal technical expertise. This trend has made hacktivism more widespread and potent, allowing more individuals and groups to engage in high-impact cyber operations.

Forescout cited as an example ‘Predatory Sparrow,’ a group claiming to oppose the Iranian regime but widely believed to be linked to Israel. In response, Iranian groups like ‘Karma Power’ and ‘The Malek Team’ have targeted Israeli critical infrastructure, with suspected ties to Iran’s Ministry of Intelligence or the IRGC. Hacktivism has evolved from grassroots activism into a strategic tool of hybrid warfare—used by states for espionage, disinformation, and attacks on critical infrastructure.

Nation-states have increasingly weaponized hacktivism, leveraging it as a strategic tool in cyber warfare and information operations. This approach offers several key advantages.

First, it provides plausible deniability. Governments can distance themselves from hacktivist activity by claiming no direct involvement, allowing them to conduct aggressive cyber operations without openly violating international norms or risking diplomatic fallout. Second, attribution becomes more difficult. As independent hacktivists, state-sponsored groups, and faketivists often collaborate, distinguishing between them becomes nearly impossible. This ambiguity hampers response efforts and allows state-backed actors to operate with relative impunity.

Third, hacktivist personas give the illusion of public support. When state-sponsored actors pose as grassroots activists, they create the appearance of widespread public endorsement for nationalistic causes, reinforcing state propaganda. Finally, states exploit the exaggerated or fabricated impact of hacktivist attacks. Sensationalized claims or staged cyber incidents—often paired with disinformation tactics like AI-generated imagery—can manipulate public perception and amplify the perceived effectiveness of an operation.

Through these tactics, nation-states have turned hacktivism into a powerful component of hybrid warfare, blending cyberattacks, psychological operations, and propaganda to pursue strategic goals.

As hacktivism becomes increasingly entangled with state interests, examining the operational tactics of the most active groups offers valuable insight into the nature of modern cyber conflict. To explore these dynamics, Forescout analyzed four highly active and influential hacktivist groups between January and October last year. These groups reflect a range of geopolitical alignments and diverse operational strategies and primarily target three categories of assets. 

Forescout reported that the majority of attacks, 91 percent, were directed at websites. DDoS attacks, which rendered the targeted websites inaccessible, accounted for 89 percent of all attacks; a further 2 percent were website defacements, altering the appearance or content of the sites.

Data was the second most common target, accounting for 7 percent of all attacks. These incidents typically involved the theft or leakage of sensitive information. In approximately 1 percent of cases, attackers went further by wiping data entirely from compromised systems. The remaining 2 percent of attacks focused on other types of assets, including routers and Internet of Things (IoT) devices. Tactics used against these devices included the installation of malware, encryption of stored data, manipulation of device configurations, and, in some instances, forced shutdowns.

The majority of hacktivist attacks were concentrated in Europe and Asia, reflecting the geopolitical alignments of the groups involved. Specifically, 82 percent of attacks targeted Europe, while 18 percent were focused on Asia, including the Middle East. Less than 1 percent of attacks were directed at the Americas. This distribution mirrors the strategic objectives of the hacktivist groups: those aligned with Russia primarily targeted European nations that support Ukraine, while groups aligned with Palestine concentrated their efforts on Israeli entities. In total, 40 countries were affected by these attacks. The most frequently targeted nations were Ukraine, with 141 recorded incidents; Israel, with 80 attacks; and Spain, which experienced 64 attacks.

Forescout reported that the majority of hacktivist attacks targeted critical infrastructure sectors, with the top three industries accounting for over 75 percent of all recorded incidents. Governmental organizations, including military services, were the most frequently targeted, representing 44 percent of the attacks. 

The transportation and logistics sector was the second most affected, comprising 21 percent of incidents. Key targets in this sector included ports, airports, roads, railways, and urban transit systems. Financial services companies accounted for 13 percent of attacks, with disruptions affecting banking operations, payment systems, and other financial infrastructure. Notably, all of the top five industries targeted fall within the category of critical infrastructure, highlighting the strategic intent behind these cyber campaigns.

Forescout reported that BlackJack is a Ukrainian hacktivist group active since October 2023, primarily targeting Russian organizations across critical infrastructure sectors. Their operations focus on database breaches, data theft, public leaks, and occasional data wiping, aiming both to expose and disrupt. 

Unlike many groups, they keep a low profile on Telegram and are believed to have ties to Ukrainian intelligence. All known attacks during the study period targeted Russian entities across various industries, including broadcasting, banking, government, and education. Their methods and affiliations highlight the growing role of state-sponsored hacktivism in the Russia-Ukraine cyber conflict.

Handala Group is an Iranian hacktivist group that emerged in December 2023, known for a broad range of cyber operations including phishing, ransomware, website defacement, data theft, and extortion. Strongly pro-Palestinian in its stance, the group exclusively targets Israeli organizations across multiple sectors such as transportation, healthcare, government, and technology. Their primary methods include data leaks and ransomware, with a focus on psychological impact and political retaliation.

Handala actively publicizes its attacks through a Telegram channel and a self-hosted website, using these platforms to claim responsibility and extend the reach of their messaging. They are particularly known for leaking data allegedly belonging to high-level Israeli officials to erode public trust and generate political pressure.

Two high-profile attacks in 2024 drew significant media attention: one in April targeting Israeli radar systems and civilian communications, and another in September involving breaches of companies allegedly tied to explosives used in Hezbollah-related incidents. The latter included the theft of 14 terabytes of data and threats of public exposure. Handala’s use of a professional website distinguishes it from other hacktivist groups, providing censorship-free, lasting visibility while enhancing its image as a credible and organized entity.

Indian Cyber Force, active since December 2022, is a pro-India and pro-Israel hacktivist group that targets critical infrastructure in countries viewed as politically or ideologically opposed to its stance. The group is highly active on social media platforms like Telegram and X, where it promotes its operations and engages with followers.

During the study period, the group conducted cyberattacks across multiple countries, including Pakistan, Indonesia, the Maldives, Canada, the UK, and Bangladesh, driven by a mix of historical grievances, geopolitical tensions, and religious motivations. Pakistan was the primary target, with attacks often referencing the 2019 Pulwama attack as justification.

Key targets included sectors such as travel, education, banking, law enforcement, and government. Their main tactic was website defacement, used to publicly humiliate adversaries and assert dominance in cyberspace. This was often followed by data theft and leaks, especially from banks and government agencies, aiming to damage credibility and escalate conflicts.

The group also breached surveillance systems in sensitive locations (e.g., banks, malls, power plants), indicating an effort to gather intelligence and compromise security infrastructure. While their methods are not technically advanced, they are strategically symbolic, serving propaganda and psychological objectives.

NoName057(16) is a Russian hacktivist group active since March 2022, known for executing large-scale DDoS attacks primarily targeting Ukraine and countries that support it, especially European NATO members. The group has one of the most active Telegram presences, posting multiple updates daily to promote its attacks and recruit followers.

Their operations span Europe, Asia, and North America, with a clear focus on institutions in Ukraine, Poland, and the Nordic countries. Unlike other hacktivist groups that target selectively, NoName057(16) employs a broad and high-frequency approach, often conducting several attacks per day and repeating hits on high-value targets.

The group is a key participant in the DDoSia project, a pro-Russian initiative offering DDoS toolkits (successor to the Bobik botnet) to volunteers. Through its Telegram channel, NoName057(16) mobilizes participants for cyberattacks against so-called ‘Russophobic’ states, incentivizing them with both ideological appeal and financial rewards.

While direct state sponsorship is unconfirmed, the group is believed to be linked to the Cyber Army of Russia Reborn (CARR), which is associated with Sandworm, a known Russian military cyber unit. This suggests NoName057(16) may be part of Russia’s broader strategy of state-aligned hacktivism and hybrid warfare.

The Forescout report analyzes the shift of hacktivism from grassroots activism to becoming a tool for state-aligned and state-sponsored cyber operations. By examining four active hacktivist groups in 2024, the study reveals how geopolitical conflicts increasingly influence cyber threats.

Looking ahead to 2025, the report predicts that DDoS attacks will remain the primary attack method, because tools like DDoSia make them easy for hacktivist groups and their supporters to execute. It expects a rise in attacks targeting IoT and OT systems, driven by the disruptive potential of cyber-physical attacks (e.g., BlackJack’s Fuxnet malware). Critical infrastructure will continue to be the main target of hacktivist attacks, particularly sectors impacting daily life, like financial services, government, and utilities.

The report also expects that hacktivists will increasingly focus on active conflict zones (e.g., Ukraine, Israel), adjusting targets based on geopolitical shifts like ceasefires or escalating tensions. More governments will adopt hacktivist personas to conduct cyber operations, gaining plausible deniability while advancing political agendas. Hacktivist groups themselves will likely shift identities over time, rebranding or splitting to evade legal repercussions and continue their operations, much as ransomware gangs do. The report highlights the growing role of state-sponsored hacktivism in global conflicts and its increasing impact on cyber warfare strategies.

To counter current and future hacktivist threats, Forescout calls upon organizations to implement several key security measures to safeguard their networks and systems.

Organizations should follow the National Cyber Security Centre (NCSC-UK)’s guide on Denial of Service (DoS) attacks. This includes identifying weak points in service infrastructure, ensuring service providers are equipped to handle resource exhaustion scenarios, and scaling services to withstand concurrent attack traffic. Developing a response plan and conducting regular stress testing are also crucial for preparedness.

Next, organizations must harden IoT and OT security. This involves identifying and patching vulnerabilities in IoT and OT devices and changing default or easily guessable passwords on all systems. To reduce exposure, it is essential to avoid directly exposing IoT and OT devices to the internet. Instead, organizations should follow the U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s best practices for providing remote access to industrial control systems. Another vital step is to strengthen network segmentation. By isolating IT, IoT, and OT networks, organizations can prevent lateral movement in the event of a breach, containing the potential damage from an attack.

Lastly, enhancing monitoring and threat detection is critical. Organizations should continuously monitor IoT and OT network traffic to detect anomalies and identify devices that might be co-opted into botnets or DDoS campaigns. Early detection can help mitigate the impact of an attack and allow for a quicker response. By implementing these measures, organizations can bolster their defenses against hacktivist groups and other cyber threats, ensuring greater resilience in the face of evolving attack tactics.
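The two recommendations above, segmenting IoT/OT from IT and the internet, and watching IoT/OT traffic for devices co-opted into DDoS campaigns, can be checked against exported flow records. The script below is an added illustration, not code from Forescout or the report; the addressing plan (an IoT/OT VLAN at 10.20.0.0/16, RFC 1918 ranges treated as internal) and the flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical addressing plan: the IoT/OT VLAN, and the RFC 1918 ranges treated as "inside".
IOT_SEGMENT = ip_network("10.20.0.0/16")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records for one five-minute window (sample data, not from the report):
# (source, destination, destination port, packets, bytes).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.1", 502, 238, 19040),         # PLC polled over Modbus: normal
    ("10.20.1.42", "203.0.113.9", 443, 2, 120),           # camera talking straight to the internet
    ("10.20.1.77", "198.51.100.20", 80, 50000, 3000000),  # 60-byte packets hammering three web hosts
    ("10.20.1.77", "198.51.100.21", 80, 48000, 2880000),
    ("10.20.1.77", "198.51.100.22", 443, 47000, 2820000),
    ("10.10.5.3", "10.20.1.15", 502, 40, 3200),           # IT host reaching into the OT segment
]

def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL)

def ddos_suspects(flows, min_packets=10000, max_avg_bytes=100):
    """Sources flooding external hosts with small packets: the profile of a device co-opted into a DDoS."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "targets": set()})
    for src, dst, _port, pkts, nbytes in flows:
        if is_external(dst):
            stats[src]["packets"] += pkts
            stats[src]["bytes"] += nbytes
            stats[src]["targets"].add(dst)
    suspects = {}
    for src, s in stats.items():
        avg = s["bytes"] / s["packets"]
        if s["packets"] >= min_packets and avg <= max_avg_bytes:
            suspects[src] = {"packets": s["packets"], "avg_bytes": round(avg, 1),
                             "targets": sorted(s["targets"])}
    return suspects

def segmentation_violations(flows):
    """Flows crossing the IT/IoT/OT boundary: IoT devices reaching the internet, or IT hosts reaching IoT."""
    findings = []
    for src, dst, port, _pkts, _bytes in flows:
        src_iot = ip_address(src) in IOT_SEGMENT
        if src_iot and is_external(dst):
            findings.append((src, dst, port, "iot-to-internet"))
        elif not src_iot and ip_address(dst) in IOT_SEGMENT:
            findings.append((src, dst, port, "it-to-iot"))
    return findings
```

The thresholds are placeholders to tune against a baseline of normal traffic; the camera's two small packets are a segmentation finding but not a DDoS finding, while the 145,000-packet flood at 60 bytes per packet is both.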

Earlier this month, Cyble also reported that hacktivists are increasingly targeting critical infrastructure installations, shifting beyond traditional tactics such as DDoS attacks and website defacements. This comes as they are adopting more sophisticated and destructive methods, including ransomware and attacks specifically designed to disrupt critical systems.
