A new report from Cyble reveals that hacktivists are increasingly targeting critical infrastructure installations, shifting beyond traditional tactics such as DDoS attacks and website defacements. This comes as they are adopting more sophisticated and destructive methods, including ransomware and attacks specifically designed to disrupt critical systems.
“Pro-Russian hacktivists were the most active in the first quarter, led by NoName057(16), Hacktivist Sandworm, Z-pentest, Sector 16, and Overflame. The groups primarily targeted NATO-aligned nations and Ukraine supporters,” according to a recent blog post. “Russia-linked groups are increasingly targeting critical infrastructure.” Hacktivist attacks on Industrial Control Systems (ICS) and Operational Technology (OT) surged 50% in the month of March alone, Cyble said, as “pro-Russian actors increasingly exploited internet-facing ICS/OT for wider political and economic impact.”
Additionally, multi-vector and coalition attacks have also become more common. “Groups have combined DDoS, credential leaks, and ICS disruption to bypass single-layer defenses—an evolution Cyble predicted in its 2024 Annual Report. Meanwhile, pro-Ukrainian, pro-Palestinian, and anti-establishment hacktivists targeted Russia, Israel, and the United States, often aligning their campaigns with conflict developments, elections, or other events.”
The report provided a look at the most active hacktivist groups in the first quarter, showing consistent activity by Mr Hamza, Team 1722, and Keymous+. Cyble disclosed that the sectors most targeted by hacktivists in the first quarter of 2025 were government and law enforcement, banking and financial services, telecommunications, and energy and utilities.
The hacktivist group NoName057(16) continued to orchestrate and instigate attacks across multiple sectors. The energy and utilities sector emerged as the primary target for attacks on ICS, with significant incidents affecting energy distribution and water utilities. This reflects a calculated shift toward disrupting infrastructure critical to national resilience and essential service delivery.
Regionally, India reported the highest number of incidents in January, though activity declined in the following months. Cyble suggests this trend likely corresponds to India’s rising strategic visibility and ongoing regional rivalries. Israel remained under sustained attack, with a notable spike in March. This escalation was largely attributed to pro-Palestinian hacktivist groups responding to continued hostilities in Gaza and broader tensions across the Middle East.
In the U.S., March also saw a marked uptick in hacktivist activity, coinciding with early policy actions by the administration of President Donald Trump, including military strikes in Yemen and the imposition of import tariffs.
NATO countries—particularly France, Italy, and Spain—faced persistent hacktivist campaigns. Spain, in particular, experienced a sharp increase in attacks in March, underscoring a broader pattern of reprisals against NATO members for their ongoing political, financial, and military support of Ukraine.
Cyble observed at least eight hacktivist groups and their allies embracing ransomware as a tool for ideological disruption in the first quarter. A Ukraine-aligned group, BO Team, conducted a ransomware attack on a Russian industrial manufacturer allegedly linked to the Ministry of Defense. The operation encrypted over 1,000 hosts and 300TB of data, culminating in a $50,000 Bitcoin ransom payment. The incident highlights the growing overlap between hacktivist motivation and cybercriminal methodology.
Yellow Drift targeted Russian government platforms and claimed several attacks during the quarter. Notably, the group compromised over 250TB of government data from the Tomsk region and 550TB from the national e-procurement system.
The pro-Ukrainian hacktivist group known as C.A.S. carried out a coordinated cyber operation against a Russian technology firm. The attackers claim to have exfiltrated approximately 3 terabytes of internal corporate data, including source code, accounting records, employee documents, and internal network documentation. The group reported that they partially destroyed the company’s infrastructure, targeting Windows and Linux Mint workstations, database servers, development environments, and backup systems.
Moroccan Dragons announced the development of a proprietary ransomware program named M-DragonsWare. The statement was shared via their Telegram channels, though no technical specifications or intended deployment targets have been disclosed.
Cyble also observed several hacktivist groups engaged in more sophisticated website attacks, including SQL injection, brute-forcing internet-exposed web panels to gain illicit access to data, exploiting OWASP-category vulnerabilities in web panels to steal data, and dorking to discover misconfigured or internet-exposed databases. ParanoidHax, THE ANON 69, Indohaxsec, and Defacer Kampung were observed promoting data leaks on their Telegram channels.
In conclusion, Cyble noted that the growing sophistication of hacktivist groups is narrowing the gap between nation-states and financially motivated threat actors and increasing risk for organizations in regions with geopolitical conflicts, such as the U.S., Europe, Asia, and the Middle East. “To guard against these growing risks, organizations should implement cybersecurity best practices such as network segmentation, Zero Trust, risk-based vulnerability management, ransomware-resistant backups, protecting web-facing assets, and network, endpoint, and cloud monitoring.”