Hacktivist Group Targets Critical Infrastructure with Advanced Ransomware Tactics

A newly released report from cyber threat intelligence firm Cyble reveals a significant evolution in hacktivist activities, as groups increasingly shift from traditional disruption techniques to sophisticated attacks targeting critical infrastructure and deploying ransomware.

According to Cyble, hacktivism is rapidly transforming into a potent instrument of hybrid warfare, characterized by the adoption of attack methods typically associated with nation-state and financially motivated cybercriminal actors.

Pro-Russian Groups Lead Surge in ICS and OT Attacks

The first quarter of 2025 saw pro-Russian hacktivist collectives dominate the threat landscape, with groups such as NoName057(16), Hacktivist Sandworm, Z-pentest, Sector 16, and Overflame orchestrating a high volume of attacks.

These actors predominantly targeted NATO-aligned states and nations supporting Ukraine, focusing their efforts on critical infrastructure assets.

Cyble observed a 50% surge in hacktivist-driven intrusions against Industrial Control Systems (ICS) and Operational Technology (OT) in March, as threat actors exploited internet-exposed systems to maximize political and economic disruption.

Coalition attacks combining DDoS, credential exposure, and direct ICS interference have become increasingly common, enabling adversaries to bypass single-layer defenses and inflict broader operational impact.

Ransomware and Sophisticated Web Intrusions Expand Hacktivist Arsenal

The report further highlights the adoption of ransomware by at least eight hacktivist groups as a means of ideological disruption and extortion.

Notable incidents include a ransomware attack by the Ukraine-aligned group BO Team on a Russian defense-linked manufacturer, which encrypted thousands of endpoints and extracted a $50,000 Bitcoin ransom.

Similarly, Yellow Drift compromised hundreds of terabytes of Russian government data, while C.A.S., another pro-Ukrainian actor, targeted a Russian technology firm, exfiltrating three terabytes of sensitive corporate data and partially destroying both Windows and Linux infrastructure.

[Figure: Ransomware: top 10 most active groups]

Moroccan Dragons, operating out of North Africa, announced the development of a proprietary ransomware variant, M-DragonsWare, suggesting further tactical evolution among ideologically motivated threat actors.

Additionally, Cyble documented a spike in SQL injection attacks, brute-forcing of web login panels, exploitation of known OWASP vulnerabilities, and “dorking” to locate misconfigured or unprotected databases.

Groups like ParanoidHax, THE ANON 69, Indohaxsec, and Defacer Kampung have been actively publicizing data leaks on encrypted communication platforms such as Telegram.

Hacktivists have most frequently targeted sectors vital to national stability and public confidence, including government and law enforcement, banking and financial services, telecommunications, and especially energy and utilities.

The energy sector, encompassing electricity distribution and water utilities, continues to be a primary focus due to its role in national resilience.

Nations such as India, Israel, the United States, and key NATO members experienced heightened attack activity, often correlating with geopolitical events, ongoing conflicts, and policy shifts.

India, for example, faced a spike in attacks in January, while Israel experienced a major uptick in March, largely linked to ongoing Middle Eastern tensions and conflict in Gaza.

The United States saw attack volumes increase in conjunction with new policy initiatives by the Trump administration.

Cyble’s findings underscore the narrowing gap between hacktivist, nation-state, and financially motivated cyber threats, significantly raising the risk profile for organizations operating in volatile geopolitical environments.

To mitigate these evolving threats, Cyble recommends robust cybersecurity measures, including network segmentation, Zero Trust architecture, risk-based vulnerability management, ransomware-resistant backups, protection of web-facing assets, and comprehensive monitoring across network, endpoint, and cloud environments.

Cyble's attack surface management solutions can proactively identify and remediate exposures, providing early warning and critical defense against the rising tide of ideologically driven cyber aggression.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
