
Hacktivist Groups Target Critical ICS Systems to Steal Sensitive Data


The hacktivist threat landscape has undergone a marked shift in 2025, with groups increasingly targeting critical industrial control systems (ICS) in deliberate efforts to compromise sensitive data and disrupt essential services.

Recent analysis by threat intelligence firm Cyble has shown that ICS attacks, data breaches, and access-based intrusions accounted for 31% of hacktivist activities in the second quarter of 2025, an uptick from 29% in the previous quarter.

This evolution reflects a growing strategic intent and technical capability within hacktivist ecosystems, moving beyond the familiar territory of distributed denial-of-service (DDoS) offensives and website defacements.

Russia-Linked Groups

At the forefront of this escalation are Russia-affiliated hacktivist collectives, most notably the group Z-Pentest, which has dramatically increased its output with 38 ICS attacks in Q2, more than double the recorded incidents in Q1.

The coordinated nature of these attacks, frequently targeting energy infrastructure across multiple European and NATO-aligned countries, points to a structured campaign approach likely aligned with broader Russian cyber-espionage and disruption objectives.

Z-Pentest, along with other newly emerged Russia-linked threat actors such as Dark Engine and Sector 16, has begun publishing screen recordings of ICS tampering to amplify the psychological and operational impact of their campaigns.

Cyble’s analysis indicates a broadening of target sectors, with the Energy & Utilities segment remaining the primary focus, accompanied by significant intrusions into manufacturing, transportation, and telecommunications.

Notably, Italy has emerged as the leading target, with the United States, Czech Republic, France, and Spain also experiencing significant surges in ICS-targeted attacks.

Emergence of New Threat Actors

The hacktivist arena is also witnessing the rise of new actors with varied geopolitical motivations.

The group Dark Engine, which has operated across the EU, Asia, and Latin America, displays both strategic breadth and technical depth in its attacks against infrastructure sectors, including Energy, Food & Beverages, and Manufacturing.

Dark Engine’s intrusions are often accompanied by leaks of ICS/HMI control interface screenshots to demonstrate system compromise.

A high-profile attack involved unauthorized access to SCADA systems controlling industrial furnaces in Vietnam, which the group justified as retaliation against adversaries hostile to China, framing its campaigns within the context of the Eastern bloc.

Figure: Dark Engine SCADA compromise

Other notable hacktivist entities include APT IRAN, which intensified operations against the US energy sector amid heightened Iran-Israel tensions, and BL4CK CYB3R, a Cambodia-based collective targeting Thai government and IT sectors during the recent border conflict.

These groups have demonstrated the ability to adapt access-based intrusions, data exfiltration, and psychological operations to ongoing regional disputes, further blurring the lines between hacktivism and state-aligned cyber operations.

Hacktivist operations in 2025 have become increasingly sophisticated, with cross-group collaboration now extending beyond regional or ideological boundaries to unite disparate actors around shared adversaries.

Attacks are often synchronized to coincide with physical or geopolitical flashpoints (Ukraine-Russia, Israel-Iran, India-Pakistan, and others), maximizing their disruptive and symbolic impact.

According to the report, the government and law enforcement sector remains the most heavily targeted, followed by persistent threats in education, banking, and transportation.

Data breaches serve both as a tool for exposing sensitive credentials and as a catalyst for information operations aimed at undermining trust in public institutions.

Meanwhile, some collectives are experimenting with ransomware tactics, suggesting a potential pivot toward hybrid, financially motivated campaigns, though no large-scale operational success from such attacks has yet been observed.

A growing trend among pro-Muslim and other ideologically driven hacktivist groups is the integration of cyberattack disclosures with curated news content and user-generated media, amplifying psychological and political shockwaves.

As hacktivists increasingly target core national resilience sectors and evolve their methods, organizations operating ICS environments must adopt enhanced threat intelligence and robust operational technology (OT) security protocols to safeguard critical infrastructure against this rising tide of cyber-physical disruption.
