Hacktivist attacks on critical infrastructure doubled over the course of the third quarter, according to a new Cyble report.
Hacktivist attacks on industrial control systems (ICS) grew throughout the third quarter and made up 25% of all hacktivist attacks by September, Cyble wrote in a blog post. “If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025,” Cyble said.
The report follows a Canadian Centre for Cyber Security warning last week that hacktivists are targeting critical infrastructure in that country.
Hacktivist Attacks on Critical Infrastructure Led by Russia-linked Groups
Cyble said DDoS attacks and website defacements still account for most hacktivist activity, but the ideologically-motivated threat groups are increasingly turning their focus toward ICS attacks, data breaches, unauthorized access, and ransomware.
Z-Pentest has been the leading hacktivist group targeting ICS infrastructure, but the threat group has also been joined by Dark Engine (also known as the Infrastructure Destruction Squad), Golden Falcon Team, INTEID, S4uD1Pwnz, and Sector 16.
“Russia-aligned hacktivist groups INTEID, Dark Engine, Sector 16, and Z-Pentest were responsible for the majority of recent ICS attacks, primarily targeting Energy & Utilities, Manufacturing, and Agriculture sectors across Europe,” Cyble said. “Their campaigns focused on disrupting industrial and critical infrastructure in Ukraine, EU and NATO member states.”
Among Z-Pentest’s targets in the third quarter were a water utility HMI system in the U.S. and an agricultural biotechnology SCADA system in Taiwan. The group frequently posts videos of its members tampering with ICS controls, and may have been one of the groups the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was referring to in a warning about critical infrastructure tampering attacks earlier this year.
Most Active Hacktivist Groups
NoName057(16) remains the most active hacktivist group despite attempts by law enforcement to disrupt its operations, Cyble said. Z-Pentest and Hezi Rash increased their share of attacks in the third quarter, the threat intelligence company said. Special Forces of the Electronic Army, Jokeir_07x and BL4CK CYB3R all lost ground in the quarter, while newcomers like Red Wolf Cyber Team and INTEID increased their share of hacktivist activity in the quarter.
One of the more noteworthy incidents in the quarter involved the Belarusian group Cyber Partisans BY, which joined with Silent Crow to claim a cyberattack on Russian state airline Aeroflot. The attackers disrupted key systems, exfiltrated more than 22TB of data, and claimed to have destroyed about 7,000 servers, Cyble said.
In another noteworthy hacktivist attack, the Ukrainian Cyber Alliance and BO Team claimed a breach of a Russian manufacturer involved in military drone production, stealing engineering blueprints, VMware snapshots, storage mappings, and CCTV footage from UAV assembly facilities. The groups said they wiped servers, backups, and cloud environments after they exfiltrated data.
Hacktivism and Geopolitical Conflict
Geopolitical conflict “remains a primary motive in hacktivist campaigns,” Cyble said.
The Thailand–Cambodia border conflict, the India–Pakistan and India-Bangladesh rivalries, Middle East conflicts – including the Israel–Hamas war and the Israel-Iran and Houthi–Saudi Arabian conflicts – the Russia–Ukraine war and domestic unrest in the Philippines were some of the major conflicts driving hacktivism across the globe.
Ukraine was the leading target of hacktivist campaigns in the third quarter, Cyble said (chart below).
“The growing sophistication of the leading hacktivist groups is by now an established trend and will likely continue to spread to other groups over time,” Cyble said. “That means that exposed environments in critical sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure.”
