Hacktivist Groups Attack Critical ICS Systems to Steal Sensitive Data
The cybersecurity landscape has witnessed an alarming evolution in hacktivist operations, with threat actors increasingly shifting their focus from traditional DDoS attacks and website defacements to sophisticated industrial control system (ICS) infiltrations.
This tactical transformation represents a significant escalation in the hacktivist threat ecosystem, as groups now target critical infrastructure components that directly impact national security and economic stability.
Industrial control system attacks, data breaches, and access-based intrusions have surged to comprise 31% of all hacktivist activities in the second quarter of 2025, marking a notable increase from the 29% recorded in the previous quarter.
This upward trajectory signals a concerning shift toward infrastructure-level interference, demonstrating enhanced strategic intent and technical capabilities within the hacktivist community.
The emergence of Russia-linked groups has fundamentally altered the hacktivist landscape, with organizations like Z-Pentest leading the charge in ICS-targeted operations.
Cyble analysts identified Z-Pentest as the most prolific hacktivist group targeting critical infrastructure, executing 38 ICS attacks in Q2 2025 alone—representing a staggering 150% increase from the 15 attacks attributed to the group in the first quarter.
The group’s consistent targeting of energy infrastructure across multiple European nations reflects a coordinated campaign strategy designed to maximize psychological and operational impact.
Dark Engine, operating under the alias “Infrastructure Destruction Squad,” has emerged as another significant threat actor, conducting 26 ICS-targeted incidents during the second quarter with a pronounced operational surge in June.
The group’s recent compromise of an HMI/SCADA interface controlling a high-temperature furnace in Vietnamese industrial operations exemplifies the sophisticated nature of these attacks.
Attack Methodologies and Technical Sophistication
The technical approach employed by these hacktivist groups reveals a concerning level of operational maturity in ICS environments.
Z-Pentest has adopted a particularly insidious tactic of recording screen captures during their tampering with ICS controls, subsequently publishing these recordings to amplify the psychological impact of their operations.
Dark Engine’s infiltration techniques focus on exploiting human-machine interface (HMI) and SCADA systems, particularly those controlling industrial processes in sectors such as metallurgy, ceramics, cement, and food processing.
The group’s ability to gain unauthorized access indicates sophisticated reconnaissance capabilities and a deep understanding of industrial control protocols.