Pro-Russian Hackers Forge New Alliances for High-Profile Cyberattacks

The ongoing Russia-Ukraine conflict, which intensified in 2022, continues to reshape the cybercrime landscape in 2025, with hacktivism emerging as a potent weapon in geopolitical disputes.

Since the war’s outbreak, pro-Russian and pro-Ukrainian hacktivist groups have waged a parallel battle in cyberspace, employing distributed denial-of-service (DDoS) attacks, website defacements, and data breaches to influence the conflict.

The evolving geopolitical climate, particularly the uncertainty over U.S. military support for Ukraine following President Donald Trump’s inauguration in January 2025, has further fueled these cyber campaigns.

Escalating Hacktivism Amid Geopolitical Tensions

European nations, responding to fears of reduced U.S. involvement, have ramped up defense spending and aid to Ukraine, prompting a surge in retaliatory cyberattacks from pro-Russian groups.

Notably, after Lithuania’s Foreign Minister Kestutis Budrys criticized Russian tactics in May 2025, groups like NoName057(16), Dark Storm Team, and ServerKillers launched #OpLithuania, targeting Lithuanian government and financial sectors with coordinated DDoS attacks.

Among the prominent actors, NoName057(16) has solidified its position as a leading pro-Russian hacktivist group since its inception in March 2022, eclipsing predecessors like KillNet, which shifted focus to financially motivated cybercrime.

NoName057(16) frequently targets NATO countries and Ukrainian supporters, leveraging current events like military aid announcements to justify attacks and rally other hacktivist factions.

According to Intel471 Report, their DDoSia project, a crowdsourced attack tool developed in Go, enables volunteers to participate in DDoS campaigns, with top contributors rewarded in cryptocurrency.

Strategic Collaborations

Meanwhile, new groups like IT Army of Russia, which surfaced in late March 2025, and TwoNet, emerging in January 2025, have added fresh momentum to pro-Russian cyber efforts.

IT Army of Russia focuses on data theft via SQL injection vulnerabilities and DDoS attacks against Ukrainian infrastructure, while also seeking insider information through Telegram channels.

TwoNet, with around 40 members, targets entities in Spain, Ukraine, and the U.K., primarily in aviation and government sectors, using tools like MegaMedusa Machine for DDoS operations.

Their collaboration with other groups, such as Dark Storm and Sector 16, highlights a growing network of alliances, amplifying their impact.

Questions persist about state involvement, with allegations of Russian government ties to groups like Cyber Army of Russia Reborn (CARR).

The U.S. Treasury’s 2024 sanctions on CARR members Yuliya Pankratova and Denis Degtyarenko, coupled with Mandiant’s findings linking CARR to GRU-attributed Seashell Blizzard (APT44), suggest plausible deniability for state-sponsored cyber operations.

Ukrainian OSINT provider Molfar’s January 2025 research further claims connections between NoName057(16) members and Russian state structures, though these remain unverified.

Beyond Europe, pro-Russian groups like TwoNet and ServerKillers have extended attacks to Israeli targets following Israel’s military actions against Iran in June 2025, reflecting broader geopolitical alignments given Iran’s support for Russia with drone technology.

As hacktivist alliances strengthen and tools become more accessible, the intersection of cyber warfare and global politics continues to pose significant risks to critical infrastructure worldwide, demanding robust cybersecurity defenses and international cooperation to mitigate these evolving threats.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free