
Hacktivism More and more Focusing on Essential Infrastructure

Analysis from Cyble indicates that hacktivists are moving beyond website defacements and DDoS attacks (which are typically associated with ideologically driven cyberattacks) and increasingly targeting critical infrastructure. In the second quarter of 2025, 31% of hacktivist attacks included industrial control system (ICS) attacks, access-based attacks, and data breaches. This is an increase from the first quarter of the year, in which this type of activity comprised 29% of hacktivist activity.

Z-Pentest, a Russia-linked hacktivist group, is currently the top observed group targeting critical infrastructure. In the second quarter of 2025, the group had 38 ICS attacks, representing a 150% increase from the previous quarter. Z-Pentest's consistent targeting suggests an organized campaign approach to its attacks.

Below, security leaders discuss these findings and more.

Security Leaders Weigh In

Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace:

This research underscores a growing reality: hacktivists are increasingly targeting critical infrastructure. As geopolitical tensions escalate, we're seeing a rise in activity aimed at operational technology (OT) environments. This pattern aligns with warnings issued by agencies like CISA and the NCSC, particularly regarding the heightened threat landscape for critical infrastructure in Europe and the U.S.

As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene and proactively addressing vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors — particularly in sectors where disruption can ripple across national security, public safety, and economic stability.

James Maude, Field CTO at BeyondTrust:

As global geopolitical tensions continue to rise, hacktivism is evolving and is increasingly being used to disrupt, intimidate and score political points.

We have seen groups evolve from large-scale DDoS and defacement into far more sophisticated threats targeting Industrial Control Systems (ICS), spoofing GPS signals in the Gulf region to disrupt shipping, and breaching Nobitex, a prominent Iranian cryptocurrency exchange. Increasingly, the lines between hacktivism, for-profit cybercrime and nation-state actions are blurred. A group known as "Keymous+" appears to be building alliances across multiple hacktivist groups in order to expand their reach while also offering a for-hire DDoS service known as EliteStress.

As the lines between hacktivism and cybercrime blur, the methods used have evolved in a similar manner. In the past, hacktivists often behaved like protesters, blocking access to websites using DDoS attacks or defacing them in much the same way that protesters might graffiti a building. This has now evolved into tactics more associated with for-profit cybercrime, seeking to inflict damage from within and breach sensitive data or disrupt internal systems.

While access-based intrusions and ICS attacks are still in the minority, their growing prevalence reflects the reality that identity is the new perimeter. With increasingly sophisticated DDoS defences, it's becoming easier to make your point by compromising the right identity and logging in than by building a global botnet to launch a DDoS attack. In reality the impact can be far greater, as while knocking a website offline can make a point, being able to take control of industrial control systems is far more concerning.

These internal systems often represent a softer target for hacktivists, as they are able to target vendors and third parties who have privileged credentials and access to the target network via a VPN. This increases the identity attack surface and can provide hacktivists with an easier route in. As these attacks continue to evolve, organizations should think about proactively reducing their identity attack surface, focusing on least privilege for privileges and access, and ideally Just-in-Time (JIT) access, to avoid the risks of standing privilege that could be exploited. Organizations should also seek to understand their identity attack surface better through holistic visibility of all the paths to privilege in their environment that might enable a hacktivist to start in one system but pivot into others, increasing the 'blast radius'.

Thomas Richards, Infrastructure Security Practice Director at Black Duck:

Hacktivist groups are growing bolder and more sophisticated in their capabilities. This research also brings to attention what experts have been warning about for years: ICS systems are often not secured properly and are susceptible to compromise. Organizations that operate this infrastructure should be committing to making cybersecurity a top priority. This should include a complete review and threat model of their external attack surface, reviewing how vendors access systems for maintenance, and making attempts to air-gap critical systems to reduce the likelihood of a compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd:

This part of the research is the most interesting to me:

"The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives."

Bob Lord probably said it best, "we're up against human adversaries who organize their work in campaigns" — while these groups are not paid or funded by another entity or state — they're clearly coordinated.

Attack evolution is to be expected — they may have new guidance, requests, interest, or tooling enabling the shift toward directed compromise over disruptive DDoS attacks. The dynamic to note is that as defenders, we respond to the threat actor — we prepare, detect, contain, recover — in response to their attacks. ICS (transportation, energy, manufacturing) systems are notoriously softer targets, if you can get access to them. We may find that the DoS activity follows the classic template of task-loading technical teams to increase their dwell time — they'll be too busy with the DoS to identify and respond to a network intrusion.
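Ford's point that a DoS can be used to keep responders busy while an intrusion proceeds suggests a concrete detection rule: any remote-access event that lands inside an active DoS window must not be deferred. The script below is an added example, not code from the article or from any of the vendors quoted. It assumes a simple SIEM-style export (ISO timestamp, event type, key=value fields) and a constructed sample log; the event names and the 30-minute grace period after the flood ends are assumptions for illustration.

```python
"""Flag VPN/HMI logins that occur while a DoS incident is open.

Added example, not from the article or any vendor it quotes. The export
format and event names below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: a volumetric DoS alert opens at 09:00 and a
# vendor VPN login from a never-before-seen address arrives during it.
SAMPLE_LOG = """\
2025-06-12T07:50:00Z hmi_login user=operator2 src=10.20.0.5
2025-06-12T08:15:00Z vpn_login user=vendor-acme src=203.0.113.7
2025-06-12T09:00:00Z ddos_start target=www detail=volumetric
2025-06-12T09:12:30Z vpn_login user=vendor-acme src=198.51.100.22
2025-06-12T09:20:10Z hmi_login user=operator2 src=10.20.0.5
2025-06-12T09:45:00Z ddos_end target=www
2025-06-12T11:05:00Z vpn_login user=vendor-acme src=203.0.113.7
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse(log: str) -> list:
    """Parse one export line per event; key=value pairs become a dict."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_s, kind, *rest = line.split()
        fields = dict(p.split("=", 1) for p in rest)
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        events.append(Event(ts, kind, fields))
    return events


def dos_windows(events, grace=timedelta(minutes=30)):
    """Pair ddos_start/ddos_end into windows, extended by `grace` because
    the scramble to restore service outlasts the flood itself."""
    windows, open_start = [], None
    for e in events:
        if e.kind == "ddos_start":
            open_start = e.ts
        elif e.kind == "ddos_end" and open_start is not None:
            windows.append((open_start, e.ts + grace))
            open_start = None
    if open_start is not None:  # incident still open at end of export
        windows.append((open_start, events[-1].ts + grace))
    return windows


ACCESS_KINDS = {"vpn_login", "hmi_login"}


def flag_masked_access(events):
    """Return access events inside a DoS window, marking whether the source
    address is new for that account (the 'easier route in' Maude describes).
    Events outside any window are left to normal triage."""
    windows = dos_windows(events)
    seen = {}
    flagged = []
    for e in events:
        if e.kind not in ACCESS_KINDS:
            continue
        user, src = e.fields.get("user"), e.fields.get("src")
        new_source = src not in seen.setdefault(user, set())
        seen[user].add(src)
        if any(start <= e.ts <= end for start, end in windows):
            flagged.append({
                "ts": e.ts.isoformat(),
                "kind": e.kind,
                "user": user,
                "src": src,
                "new_source": new_source,
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_masked_access(parse(SAMPLE_LOG)):
        print(hit)
```

On the sample log this flags two events: the vendor VPN login from a new address at 09:12 and the operator HMI login at 09:20, with only the former marked as a new source. In a real deployment the baseline of known sources per account would be seeded from history rather than from the same export, and the rule would feed a queue that the DoS response cannot starve.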

Venky Raju, Field CTO at ColorTokens:

Hacktivists have been attacking ICS infrastructure for several years now. The low-hanging fruit for hackers is default credentials on common HMIs, which are often made accessible directly on the Internet for remote administration due to operator budget constraints. While VPNs significantly mitigate the risk, hacktivists can leverage credential dumps from past breaches and password re-use.

Practical considerations for operators include microsegmentation of ICS systems and implementing strong identity-based zero-trust network access (ZTNA). HMIs should never be placed on the open Internet, even with obfuscated ports, as adversaries have tools like Shodan and Censys to discover, enumerate, and attack them. Additionally, passwordless authentication should be considered to eliminate the fundamental problems of password re-use and leaks.
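Raju's two rules (no HMI on the open Internet, even on a non-standard port; ICS reachable only through an identity-aware broker) can be checked mechanically against a firewall or segmentation policy export. The audit below is an added example, not code from the article or from ColorTokens. The ICS subnet, the ZTNA broker subnet, the rule tuple format and the sample rules are all constructed assumptions; the port-to-protocol table is illustrative, not exhaustive.

```python
"""Audit a segmentation policy for Internet-exposed or un-brokered ICS access.

Added example, not from the article or ColorTokens. Zone addresses, the
rule format and the sample policy are assumptions for illustration.
"""
import ipaddress

ICS_ZONE = ipaddress.ip_network("10.20.0.0/16")    # assumed HMI/PLC subnet
ZTNA_BROKER = ipaddress.ip_network("10.1.5.0/24")  # assumed broker / jump hosts

# Well-known ICS and HMI-console ports (illustrative, not exhaustive).
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP",
    5900: "VNC (HMI console)",
    3389: "RDP (HMI console)",
    80: "HTTP (HMI web UI)",
    443: "HTTPS (HMI web UI)",
}

# Constructed policy export: (name, action, src_cidr, dst_cidr, dst_port)
SAMPLE_RULES = [
    ("allow-broker-hmi", "allow", "10.1.5.0/24", "10.20.0.0/16", 443),
    ("vendor-vnc-any",   "allow", "0.0.0.0/0",   "10.20.0.15/32", 5900),
    ("modbus-obscured",  "allow", "0.0.0.0/0",   "10.20.0.20/32", 50502),  # port moved, still exposed
    ("corp-to-plc",      "allow", "10.0.0.0/8",  "10.20.0.0/16", 502),
    ("deny-all",         "deny",  "0.0.0.0/0",   "10.20.0.0/16", 0),
]


def is_public(net: ipaddress.IPv4Network) -> bool:
    """True when the source range is not entirely private/loopback/link-local."""
    return not (net.is_private or net.is_loopback or net.is_link_local)


def audit(rules):
    """Return (rule_name, severity, message) for every allow rule that
    reaches the ICS zone from the Internet or from outside the broker."""
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue
        src_n = ipaddress.ip_network(src)
        dst_n = ipaddress.ip_network(dst)
        if not dst_n.subnet_of(ICS_ZONE):
            continue  # rule does not touch the ICS zone
        if src_n.prefixlen == 0 or is_public(src_n):
            service = ICS_PORTS.get(port, "non-standard port; obscurity is not a control")
            findings.append((name, "CRITICAL",
                             f"ICS host reachable from the Internet on port {port} ({service})"))
        elif not src_n.subnet_of(ZTNA_BROKER):
            findings.append((name, "HIGH",
                             f"ICS reachable from non-broker network {src} on port {port}; "
                             "route access through the ZTNA broker"))
    return findings


if __name__ == "__main__":
    for rule, sev, msg in audit(SAMPLE_RULES):
        print(f"[{sev}] {rule}: {msg}")
```

Against the sample policy the audit reports the VNC rule and the moved-port Modbus rule as critical Internet exposure, and the broad corporate-to-PLC rule as high severity because it bypasses the broker; only the broker-to-HMI rule passes. The same check can be run in CI against exported rule sets so that a newly added "temporary" vendor rule is caught before it ships.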
