Hacktivism Increasingly Targeting Critical Infrastructure

July 17, 2025

Research from Cyble indicates that hacktivists are expanding beyond website defacements and DDoS attacks (the tactics typically associated with ideologically driven cyberattacks) and increasingly targeting critical infrastructure. In the second quarter of 2025, 31% of hacktivist attacks consisted of industrial control system (ICS) attacks, access-based attacks, and data breaches. This is an increase from the first quarter of the year, in which this type of activity comprised 29% of hacktivist activity.

Z-Pentest, a Russia-linked hacktivist group, is currently the top observed group targeting critical infrastructure. In the second quarter of 2025, the group carried out 38 ICS attacks, a 150% increase from the previous quarter. Z-Pentest’s consistent targeting suggests an organized campaign approach to its attacks.

Below, security leaders discuss these findings and more. 

Security Leaders Weigh In 

Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace:

This research underscores a growing reality: hacktivists are increasingly targeting critical infrastructure. As geopolitical tensions escalate, we’re seeing an increase in activity aimed at operational technology (OT) environments. This pattern aligns with warnings issued by agencies like CISA and the NCSC, particularly regarding the heightened threat landscape for critical infrastructure in Europe and the U.S. 

As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene and proactively addressing vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors — especially in sectors where disruption can ripple across national security, public safety, and economic stability.

James Maude, Field CTO at BeyondTrust:

As global geopolitical tensions continue to rise, hacktivism is evolving and increasingly being used to disrupt, intimidate and score political points.

We have seen groups evolve from large-scale DDoS and defacement into much more sophisticated threats targeting Industrial Control Systems (ICS), spoofing GPS signals in the Gulf region to disrupt shipping, and breaching Nobitex, a prominent Iranian cryptocurrency exchange. Increasingly, the lines between hacktivism, cybercrime for profit and nation-state activities are blurred. A group known as “Keymous+” appears to be building alliances across multiple hacktivist groups in order to expand their reach while also offering a for-hire DDoS service known as EliteStress.

As the lines between hacktivism and cybercrime blur, the techniques used have evolved in a similar way. In the past, hacktivists often behaved like protestors, blocking access to websites using DDoS attacks or defacing them, in much the same way that protesters might graffiti a building. This has now evolved into tactics more associated with for-profit cybercrime, seeking to inflict damage from within and breach sensitive data or disrupt internal systems.

While access-based intrusions and ICS attacks are still in the minority, their growing prevalence reflects the fact that identity is the new perimeter. With increasingly sophisticated DDoS defences, it is becoming easier to make your point by compromising the right identity and logging in than by building a global botnet to launch a DDoS attack. In fact, the impact can be far greater: while knocking a website offline can make a point, being able to have control over industrial control systems is far more concerning.

These internal systems often represent a softer target for hacktivists, as they may be able to target vendors and third parties who have privileged credentials and access to the target network via a VPN. This increases the identity attack surface and can provide hacktivists with an easier route in. As these attacks continue to evolve, organizations should think about proactively reducing their identity attack surface, focusing on least privilege for privileges and access and, ideally, Just-in-Time (JIT) access to avoid the risks of standing privilege that could be exploited. Organizations should also seek to understand their identity attack surface better through holistic visibility of all the paths to privilege in their environment which might enable a hacktivist to start in one system but pivot into others, increasing the ‘blast radius’.

Thomas Richards, Infrastructure Security Practice Director at Black Duck:

Hacktivist groups are growing bolder and more sophisticated in their capabilities. This research also brings to attention what experts have been warning about for years: ICS systems are often not secured properly and are at risk of compromise. Organizations that operate this infrastructure should be committing to making cybersecurity a top priority. This should include a complete review and threat model of their external attack surface, reviewing how vendors access systems for maintenance, and making attempts to air gap critical systems to reduce the likelihood of a compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd:

This part of the research is the most interesting to me:

The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives. 

Bob Lord probably said it best, “we are up against human adversaries who organize their work in campaigns” — while these groups may not be paid or funded by another entity or state — they’re clearly coordinated.

Attack evolution is to be expected — they may have new guidance, requests, interest, or tooling enabling the shift toward directed compromise over disruptive DDoS attacks. The dynamic to note is that as defenders, we respond to the threat actor — we prepare, detect, contain, recover — in response to their attacks. ICS (transportation, power, manufacturing) systems are notoriously softer targets, if you can get access to them. We may find that the DoS activity follows the classic template of task-loading technical teams to increase their dwell time — they’ll be too busy with the DoS to identify and respond to a network intrusion.

Venky Raju, Field CTO at ColorTokens:

Hacktivists have been attacking ICS infrastructure for several years now. The low-hanging fruit for hackers is default credentials on popular HMIs, which are often made accessible directly on the Internet for remote management due to operator budget constraints. While VPNs somewhat mitigate the risk, hacktivists can leverage credential dumps from past breaches and password re-use.

Practical considerations for operators include microsegmentation of ICS systems and implementing strong identity-based zero-trust network access (ZTNA). HMIs should never be put on the open Internet, even with obfuscated ports, as adversaries have tools like Shodan and Censys to discover, enumerate, and attack them. Furthermore, passwordless authentication should be considered to eliminate the fundamental problems of password re-use and leaks.