According to a Cyble report sent to clients recently, France is increasingly becoming a target of hacktivists for its active role in international diplomacy and in ongoing conflicts in Ukraine and the Middle East.

France’s role in those conflicts “has drawn the ire of pro-Russian and pro-Palestinian hacktivist groups,” Cyble said, as those hacktivists have found ideological alignment and a common adversary in France.

The attacks have ranged from Distributed Denial-of-Service (DDoS) attacks against French government institutions and other critical infrastructure to attacks against Industrial Control Systems (ICS), with the goal of disrupting essential services, influencing public opinion, and creating political pressure.

Hacktivist Alliance Began with ‘Holy League’

Pro-Russian and pro-Palestinian hacktivists collaborated in the December “Holy League” attacks against French infrastructure and have picked up significantly since January, although Holy League activity against France could also be seen months earlier following the arrest in France of Telegram founder and CEO Pavel Durov.

Cyble threat intelligence researchers listed 13 hacktivist groups that have been active in attacks against France this year:

• NoName057(16)
• Z-pentest
• Keymous+
• RipperSec
• Sector 16
• Cyber Jund (formerly Anonymous Morocco)
• Special Forces of the Electronic Army
• New Republic of Golden Falcon Team
• Anonymous Sudan
• Spider-X
• Rachel Hunter
• Mr Hamza
• DxPloit

NoName has been the most active group, responsible for 30% of the hacktivist attacks, while Z-pentest has been the second most active group with 20% of the attacks.

DDoS attacks account for 73% of the attacks, while ICS breaches account for the other 27%.

Hacktivism in France Up Significantly

Looking at the broadest measure of hacktivist activity – chatter on the groups’ underground channels – Cyble detected 845 mentions of activity targeting France in the first three months of 2025, up nearly 50% from the same period a year earlier. Those mentions may also include other communications, such as sharing news and offers of help in conducting cyberattacks, so that data is more a measure of interest than attack numbers.

Two clusters of attacks stand out in Cyble data. At least 11 French organizations faced DDoS and ICS attacks after a March 10 government announcement of military aid to Ukraine funded by interest from frozen Russian assets, and eight of the groups were involved in organized attacks against at least 10 French targets following an early February announcement of government plans to supply Ukraine with Mirage 2000-5 fighter jets.

NoName057(16), a pro-Russian group, has been “persistently targeting governmental and other sectors” since January, the Cyble report noted.

Z-pentest, Golden Falcon Team and Sector 16 have primarily targeted Industrial Control Systems (ICS) in critical infrastructure environments like energy and wastewater and posted videos of members tampering with system controls, a pattern that Z-pentest, in particular, has been notably pursuing since last year.

RipperSec has targeted digital services and industrial controls, while Cyber Jund (formerly Anonymous Morocco), Keymous+, Rachel Hunter, and Mr Hamza have all predominantly focused on DDoS attacks.

Analysis of the attacks by the NoName057(16) reveals concentrated targeting across several key French regions. The region Île-de-France, home to Paris and many strategic economic entities experienced the highest number of incidents, highlighting the region’s strategic and symbolic value to attackers. Other regions significantly impacted include Provence-Alpes-Côte d’Azur, Grand Est, and northern and western regions such as Normandy, Pays de la Loire, and Hauts-de-France.

In addition to government institutions such as local governments and key federal government offices, hacktivist groups have also been targeting critical sectors such as Energy and utilities, Banking and financial Services (BFSI), Transportation and logistics, and Telecommunications.

Cyble noted that in critical infrastructure attacks, “hacktivists are leveraging illicit access to industrial control panels, VNCs, and HMIs to disrupt industrial operations and maximize the impact of their attacks.”

Hacktivists Hit French Critical Infrastructure

Cyble has detailed numerous attacks against French ICS and SCADA (Supervisory Control and Data Acquisition) systems.

Among other attacks, the pro-Russian hacktivist group Z-Pentest claims to have gained unauthorized access to a hydroelectric power plant’s SCADA system. The group shared screenshots of turbine control settings, power output data, water flow rates, and generator synchronization parameters.

Sector16, in collaboration with the Russian group OverFlame, claimed unauthorized access to the control systems of another hydroelectric facility in the southern region of France. Images of the control interface suggest a system “designed for managing critical operations such as water level regulation, pressure control, and turbidity monitoring,” Cyble said, along with advanced tools for monitoring and controlling parameters tied to the facility’s hydroelectric operations.

Golden Falcon Team claimed responsibility for unauthorized access to an application that monitors municipal wastewater sanitation works in France. The group released screenshots of interface control metrics such as pH levels, temperature, conductivity, and water distribution processes, which are essential for managing wastewater treatment and public sanitation operations.

Conclusion

The Cyble report underscores the importance of strong DDoS and critical infrastructure cybersecurity controls.

A comprehensive, risk-based vulnerability management program, strong access controls based on Zero Trust principles, network segmentation – particularly between operational technology (OT) and IT networks – and removing or protecting web-facing access are some of the more important controls for all organizations to adopt.

Cyble’s comprehensive attack surface management solutions can help organizations protect vulnerable assets, whether at the network’s edge or in the cloud.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.