Hacktivists are increasingly targeting critical infrastructure as they expand beyond the DDoS attacks and website defacements typically associated with ideologically motivated cyberattacks.
Cyble’s assessment of the hacktivism threat landscape in the second quarter of 2025 found that industrial control system (ICS) attacks, data breaches, and access-based attacks now comprise 31% of hacktivist attacks, up from 29% in the first quarter (chart below).
What follows is an overview of the hacktivist threat landscape as of mid-2025, including new threat actors and the most attacked global hotspots and sectors.
Since the emergence of Russia-linked Z-Pentest last year, ICS attacks have increasingly become part of hacktivists’ arsenal. This shift from surface-level disruption to infrastructure-level interference suggests growing strategic intent and technical capability within the hacktivist ecosystem.
Z-Pentest has become the leading hacktivist group targeting critical infrastructure, with 38 ICS attacks in the second quarter of 2025 – up more than 150% from the 15 ICS attacks that Cyble attributed to the group in the first quarter.
Z-Pentest’s consistent energy infrastructure targeting across multiple European countries reflects a structured and sustained campaign approach. A frequent Z-Pentest tactic is to post screen recordings of members tampering with ICS controls to amplify the psychological impact of the attacks.
Two other Russia-linked groups have also been actively targeting ICS environments in recent months. Dark Engine – a new group – accounted for 26 ICS-targeted incidents in the second quarter, with a significant operational surge in June. Meanwhile, Sector 16 was linked to 14 attacks in the most recent quarter.
The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives.
The Energy & Utilities sector has emerged as the primary focus of ICS attacks, highlighting a strategic emphasis on infrastructure tied to national resilience. Additional targeting has been observed in the Manufacturing, Transportation, and Telecommunications sectors, including attempts to compromise control systems within national networks.
Italy was the most frequently targeted country in ICS attacks by hacktivists, followed by other NATO-aligned states, including the U.S., the Czech Republic, France, and Spain.
Dark Engine has operated across multiple continents, with confirmed activity in the EU, Asia, and Latin America. The group has engaged in a range of tactics (access-based intrusions, data breaches, and ICS attacks), demonstrating both strategic breadth and technical depth. The group’s targeting has spanned critical infrastructure, notably the Energy and Utilities sector, along with Food and Beverages, Education, and Manufacturing, indicating a deliberate focus on national resilience sectors.
In a recent incident, Dark Engine – also known as the “Infrastructure Destruction Squad” – claimed unauthorized access to an HMI/SCADA interface used in Vietnamese industrial operations. As observed from the leaked screenshots of the compromise (image below), the breached system controls a high-temperature furnace likely used in sectors such as metallurgy, ceramics, cement, or food processing. The group’s justification for the attack references its stance against any nation perceived as hostile to China. Dark Engine frames its activity as part of a cyber campaign in geopolitical alignment with the Eastern bloc, reinforcing its ideological commitment through targeted industrial disruption.
APT IRAN is another emerging group and has maintained a highly focused operation during the Iran-Israel conflict. With observed activity in the U.S., the group has executed ICS-specific operations against the energy sector. The group’s selectivity, timing, and infrastructure targeting suggest alignment with national strategic interests and OT-centric intrusion capabilities.
BL4CK CYB3R, a new politically motivated Cambodian collective, has mainly targeted Thailand. The group has employed both access and DDoS attacks, impacting a wide range of sectors, including IT and ITES, government, and consumer goods. BL4CK CYB3R was extremely active during the Thailand-Cambodia border conflict that began in late May.
Hacktivism in the second quarter was largely dominated by several major conflicts, with Ukraine-Russia, Israel-Iran, India-Pakistan, Thailand-Cambodia, and Morocco-Algeria among the flashpoints for hacktivist activity that has also targeted other countries perceived as allies. Vietnam has also been a target of significant hacktivist activity recently.
Below are the countries most affected by hacktivist attacks in the second quarter:
These were the most active hacktivist groups in the second quarter:
Government and law enforcement topped the list of sectors most impacted by hacktivist attacks in the quarter, although significant activity was seen in other critical and symbolic sectors (chart below).
NoName057(16), Special Forces of the Electronic Army, and Keymous+ were among the hacktivist groups targeting government and law enforcement. Their sustained activity reflects an ongoing focus on public sector disruption.
Energy & Utilities experienced concentrated targeting by Z-Pentest and Dark Engine, aligned with broader ICS-related operations. Persistent, cross-border engagements characterized their campaigns.
In the banking and finance sector, NoName057(16) led, followed by Keymous+ and Indian Cyber Force.
Data breaches remain a persistent but secondary threat, frequently used to expose credentials, administrative interfaces, and internal records. The most impacted sectors were Government and Law Enforcement, followed by Education, Banking, Financial Services and Insurance (BFSI), and Transportation and Logistics. Multi-sector incidents were also recorded, particularly where attacks leveraged shared infrastructure or political messaging.
Access-based attacks were less frequent but indicative of ongoing reconnaissance or pre-positioning efforts. While limited in scale, these incidents were often used to publicly demonstrate system compromise or support information operations aimed at eroding trust in public institutions.
Particularly within pro-Muslim hacktivist collectives, there is a growing trend of combining cyberattack disclosures with news reports, user-generated content, and footage from media agencies. This tactic is designed to amplify the impact of attacks through coordinated information waves, creating broader psychological and political effects.
Group collaboration is no longer limited to regional or ethnic affiliation. Increasingly, threat actors are aligning based on the identification of a mutual enemy and forming temporary alliances across geographic boundaries to target perceived shared adversaries. France has been a target of multiple attack waves by hacktivist alliances.
Some hacktivist factions have experimented with ransomware tactics, signaling a potential shift towards financially motivated hybrid operations. However, no verified evidence of operational success has been identified to date.
As hacktivist groups collaborate, the growing attack sophistication observed in the second quarter will likely continue to spread to other groups over time.
That means that exposed environments in critical and government sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure.
Critical assets should be isolated from the Internet wherever possible, and operational technology (OT) and IT networks should be segmented and protected with Zero Trust access controls. Vulnerability management, along with network and endpoint monitoring and hardening, is another critical cybersecurity best practice.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.