What You Need to Know

  • We examine nearly 800 hacktivist attacks from 2024 by four major and very active groups.
  • Critical infrastructure remains a prime target — with government and military systems at the top.
  • Distributed Denial of Service (DDoS) attacks on websites are the primary attack method.
  • Over a fifth of attacks target transportation and logistics industries.
  • Financial services, telecommunications, energy, and manufacturing are in the top six of targeted industries.

What You Need to Do

With hacktivism increasingly intertwined with state interests, understanding the operational tactics of the most active groups provides insight into modern cyber conflict. In a new threat briefing, “The Rise of State-Sponsored Hacktivism”, we analyze 780 hacktivist attacks in 2024 claimed by four groups operating on opposing sides of the Russia-Ukraine and Israel-Palestine conflicts: BlackJack, Handala Group, Indian Cyber Force, and NoName057(16).

Background

At the end of 2022, Forescout Research – Vedere Labs began reporting on hacktivist groups aligning with nation-state interests in geopolitical conflicts. These groups expanded their tactics, techniques and procedures (TTPs) beyond traditional website defacements and distributed-denial-of-service (DDoS) attacks to more sophisticated methods, including data leaks and disruption of cyber-physical systems within critical infrastructure.

Two years later, this trend has further evolved with state-sponsored actors increasingly adopting hacktivist personas to conduct cyberattacks. This shift may be driven by several strategic factors, such as enhanced campaign visibility and plausible deniability for the perpetrators.

Critical infrastructure organizations remain disproportionately targeted by hacktivists. Between November 2023 and April 2024, at least 36 attacks targeted U.S. operational technology (OT) and industrial control systems (ICS). Most of these attacks focused on water utilities, though other sectors such as healthcare, energy and manufacturing were also affected. Notable examples include CyberAv3ngers, believed to be affiliated with the Iranian military, and the Cyber Army of Russia, linked to Sandworm, a unit of the Russian GRU, launching attacks against U.S. water and wastewater facilities.

Key Findings

To examine the dynamics, we analyzed the activities of four highly active and influential hacktivist groups from January until October 2024. These groups, listed alphabetically, represent different geopolitical alignments and operational tactics:

  • BlackJack, a Ukrainian group active since October 2023, is known for targeting Russian companies and critical infrastructure. Their activities primarily involve breaching databases, exfiltrating sensitive information, publishing stolen data and, in some cases, wiping records entirely. Unlike other groups, BlackJack maintains a relatively low-profile presence on Telegram, where they occasionally claim responsibility for their attacks. The group is believed to have affiliations with Ukrainian intelligence services.
  • Handala Group, an Iranian group that emerged in December 2023, specializes in a wide range of cyber operations, including phishing, ransomware, website defacement, data theft, and extortion. Their attacks predominantly target Israeli organizations, aligning with their strongly pro-Palestine stance. Handala Group actively publicizes its operations through a dedicated Telegram channel and an official website, leveraging these platforms to claim responsibility and amplify its messaging.
  • Indian Cyber Force, an Indian hacktivist group active since December 2022, focuses on cyberattacks against critical infrastructure in nations that oppose its pro-India and pro-Israel viewpoints. The group engages in aggressive online activity, frequently using social media platforms like X and Telegram to claim responsibility for its attacks and interact with its followers.
  • NoName057(16), a Russian hacktivist group active since March 2022, is best known for its large-scale DDoS attacks against organizations in Ukraine and nations that support Ukraine. This group maintains the most active Telegram presence among the four, posting multiple daily updates about its attacks. By consistently tracking and promoting its operations online, NoName057(16) has positioned itself as one of the most visible and persistent hacktivist entities in the ongoing cyber conflict.

We monitored the Telegram channels, X accounts and other media outlets of each group and collected a set of 780 claimed attacks. NoName057(16) was by far the most active group, with 704 (90%) of the attacks.

These groups focused their attacks on three types of assets:

  • Websites (91% of attacks)
    • 89% of attacks involved DDoS, taking websites offline
    • 2% of attacks resulted in website defacement.
  • Data (7% of attacks)
    • 7% of attacks led to data theft or leakage
    • Around 1% of attacks involved data being wiped.
  • Other assets, such as routers and IoT devices (2% of attacks)
    • Methods included malware installation, data encryption on devices, tampering with device configurations and forced shutdowns.

The figure below shows the most popular target countries for these attacks:

  • 82% of attacks targeted Europe, while 18% focused on Asia (including the Middle East). Less than 1% of attacks were directed at the Americas. This distribution aligns with the strategic objectives of the hacktivist groups, as those aligned with Russia primarily target European countries supporting Ukraine, while groups aligned with Palestine focus on Israeli entities, among other region-specific patterns.
  • In total, 40 countries were attacked. The most targeted nations were Ukraine (141 attacks), Israel (80 attacks) and Spain (64 attacks).

The top three targeted industries accounted for over 75% of all incidents.

  • 44% of targeted entities were governmental organizations, including military services.
  • 21% of attacks focused on the transportation and logistics sector, with key targets including ports, airports, roads, railways and urban transportation systems.
  • 13% of attacks targeted financial services companies, disrupting banking, payment systems, and other financial infrastructure.
  • All of the top five industries targeted are critical infrastructure sectors.

The concentration of attacks on critical infrastructure sectors highlights how hacktivist campaigns are not merely symbolic but strategically designed to disrupt essential services, erode public trust, and apply geopolitical pressure.

Go deeper: Hear directly from our experts on hacktivism in this upcoming webinar.


Conclusion and Recommended Mitigations

The ongoing conflicts in Europe and the Middle East have fueled the rise of hacktivist groups with direct or indirect ties to state actors. The U.S. Homeland Threat Assessment 2025 predicts that “criminal hacktivists sympathetic to Russia will continue to carry out disruptive cyber attacks against poorly protected Western critical infrastructure to weaken US resolve in supporting Ukraine.”

We agree with this assessment and extend it with the following expectations for 2025:

  • DDoS will remain the primary attack method. DDoS attacks are the easiest to execute, especially with tools like NoName057(16)’s DDoSia, which can be quickly downloaded and deployed by supporters. This accessibility ensures that DDoS remains the go-to tactic for hacktivist groups.
  • Attacks on IoT and OT systems will increase. While DDoS attacks gain visibility, attacks directly targeting IoT and OT devices – such as BlackJack’s Fuxnet malware – attract even more attention due to their potential for cyber-physical disruption. As these attacks grow more frequent, technical knowledge about OT vulnerabilities will continue spreading among hacktivist groups, a trend we previously documented when hacking guides for Unitronics PLCs circulated on Telegram channels.
  • Critical infrastructure will remain the primary target. Our 2024 threat roundup identified critical infrastructure sectors as the top target of cyberattacks, and that trend holds for hacktivist campaigns as well. Hacktivists focus on industries that have an immediate impact on daily life, such as financial services and government entities. While DDoS and data exfiltration will dominate attacks on financial services and government entities, IoT and OT exploitation will be the preferred method for disrupting sectors heavily reliant on connected devices, as seen in ongoing attacks against water utilities.
  • Hacktivists will prioritize active conflict zones. The highest volume of attacks has targeted countries in active conflict (e.g. Ukraine and Israel) or nations openly supporting them (e.g. the U.S. and European allies). As conflicts evolve, hacktivist groups will adjust their targeting based on geopolitical shifts, such as ceasefires, peace deals, or the escalation of other tensions into full-scale wars.
  • More governments will adopt hacktivist personas. Russia, Ukraine, Iran, and Israel have already leveraged hacktivist fronts for cyber operations. As new conflicts emerge, more states are expected to deploy hacktivist proxies, or expand support for ideologically aligned groups, to carry out cyberattacks, with plausible deniability.
  • Hacktivist groups and identities will shift over time. While hacktivist groups thrive on notoriety, high visibility also attracts the attention of other governments and law enforcement, leading to sanctions, indictments, or countermeasures. Like ransomware gangs, which frequently rebrand or fragment to avoid legal consequences, hacktivist organizations are likely to adopt similar tactics – splitting into smaller factions or re-emerging under new identities to continue operations.

To counter current and future hacktivist threats, organizations should implement the following security measures:

  • Follow the NCSC-UK’s guide on Denial of Service attacks, which includes:
    • Identifying weak points in your service infrastructure
    • Ensuring that service providers can handle resource exhaustion scenarios
    • Scaling the service to withstand concurrent attack traffic
    • Developing a response plan and conducting regular stress testing.
  • Harden IoT and OT security
    • Identify and patch vulnerabilities in IoT/OT devices
    • Change default or easily guessable passwords on all IoT/OT systems.
    • Avoid exposing IoT/OT devices directly to the internet – instead follow CISA’s best practices for providing remote access for industrial control systems.
  • Strengthen network segmentation
    • Isolate IT, IoT, and OT networks to prevent lateral movement in case of a breach.
  • Enhance monitoring and threat detection
    • Continuously monitor IoT/OT network traffic to detect anomalies and identify devices being co-opted into botnets or DDoS campaigns.
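As an added example of the monitoring step in the last bullet (this is not Forescout's code or tooling), the Python script below runs a simple DDoS-participation check over flow records. It is self-contained: the flow set is constructed inline (a Modbus PLC, a telemetry gateway, one camera fanning out tiny packets to many external hosts, and one device flooding a single external web server), the internal address ranges in `INTERNAL_NETS` are assumed, and the three thresholds are illustrative values that would need tuning against a real baseline. A device is reported when it shows high flow rate or unusual external fan-out; an abnormally small average packet size is recorded as a corroborating indicator.

```python
"""Flag IoT/OT devices whose outbound flow pattern looks like DDoS participation.

Added example, not Forescout code. Flow records are constructed; thresholds and
the internal address ranges are assumptions to be tuned for a real network.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumption: the organisation's own address space; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record: timestamp, source, destination, port, counters."""
    ts: datetime
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int


def is_external(ip: str) -> bool:
    """True when the address lies outside every configured internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_flows() -> list[Flow]:
    """Constructed sample data: two well-behaved OT devices and two co-opted ones."""
    base = datetime(2024, 9, 1, 10, 0, tzinfo=timezone.utc)
    flows = []
    # PLC 10.20.5.17 polling its HMI over Modbus/TCP every 5 s (internal only)
    for i in range(12):
        flows.append(Flow(base + timedelta(seconds=5 * i), "10.20.5.17", "10.20.1.2", 502, 12, 960))
    # Sensor gateway 10.20.5.44 uploading telemetry to one cloud endpoint every 10 s
    for i in range(6):
        flows.append(Flow(base + timedelta(seconds=10 * i), "10.20.5.44", "198.51.100.7", 443, 20, 2200))
    # Camera 10.20.5.91 co-opted into a flood: 1-packet, 40-byte flows to 120 distinct external hosts
    for i in range(120):
        flows.append(Flow(base + timedelta(milliseconds=250 * i), "10.20.5.91",
                          f"203.0.113.{i + 1}", 443, 1, 40))
    # Device 10.20.5.92 hammering a single external web server (the typical website-DDoS case)
    for i in range(200):
        flows.append(Flow(base + timedelta(milliseconds=100 * i), "10.20.5.92",
                          "203.0.113.250", 80, 1, 40))
    return flows


def find_ddos_suspects(flows, max_external_dsts=20, max_flows_per_min=100, min_avg_bytes_per_pkt=60):
    """Return {src_ip: [reasons]} for devices matching DDoS indicators.

    Indicators, computed per source over the observed span:
      fan_out      - talks to an unusually large number of distinct external hosts
      high_rate    - emits flows far faster than an OT/IoT device normally does
      tiny_packets - average bytes per packet too small to carry real data (corroborating only)
    A device is reported only when fan_out or high_rate fires.
    """
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)

    suspects = {}
    for src, fl in per_src.items():
        ext_dsts = {f.dst for f in fl if is_external(f.dst)}
        span_s = (max(f.ts for f in fl) - min(f.ts for f in fl)).total_seconds()
        # Normalise to flows per minute; assume at least one minute of observation so a
        # handful of flows in a short burst is not extrapolated into an alarm.
        flows_per_min = len(fl) * 60.0 / max(span_s, 60.0)
        packets = sum(f.packets for f in fl)
        avg_bytes = sum(f.nbytes for f in fl) / packets if packets else 0.0

        reasons = []
        if len(ext_dsts) > max_external_dsts:
            reasons.append(f"fan_out: {len(ext_dsts)} distinct external destinations")
        if flows_per_min > max_flows_per_min:
            reasons.append(f"high_rate: {flows_per_min:.0f} flows/min")
        if reasons and avg_bytes < min_avg_bytes_per_pkt:
            reasons.append(f"tiny_packets: {avg_bytes:.0f} bytes/packet average")
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    for src, reasons in sorted(find_ddos_suspects(build_sample_flows()).items()):
        print(src)
        for r in reasons:
            print("   ", r)
```

In practice the flow records would come from a collector (NetFlow/IPFIX, a span port, or a passive OT monitoring sensor) and the thresholds from a learned per-device baseline, which matters for OT assets because their normal traffic is highly regular and even a modest deviation is meaningful. The single-target case (10.20.5.92) is the one to watch most closely, since it matches the website DDoS that makes up 89% of the attacks in this dataset and shows no fan-out at all.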
