
Hacktivists’ attacks on Industrial Control Systems (ICS) are becoming more intense in a noticeable evolution of ideologically motivated cyber operations. They have progressed from simple Distributed Denial of Service (DDoS) attacks and website vandalism to more complex intrusions targeted at data exfiltration and disruption of operations.
According to Cyble’s Q2 2025 threat landscape assessment report, ICS-targeted attacks, combined with data breaches and access-based compromises, now constitute 31% of hacktivist activities, a rise from 29% in the previous quarter.
This uptick underscores a growing technical proficiency among threat actors, who are leveraging vulnerabilities in Operational Technology (OT) environments to tamper with Supervisory Control and Data Acquisition (SCADA) systems and Human-Machine Interfaces (HMIs), often resulting in the extraction of sensitive telemetry data, configuration files, and proprietary industrial protocols.
Such operations not only threaten national resilience but also amplify psychological warfare through publicized evidence of compromises, such as screen recordings of real-time ICS manipulations.
Escalating Threats to Critical Infrastructure
Russia-affiliated groups are at the forefront of this ICS offensive, with Z-Pentest emerging as the dominant actor, responsible for 38 incidents in Q2, a 150% surge from the 15 attacks in Q1.
Employing advanced reconnaissance and exploitation techniques, Z-Pentest has systematically targeted energy infrastructure across Europe, focusing on protocols like Modbus and DNP3 to interfere with control loops and exfiltrate operational data.
Complementing this, the nascent Dark Engine group executed 26 ICS intrusions, exhibiting a rapid operational ramp-up in June, while Sector 16 contributed 14 attacks.
These entities demonstrate coordinated efforts, sharing Indicators of Compromise (IoCs), synchronized attack timelines, and aligned geopolitical narratives that support Russian cyber objectives.
Primary sectors under siege include Energy & Utilities, where attackers exploit unpatched Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) for persistent access, alongside Manufacturing, Transportation, and Telecommunications, where national network compromises have involved lateral movement via vulnerable Industrial Internet of Things (IIoT) devices.
Geographically, Italy leads as the most targeted nation, followed by NATO allies like the United States, Czech Republic, France, and Spain, reflecting a strategic focus on disrupting allied supply chains and critical infrastructure resilience.
Emergence of Novel Actors
The hacktivist ecosystem is further enriched by emerging groups exhibiting diverse tactics and ideological alignments.
Dark Engine, self-styled as the “Infrastructure Destruction Squad,” has conducted multi-continental operations spanning the EU, Asia, and Latin America, blending access-based intrusions with data exfiltration from SCADA interfaces.

A notable incident involved unauthorized access to a Vietnamese HMI controlling high-temperature furnaces, potentially in metallurgy or food processing sectors, where attackers exfiltrated control parameters and justified the breach as retaliation against nations perceived as antagonistic to China.
Similarly, APT IRAN has honed OT-centric capabilities during the Iran-Israel conflict, targeting U.S. energy ICS with precision intrusions to siphon sensitive data amid escalating tensions.
In Southeast Asia, the Cambodian collective BL4CK CYB3R has escalated DDoS and access attacks against Thai entities in IT, government, and consumer goods sectors, coinciding with the late-May border dispute.
Geopolitical conflicts continue to fuel this surge, with flashpoints like Ukraine-Russia, Israel-Iran, India-Pakistan, Thailand-Cambodia, and Morocco-Algeria driving cross-border campaigns that also ensnare perceived allies, including heightened activity against Vietnam.
Dominant actors such as NoName057(16), Special Forces of the Electronic Army, and Keymous+ have prioritized government and law enforcement sectors, deploying botnets for sustained disruptions and credential harvesting.
In banking and finance, groups like Indian Cyber Force have exfiltrated transaction logs and user data via SQL injection and phishing vectors.
Trends reveal persistent data breaches exposing administrative credentials and internal records, often in government and education domains, while access-based attacks facilitate reconnaissance for future Advanced Persistent Threat (APT)-style operations.
Pro-Muslim collectives are innovating by integrating cyber disclosures with multimedia information operations to erode institutional trust.
Cross-regional alliances, unbound by ethnicity, target mutual adversaries like France, and experimental ransomware deployments hint at hybrid motives, though lacking verified success in encryption or extortion phases.
As hacktivists refine their OT exploitation toolkits, organizations must bolster ICS segmentation, anomaly detection, and threat intelligence to mitigate these ideologically charged intrusions.
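The report names Modbus among the protocols abused to tamper with control loops and, in the line above, anomaly detection and segmentation as the countermeasures. The following is an added example, not code from Cyble or from the article, showing one concrete form that detection can take: a small Modbus/TCP request parser and a rule that flags write or diagnostic function codes arriving from any host outside an allow-list of engineering workstations. The host addresses, the allowed-writer set and the captured frames are all constructed for the example; the function-code meanings are the public codes from the Modbus application protocol specification.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol spec).
MODBUS_READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
                     3: "Read Holding Registers", 4: "Read Input Registers"}
MODBUS_WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
                      15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src_ip: str          # taken from the TCP connection, not from the frame
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes          # PDU bytes that follow the function code


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: a 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte after offset 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusRequest(src_ip, transaction_id, unit_id, frame[7], frame[8:])


def detect_anomalies(requests, allowed_writers):
    """Flag writes from hosts outside the allowed-writer set, and any
    non-read/write function code (diagnostics, vendor-specific) from anyone."""
    findings = []
    for req in requests:
        fc = req.function_code
        if fc in MODBUS_WRITE_FUNCS and req.src_ip not in allowed_writers:
            reason = f"{MODBUS_WRITE_FUNCS[fc]} from host outside the allowed-writer set"
        elif fc not in MODBUS_READ_FUNCS and fc not in MODBUS_WRITE_FUNCS:
            reason = f"non-read/write function code {fc} (diagnostics or vendor-specific)"
        else:
            continue
        findings.append({"src_ip": req.src_ip, "transaction_id": req.transaction_id,
                         "unit_id": req.unit_id, "function_code": fc, "reason": reason})
    return findings


# Constructed sample capture (source address, raw Modbus/TCP request).
# 10.0.10.5 stands in for the site HMI; 203.0.113.7 is a constructed outside host.
SAMPLE_CAPTURE = [
    # Read Holding Registers 0..9 from the HMI: normal polling traffic.
    ("10.0.10.5", bytes.fromhex("00010000000601030000000a")),
    # Write Single Register 0x0010 = 3000 from an unexpected host.
    ("203.0.113.7", bytes.fromhex("000200000006010600100bb8")),
    # Write Multiple Registers (one register) from the HMI: allowed.
    ("10.0.10.5", bytes.fromhex("000300000009011000000001020001")),
    # Diagnostics (function 8, sub-function 1) from the unexpected host.
    ("203.0.113.7", bytes.fromhex("000400000006010800010000")),
]
ALLOWED_WRITERS = {"10.0.10.5"}   # constructed: the hosts permitted to issue writes


def analyze_sample_capture():
    """Parse the constructed capture and return the detector's findings."""
    requests = [parse_modbus_tcp(ip, frame) for ip, frame in SAMPLE_CAPTURE]
    return detect_anomalies(requests, ALLOWED_WRITERS)


if __name__ == "__main__":
    for finding in analyze_sample_capture():
        print(finding)
```

Against the constructed capture the detector reports two events: the write from 203.0.113.7 and the diagnostics request from the same host, while the HMI's read and write pass silently. In a real deployment the allow-list is the set of hosts that segmentation already permits to reach the controllers, so a hit from anywhere else is direct evidence that the segment boundary is being crossed.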