In recent years, the cybersecurity landscape has experienced a significant shift as hacktivist groups increasingly target Industrial Control Systems (ICS), moving beyond traditional methods like Distributed Denial-of-Service (DDoS) attacks and website defacements. This evolution poses a substantial threat to national security and economic stability, as these systems are integral to critical infrastructure.
Rising Incidence of ICS Attacks
Data from the second quarter of 2025 indicates that attacks on ICS, data breaches, and access-based intrusions now constitute 31% of all hacktivist activities, up from 29% in the previous quarter. This trend underscores a growing focus on disrupting essential services and highlights the enhanced technical capabilities within the hacktivist community.
Prominent Hacktivist Groups and Their Tactics
Z-Pentest
Emerging as a leading threat actor, the Russia-linked group Z-Pentest has significantly increased its activities, executing 38 ICS attacks in Q2 2025—a 150% rise from 15 attacks in the first quarter. Their operations predominantly target energy infrastructure across multiple European nations, indicating a coordinated strategy aimed at maximizing both psychological and operational impact. A notable tactic employed by Z-Pentest involves recording and publishing screen captures of their manipulations within ICS environments, thereby amplifying the psychological effect of their attacks. ([cyble.com](https://cyble.com/blog/hacktivists-attacks-on-critical-infrastructure/?utm_source=openai))
Dark Engine
Operating under the alias Infrastructure Destruction Squad, Dark Engine has conducted 26 ICS-targeted incidents in the second quarter, with a significant surge in June. Their recent compromise of a Human-Machine Interface (HMI)/Supervisory Control and Data Acquisition (SCADA) system controlling a high-temperature furnace in Vietnamese industrial operations exemplifies the sophisticated nature of their attacks. Dark Engine’s focus on exploiting HMI and SCADA systems in sectors such as metallurgy, ceramics, cement, and food processing indicates a deep understanding of industrial control protocols and advanced reconnaissance capabilities. ([cybersecuritynews.com](https://cybersecuritynews.com/hacktivist-groups-attacks-on-critical-ics-systems/?utm_source=openai))
CyberArmyofRussia_Reborn
This pro-Russia hacktivist group has been active since 2023 and is believed to act as a proxy for state actors like APT28 and Sandworm. In January 2024, they posted a video showing the manipulation of water tanks in confirmed attacks on two water authorities in Texas. By exploiting known vulnerabilities in Virtual Network Computing (VNC) technology, they accessed HMI systems and altered setpoints regulating water tank pressure. Subsequent claims of attacks across the United States, Poland, and France suggest a broader strategy to disrupt services and gather intelligence. ([dragos.com](https://www.dragos.com/blog/hacktivist-tactics-targeting-operational-technology/?utm_source=openai))
SiegedSec
Formed in early 2022, SiegedSec, self-described as the Gay Furry Hackers, committed several high-profile cyber attacks, including breaches of NATO, Idaho National Laboratory, and Real America’s Voice. On July 10, 2024, after attacking The Heritage Foundation, the group announced its disbandment to avoid closer scrutiny. ([en.wikipedia.org](https://en.wikipedia.org/wiki/SiegedSec?utm_source=openai))
Advanced Malware and Ransomware Deployment
Hacktivist groups are increasingly deploying sophisticated malware and ransomware to disrupt critical infrastructure. For instance, the group GhostSec has claimed successful compromises of over 100 Modbus programmable logic controller devices, 40 Aegis 2 water control systems, and 8 Unitronics devices across Israeli critical infrastructure. Their malware arsenal includes custom-developed tools such as GhostLocker ransomware, GhostStealer data exfiltration framework, and the IOControl embedded Linux backdoor with integrated wiper capabilities. ([cybernoz.com](https://cybernoz.com/hacktivist-group-claimed-attacks-across-20-critical-sectors-following-iran-israel-conflict/?utm_source=openai))
Geopolitical Implications and Targeted Sectors
The escalation in ICS attacks is closely tied to geopolitical tensions. Pro-Russian hacktivist collectives have predominantly targeted NATO-aligned states and nations supporting Ukraine, focusing on critical infrastructure assets. The energy and utilities sector has emerged as the primary focus, highlighting a strategic emphasis on infrastructure tied to national resilience. Additional targeting has been observed in the manufacturing, transportation, and telecommunications sectors, including attempts to compromise control systems within national networks. ([cyble.com](https://cyble.com/blog/hacktivists-attacks-on-critical-infrastructure/?utm_source=openai))
Recommendations for Mitigating Risks
Given the increasing sophistication and frequency of these attacks, organizations operating critical infrastructure should prioritize cybersecurity measures, including:
– Comprehensive Security Assessments: Conduct thorough reviews and threat modeling of external attack surfaces to identify vulnerabilities.
– Vendor Access Management: Evaluate and secure how vendors access systems for maintenance to prevent unauthorized entry points.
– Network Segmentation: Implement air-gapping or robust segmentation of critical systems to reduce the likelihood of a compromise.
– Patch Management: Regularly update and patch ICS and SCADA systems to address known vulnerabilities.
– Incident Response Planning: Develop and regularly test incident response plans to ensure swift action in the event of a breach.
By adopting these measures, organizations can enhance their resilience against the evolving threat landscape posed by hacktivist groups targeting critical infrastructure.
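An added example (not taken from the cited reports) for the attack-surface and segmentation recommendations above: it audits a firewall ruleset for allow rules that let non-internal sources reach the control network on the default TCP ports of services named in this article (VNC, Modbus, Unitronics). The rule schema, address ranges and sample rules are constructed for illustration.

```python
import ipaddress

# Default TCP ports of the services the article names as entry points.
ICS_PORTS = {
    "Modbus/TCP": range(502, 503),
    "VNC (RFB)": range(5900, 5910),          # 5900 + display number
    "Unitronics PCOM": range(20256, 20257),
}
# Assumed site layout: RFC 1918 space is internal, 10.20.0.0/24 is the OT zone.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_ZONE = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample ruleset (hypothetical schema, documentation addresses).
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.15", "ports": "5900-5901"},
    {"id": 2, "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.0.0/24", "ports": "502"},
    {"id": 3, "action": "allow", "src": "203.0.113.40/32", "dst": "10.20.0.30", "ports": "20256"},
    {"id": 4, "action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "ports": "1-65535"},
    {"id": 5, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "ports": "443"},
]

def parse_ports(spec):
    """Turn '502' or '5900-5901' into a range covering those ports."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def is_external(cidr):
    """A source is external unless it lies entirely inside internal space."""
    src = ipaddress.ip_network(cidr, strict=False)
    return not any(src.subnet_of(net) for net in INTERNAL)

def audit(rules, ot_zone=OT_ZONE):
    """Return (rule id, service, source) for each externally reachable ICS port.

    Flags every matching allow rule; rule order and shadowing are not modeled.
    """
    findings = []
    for rule in rules:
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if rule["action"] != "allow" or not dst.overlaps(ot_zone):
            continue
        if not is_external(rule["src"]):
            continue
        allowed = parse_ports(rule["ports"])
        for service, ports in ICS_PORTS.items():
            if max(allowed.start, ports.start) < min(allowed.stop, ports.stop):
                findings.append((rule["id"], service, rule["src"]))
    return findings

if __name__ == "__main__":
    for rule_id, service, src in audit(RULES):
        print(f"rule {rule_id}: {service} reachable from {src}")
```

Each finding is a rule to replace with brokered access such as a VPN or jump host; because the check ignores rule precedence, results still need review against the device's actual evaluation order.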