Introduction

When the group Vulcan—presumed to be a pro-Russian hacktivist network—attacked Berlin’s power grid, no ransom was demanded and no data was stolen. The goal was simpler: to paralyze operations and send a high-profile message (Reuters). This is the defining characteristic of hacktivism. Hacktivists are driven by ideology and politics; their primary goal is visibility and sowing uncertainty in society.

Who Are These Hacktivists—and How Do They Differ?

Most organizations have tailored their cyber defenses to a familiar threat model: a profit-driven attacker who operates quietly, wants to remain undetected, and wants something your organization possesses—data, credentials, intellectual property. Hacktivists break this mold. For them, visibility is the goal, not a risk. While conventional cybercriminals go to great lengths to remain undetected, hacktivists do the exact opposite. They publicly claim responsibility for their attacks, post evidence on social media, and time their campaigns to coincide with political events for maximum impact. There are no stealthy attacks that the public never hears about.

Source: https://www.wallstreetmojo.com/hacktivism/

When one thinks of hacktivist groups, Anonymous comes to mind first. However, many of today’s hacktivist groups have moved far beyond the loosely organized collectives of the early internet era. Generally, their motivations can be divided into four types:

  1. ideological groups that target organizations that challenge their worldview
  2. political groups that pursue specific agendas or oppose governments
  3. nationalist groups that act in the interest of a country or an ethnic identity
  4. opportunistic groups that join a cause when an opportunity arises.

In practice, these categories increasingly overlap—and that is precisely what makes the current situation so difficult to navigate. The most dangerous actors today are found at the intersection of nationalist and political motivations: state-affiliated groups—organizations that may appear independent but operate with tacit or direct state support and pursue geopolitical goals under an ideological guise. In the context of the war in Ukraine, pro-Russian groups have become the dominant force targeting European critical infrastructure—blending genuine ideology and state interests in a way that is deliberately difficult to disentangle (CISA).

These groups are increasingly collaborating across categories and forming far-reaching alliances. Ideological collectives, nationalist crews, and state-affiliated actors pool resources, share attack tools, and coordinate campaigns via Telegram channels and dark web forums. As collaboration grows, so does their capability—and with it, the scope of what they can do.

Overview Table: Relevant Hacktivism Groups

| Group | Motivation | Origin | Method | Capabilities | Primary Areas of Activity |
|---|---|---|---|---|---|
| NoName057(16) (Europol, EU-Council) | Nationalist / Political | Russia | DDoS · DDoSia botnet | Medium | DE · UA · FR · IT · SE · CH · NATO |
| CARR (CyberArmy Russia) (Wired, U.S. Treasury, CyberScoop) | Nationalist / Political | Russia (Sandworm) | OT/ICS Manipulation · HMI | High | UA · USA · PL · Western Europe · Industry |
| Z-Pentest (Cyble, Rewards for Justice, CISA) | Nationalist / Opportunistic | GRU / Sandworm | ICS/SCADA · Hack & Leak | High | UA · USA · DE · Energy Infrastructure |
| Handala Hack Team (Wikipedia, Check Point) | Nationalist / Political / State-Proxy | Iran (MOIS / Void Manticore) | Wiper · Phishing · Psy-Ops · Hack & Leak | High | Israel (Primary) · USA (Stryker) · Albania · Western Defense |
| CyberAv3ngers (CISA, Dragos) | Ideological / Political | Iran (IRGC) | PLC/HMI · ICS Supply Chain | High | Israel · USA (OT systems) |
| Anonymous Sudan (Wikipedia, Cyble, Flashpoint, Dark Reading) | Ideological / Political | None / Killnet connection | DDoS · SKYNET botnet | Medium | USA · SE · DK · global |
| Anonymous (The Verge, Wikipedia, Mysterium VPN) | Ideological | None (independent) | DDoS · Defacement · Leaks | Low | Global; authoritarian governments, Russia (since 2022) |
| Dark Engine (Cyble, Cyble, SC Media) | Nationalist / Opportunistic | Russia (suspected) | ICS/OT · Energy sector | High | Europe · USA · Ukraine |
| Sector 16 (Cyble, Cyble, SC Media) | Nationalist / Opportunistic | Russia (suspected) | ICS/OT · Physical process disruption | High | Europe · USA · CA |

The Attack Landscape: Shift Toward Industrial Systems

DDoS (Distributed Denial of Service) attacks have long been the hallmark tool of hacktivism. In a DDoS attack, thousands of compromised devices—often computers and servers that have been incorporated into a botnet without their owners’ knowledge—are directed to simultaneously flood a target with requests, thereby exceeding its capacity limits. The result: legitimate users are locked out, websites go offline, login portals become inaccessible, and operational dashboards stop responding.

Inexpensive to carry out and executable with limited technical knowledge, DDoS remains the most frequently recorded method—accounting for 77% of incident types among 4,875 publicly reported EU incidents between July 2024 and June 2025, with hacktivists responsible for the overwhelming majority (ENISA Threat Landscape 2025). However, high volumes should not be equated with high impact. Only 2% of these hacktivist DDoS incidents caused measurable service disruptions (ENISA). A flooded portal is merely an inconvenience—it recovers within hours, and the damage is largely reputational.

The more consequential shift is taking place at a deeper level. As hacktivist groups become increasingly capable through cross-group collaboration, shared tools, and close ties to state-sponsored actors, they are shifting from DDoS to far more significant targets: Industrial Control Systems (ICS)—the technology that physically controls power grids, pipelines, water treatment plants, and transportation networks. ICS attacks require deep knowledge of operational technology environments, patient reconnaissance, and a level of coordination previously attributed almost exclusively to state-sponsored actors.

A successful attack does more than just take a website offline—it can damage equipment, trigger safety failures, and cause cascading outages with real-world consequences that no reboot can undo.

The figures clearly reflect this shift. ICS and OT breaches accounted for 29% and 31% of all recorded hacktivism activities in Q1 and Q2 2025 (Cyble). Over the course of the year, Europe saw the highest concentration of ICS-related breaches worldwide. Groups such as Dark Engine and Sector 16 have driven much of this escalation—Dark Engine carried out 26 ICS-targeted incidents in Q2 2025 alone, while Sector 16 conducted 14 confirmed attacks during the same period, both primarily targeting energy and utility infrastructure (Cyble). Cyber Army of Russia Reborn (CARR) has gone even further—by directly manipulating human-machine interfaces at water utilities in the U.S. and Poland, demonstrating that physical process disruptions are no longer a theoretical risk (U.S. Treasury).

Four actors demonstrate exactly what this means; their documented attacks show that these threats are no longer merely theoretical—ranging from massive DDoS waves to targeted interventions in industrial control systems to destructive wiper operations against major Western corporations.

NoName057(16): DDoS Attacks on the Financial Sector and Critical Infrastructure

Since spring 2022, NoName057(16) has been the most active pro-Russian hacktivism group in Europe. Its tool, DDoSia, combines its own botnet (hundreds of servers) with a crowdsourcing model in which volunteers are compensated in cryptocurrency for their participation. At the time of its dismantling, the group coordinated over 4,000 active volunteer clients. German authorities recorded 14 separate waves of attacks against more than 250 institutions (Europol, July 2025).

CARR (Cyber Army of Russia Reborn): OT Attacks on Critical Infrastructure

CARR is one of the few hacktivist groups that has demonstrably caused physical damage to critical infrastructure. The U.S. Department of Justice classifies CARR as “founded, funded, and directed by the GRU” (Unit 74455 / Sandworm). In December 2025, the joint advisory CISA AA25-343A—co-signed by 23 international agencies, including those from Germany, France, Italy, and Spain—identified CARR as one of the four main groups targeting critical infrastructure worldwide.

Handala Hack Team: Iran’s Cyber Front Against Israel and the West

Handala Hack Team is one of the most destructive hacktivism groups of our time. Check Point Research (2026) classifies Handala as an online persona of the Iranian threat actor Void Manticore (Red Sandstorm, Banished Kitten), which is attributed to the Iranian MOIS. Other personas: Karma (inactive) and Homeland Justice (Albania). Since 2025, the group has relied on NetBird for traffic tunneling as well as AI-assisted PowerShell wiper scripts.

Screenshot of handala-hack.tw — PSK Wind Technologies Breach, April 2, 2026

Source: NSIDE-TI Team. ⚠ Self-reported statements cannot be independently verified. Note: We have deliberately chosen not to include images of the actual leaks shown on this page!

Iran’s Coordinated Cyber Ecosystem: PLC Attacks on U.S. Infrastructure

On April 7, 2026, the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command issued a joint advisory (CISA AA26-097A) warning of ongoing attacks by an Iran-affiliated APT group targeting internet-exposed Programmable Logic Controllers (PLCs) in U.S. critical infrastructure. The activity resembles previous operations by the CyberAv3ngers (Shahid Kaveh Group), which are attributed to the IRGC Cyber Electronic Command (CEC).

Implications for Organizations

Attack Readiness Is Unpredictable—But Opportunities Are Not

Hacktivists often time their attacks to coincide with external trigger events. Organizations familiar with relevant geopolitical events can anticipate the threat level and increase their defensive readiness accordingly.

The Escalation Threshold Has Dropped

The capability gap between DDoS-focused and ICS/OT-capable actors is narrowing. Moreover, DDoS resilience alone does not protect against the Handala model: Wiper + Hack-and-Leak + Psychological Operation.

Reputational Damage Is Part of the Attack Strategy

Incident response and crisis plans must include a communication strategy for the public sphere that is prepared in advance, not only after the incident.

Selected Sources