Cyble warns hacktivists shift tactics, targeting critical infrastructure

New data from Cyble reveals that hacktivists are escalating their campaigns against critical infrastructure, moving beyond basic DDoS (distributed denial of service) and defacement tactics to more advanced intrusions and data breaches. In the second quarter of this year, ICS (industrial control system) attacks, data leaks, and access-based intrusions made up 31 percent of hacktivist activity, marking a rise of 29 percent in the first quarter. ​​Notably, Russia-linked groups lead hacktivist ICS attacks.

“Since the emergence of Russia-linked Z-Pentest last year, ICS attacks have become increasingly part of hacktivists’ arsenal. This shift from surface-level disruption to infrastructure-level interference suggests growing strategic intent and technical capability within the hacktivist ecosystem,” Cyble disclosed in its blog post. “Z-Pentest has become the leading hacktivist group targeting critical infrastructure, with 38 ICS attacks in the second quarter of 2025 – up more than 150% from the 15 ICS attacks that Cyble attributed to the group in the first quarter.” 

It added that Z-Pentest’s consistent energy infrastructure targeting across multiple European countries reflects a structured and sustained campaign approach. A frequent Z-Pentest tactic is to post screen recordings of members tampering with ICS controls to amplify the psychological impact of the attacks. 

Read more at Industrial Cyber