---
name: hacktivism
description: Use when the user asks about hacktivist activity (Killnet, NoName057(16), IT Army of Ukraine, Anonymous Sudan, RipperSec, CARR, etc.), DDoS-claiming groups, politically-motivated cyber operations, or wartime cyber-ops chatter. Self-updating knowledge cell.
user-invocable: true
metadata:
  category: knowledge-cell
  created: 2026-04-05
  last_updated: 2026-04-05
  update_count: 0
  confidence: moderate
---
# Hacktivism

## Executive Summary
The hacktivist landscape has been fundamentally reshaped since Russia's invasion of Ukraine in February 2022, triggering an unprecedented surge in politically and geopolitically motivated cyber operations. The conflict spawned dozens of pro-Russian and pro-Ukrainian hacktivist groups conducting DDoS attacks, website defacements, data leaks, and in some cases more destructive operations against perceived adversary nations. The most significant development is the blurring of lines between genuine grassroots hacktivism and state-directed or state-aligned operations that use hacktivist branding as cover for intelligence service activities. Groups like KillNet, NoName057(16), and Anonymous Sudan have operated with varying degrees of suspected state alignment, complicating attribution and threat assessment.
The Israel-Hamas conflict beginning in October 2023 opened a second major front for hacktivist activity, with pro-Palestinian and pro-Israeli groups conducting operations against each other and their perceived supporters. Groups targeting Israel and allied nations included pre-existing pro-Russian groups (demonstrating geopolitical alignment patterns), dedicated pro-Palestinian groups, and Iranian-aligned hacktivist personas. The convergence of pro-Russian and pro-Palestinian hacktivist activities reflects broader geopolitical alignment patterns and suggests coordination or at minimum shared infrastructure among some groups.
Despite the volume of hacktivist activity, the actual impact of most operations remains limited. DDoS attacks — the dominant hacktivist tactic — cause temporary service disruptions but rarely inflict lasting damage. Website defacements are symbolic. However, some groups have escalated to more consequential operations: targeting operational technology (OT) and industrial control systems (ICS), leaking sensitive databases, and conducting wiper attacks. Anonymous Sudan (identified by researchers as likely two Sudanese nationals, though with suspected state connections) demonstrated that even a small group could conduct DDoS attacks disruptive enough to temporarily impact major services including Microsoft, Cloudflare, and multiple US hospitals. The group's members were indicted by the US DOJ in October 2024.
## Key Actors
| Group | Alignment | Primary TTPs | Status |
|---|---|---|---|
| KillNet | Pro-Russia | DDoS, propaganda; claimed attacks on NATO countries | Fragmented/Rebranded |
| NoName057(16) | Pro-Russia | DDoS via DDoSia tool (crowdsourced); targets NATO government sites | Active |
| Anonymous Sudan (Storm-1359) | Claimed pro-Sudan; suspected state ties | Layer 7 DDoS; targeted Microsoft, Cloudflare, US hospitals | Disrupted (Oct 2024 indictment) |
| IT Army of Ukraine | Pro-Ukraine | Crowdsourced DDoS; Telegram-coordinated attacks on Russian infrastructure | Active |
| CyberArmyofRussia_Reborn | Pro-Russia; suspected GRU links | DDoS; claimed OT/ICS targeting (US water systems) | Active |
| People's Cyber Army | Pro-Russia | DDoS; emerged during Ukraine conflict | Active |
| SiegedSec | Hacktivist (anti-government) | Data leaks; targeted NATO, US states over political issues | Disbanded (claimed) |
| GhostSec | Originally Anonymous offshoot; now unclear alignment | Varied targets; has cooperated with ransomware groups | Active (reduced) |
| Cyber Av3ngers | Pro-Iran; linked to IRGC | Targeted ICS/SCADA; Unitronics PLC attacks on water systems | Active |
| Various pro-Palestine groups | Pro-Palestine | DDoS, defacements, data leaks against Israel and allies | Active |
## Current Activity

### Pro-Russian DDoS Campaigns Continue (2024-2025)
NoName057(16) remains the most active pro-Russian hacktivist group, conducting near-daily DDoS attacks against government websites in NATO and EU countries, particularly those providing military aid to Ukraine. The group operates the DDoSia project — a crowdsourced DDoS tool where volunteers download software that participates in coordinated attacks, with cryptocurrency rewards for participants. Targets rotate based on geopolitical events (arms shipments, diplomatic statements, elections). While individual attacks are typically brief and cause minimal lasting impact, the sustained operational tempo generates media coverage and contributes to information warfare objectives.
### Hacktivist-ICS Targeting Escalation
Multiple groups have claimed attacks on industrial control systems, with varying degrees of credibility. CyberArmyofRussia_Reborn claimed to manipulate water system controls in US and European facilities, with some incidents confirmed by authorities (though impacts were minimal). Cyber Av3ngers (IRGC-linked) conducted confirmed attacks against Unitronics PLCs in US water facilities in late 2023, exploiting default passwords. While most hacktivist ICS claims are exaggerated, the trend represents an escalation beyond traditional DDoS and defacement.
### Israel-Hamas Conflict Cyber Dimension (2023-2025)
The October 2023 conflict triggered extensive hacktivist activity. Pro-Palestinian groups launched DDoS campaigns against Israeli government sites, financial institutions, and media outlets. Pro-Israeli groups conducted counter-operations. Iranian-aligned hacktivist personas (Cyber Av3ngers, Homeland Justice) conducted more sophisticated operations. Notably, pro-Russian groups (KillNet, Anonymous Sudan) aligned with pro-Palestinian operations, demonstrating the geopolitical alliance structure underlying hacktivist ecosystems. Data leak operations targeted organizations in Israel and allied countries.
## Historical Events
| Date | Event | Impact |
|---|---|---|
| Feb 2022 | Ukraine invasion sparks hacktivist surge | Dozens of new groups formed on both sides; IT Army of Ukraine launched via Telegram |
| 2022 | KillNet DDoS campaigns against NATO | Targeted government sites in US, Europe; caused brief disruptions; high media profile |
| 2022-2023 | Anonymous Sudan emerges | Launched major DDoS attacks on Microsoft, Cloudflare, X; disrupted US hospital services |
| Jun 2023 | SiegedSec leaks NATO data | Claimed theft of unclassified NATO documents; later targeted US state governments |
| Oct 2023 | Israel-Hamas conflict triggers cyber operations | Wave of hacktivist activity from pro-Palestinian, pro-Israeli, and aligned groups |
| Nov 2023 | Cyber Av3ngers target US water Unitronics PLCs | IRGC-linked group exploited default passwords on internet-exposed PLCs |
| Jan 2024 | CyberArmyofRussia_Reborn claims US water attacks | Claimed manipulation of water system controls in Texas; partially confirmed |
| Mar 2024 | Anonymous Sudan DDoS impacts multiple sectors | Major DDoS campaigns disrupted government and healthcare services |
| Oct 2024 | Anonymous Sudan members indicted | US DOJ charged two Sudanese nationals; infrastructure seized |
| 2024 | NoName057(16) sustained campaign tempo | Continued near-daily DDoS against European targets aligned with Ukraine support |
## TTP Evolution

**DDoS Capabilities:** Hacktivist DDoS has evolved from basic volumetric attacks using off-the-shelf tools (LOIC, HOIC) to sophisticated Layer 7 application-layer attacks using commercial stresser services, botnets, and custom tools. Anonymous Sudan utilized cloud infrastructure and SaaS DDoS platforms to generate attacks exceeding 1 Tbps. NoName057(16)'s DDoSia represents a gamified crowdsourcing model. Some groups rent or operate botnets for sustained campaigns.

**From DDoS to Data:** More capable groups have moved beyond DDoS to data exfiltration and publication. SiegedSec specialized in data leaks targeting organizations based on political stance. Some pro-Russian groups have leaked data from Ukrainian organizations. The transition from "disruption" to "exposure" hacktivism increases potential impact and intelligence value.

**ICS/OT Targeting:** The claimed (and occasionally confirmed) targeting of industrial control systems represents a significant escalation. While most confirmed incidents involved exploitation of internet-exposed devices with default credentials rather than sophisticated ICS-specific attacks, the intent signals an evolution. Cyber Av3ngers specifically targeted Unitronics Vision PLC devices. CyberArmyofRussia_Reborn claimed HMI access to water systems.

**State-Aligned Operations:** The most significant TTP evolution is the use of hacktivist branding as a facade for state-directed operations. This provides plausible deniability, enables more aggressive operations without direct attribution to intelligence services, and leverages volunteer participants as unwitting proxies. The GRU's use of hacktivist personas (linked to Sandworm) represents the most sophisticated version of this approach.

**Ransomware Crossover:** Some hacktivist groups have adopted ransomware or wiper tactics. GhostSec partnered with Stormous ransomware. Groups have deployed wipers against Ukrainian targets under hacktivist banners. This convergence of hacktivist motivation with criminal tooling blurs traditional categorization.
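The two DDoS patterns described above look different in a web server's access log: a stresser or single scripted client shows as one source exceeding any sane per-IP rate, while a crowdsourced DDoSia-style flood shows as many distinct sources, each at a modest rate, all converging on one URL. The detection logic below is an added defender-side example for this knowledge cell, not tooling from any group or vendor named on the page. The access-log lines are constructed (Combined Log Format, documentation IP ranges) and the thresholds (`max_requests`, `min_sources`, `path_share`) are assumptions that must be tuned against a site's real baseline.

```python
"""Detect Layer 7 (HTTP) floods in web server access logs.

Added example for this knowledge cell; it is not tooling from any group or
vendor named on the page. The log lines are constructed in Combined Log Format
and the thresholds are assumptions to be tuned against a real baseline.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def noisy_sources(events, window=timedelta(seconds=10), max_requests=25):
    """Single-origin floods: IPs exceeding max_requests inside any sliding window.

    Returns {ip: peak request count observed within one window}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def distributed_bursts(events, window_s=10, min_requests=100, min_sources=40, path_share=0.8):
    """Crowdsourced floods: fixed windows where many distinct IPs, each at a low
    rate, concentrate on a single path. Returns one finding per such window."""
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp()) // window_s].append(e)
    findings = []
    for key in sorted(buckets):
        evs = buckets[key]
        if len(evs) < min_requests:
            continue
        top_path, top_n = Counter(e["path"] for e in evs).most_common(1)[0]
        sources = {e["ip"] for e in evs}
        if len(sources) >= min_sources and top_n / len(evs) >= path_share:
            findings.append({
                "window_start": datetime.fromtimestamp(key * window_s, tz=timezone.utc),
                "requests": len(evs), "sources": len(sources), "path": top_path,
            })
    return findings


# ---- constructed sample log (not real traffic) ----
BASE = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def _fmt(ip, ts, path, status=200, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    lines = []
    # Baseline: five ordinary clients, one request every 7 s over ~2 minutes, mixed paths
    paths = ["/", "/news", "/contact", "/about", "/static/app.js"]
    for i in range(5):
        for k in range(17):
            lines.append(_fmt(f"198.51.100.{i + 1}", BASE + timedelta(seconds=7 * k + i), paths[(i + k) % 5]))
    # Single-origin flood: one scripted client, 40 requests to /login in under 4 s
    for k in range(40):
        lines.append(_fmt("203.0.113.7", BASE + timedelta(seconds=30, milliseconds=100 * k),
                          "/login", 503, "python-requests/2.31"))
    # Distributed flood: 60 distinct sources, only two requests each, all on one path
    for i in range(60):
        for k in range(2):
            lines.append(_fmt(f"192.0.2.{i + 1}", BASE + timedelta(seconds=70 + (i % 5) + 3 * k),
                              "/api/search?q=x", 503))
    return lines


def analyze(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"noisy_ips": noisy_sources(events), "bursts": distributed_bursts(events)}


if __name__ == "__main__":
    for name, value in analyze(build_sample_log()).items():
        print(name, value)
```

On the constructed log the per-IP detector flags only the scripted client (the 60 crowdsourced sources never exceed two requests each), while the window detector flags the 10-second window in which 65 sources sent 128 requests with 94% of them on one path. That split is the point: per-source rate limiting alone misses the DDoSia model, so a defender also needs a per-window view of source count and path concentration, and the two findings together feed the "actual impact" question raised under Intelligence Gaps below.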
## Ecosystem & Infrastructure Patterns

**Telegram as Command-and-Control:** Telegram is the primary coordination platform for modern hacktivism. Groups use channels for target announcements, attack coordination, proof-of-impact screenshots, and recruiting. The platform's permissive moderation and encryption features make it the preferred infrastructure for both genuine and state-aligned hacktivist operations.
**Geopolitical Alignment Clustering:** The hacktivist landscape clusters along geopolitical lines. Pro-Russia groups (KillNet, NoName057(16), CyberArmyofRussia_Reborn, People's Cyber Army), pro-Iran groups (Cyber Av3ngers, Homeland Justice), and some pro-Palestine groups form one axis; pro-Ukraine groups (IT Army of Ukraine, various others) and pro-Israel groups form another. These alignments mirror state-level geopolitical alliances and suggest coordination or shared direction.
**Crowdsourcing Models:** NoName057(16)'s DDoSia and Ukraine's IT Army both use crowdsourcing — distributing target lists and tools to volunteers via Telegram, enabling large-scale operations without centralized infrastructure. DDoSia incentivizes participation with cryptocurrency payments, creating a paid volunteer model.

**Attribution Challenges:** Distinguishing genuine grassroots hacktivism from state-directed operations is extremely difficult. Indicators of state alignment include: operational sophistication exceeding stated capability, targeting aligned precisely with state foreign policy objectives, infrastructure overlapping with known state actors, and operational security inconsistent with volunteer groups.
## Tooling
| Tool | Category | Usage |
|---|---|---|
| DDoSia | Crowdsourced DDoS | NoName057(16)'s custom volunteer DDoS tool with crypto incentives |
| IT Army tools | Crowdsourced DDoS | Various tools distributed by Ukraine's IT Army for volunteer attacks |
| MHDDoS | DDoS Tool | Multi-vector DDoS tool popular in hacktivist communities |
| Stresser/Booter services | DDoS-for-hire | Commercial DDoS services used by less technical groups |
| Telegram | C2/Coordination | Primary platform for coordination, targeting, and proof-of-attack |
| Web vulnerability scanners | Reconnaissance | Automated scanning for defacement and data exfiltration targets |
| SQLMap | Data Theft | SQL injection tool for database exfiltration |
| Wiper malware (various) | Destruction | Used by state-aligned groups under hacktivist cover |
| Leaked credentials | Account Takeover | Used for accessing and defacing websites or leaking data |
| Cloud DDoS platforms | Infrastructure | Rented cloud infrastructure for generating attack traffic |
## Intelligence Gaps
- State direction vs. alignment: Determining whether specific hacktivist groups receive direct tasking from intelligence services, passive encouragement, or simply share ideological alignment remains the central attribution challenge. The spectrum from genuine volunteer to fully directed asset is poorly mapped for most groups.
- Actual DDoS impact: Most hacktivist groups self-report their impact through screenshots of error pages or downtime monitors. Independent verification of attack duration and actual disruption to operations (vs. brief outages) is rarely available.
- ICS/OT claims verification: Many hacktivist ICS claims are exaggerated or fabricated. Independently verifying which claims represent genuine compromises (vs. screenshots of internet-exposed HMIs with no actual control) is essential but difficult.
- Financial flows: How state-aligned hacktivist operations are funded — whether through state subsidies, cryptocurrency crowdfunding, or self-funding through cybercrime — is not well-understood for most groups.
- Post-conflict persistence: Whether hacktivist groups spawned by the Ukraine and Israel-Hamas conflicts will persist as standing capabilities or dissolve when media attention wanes is an open question.
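The "actual DDoS impact" gap above is partly closable when an analyst has independent uptime data for the claimed target. The script below is an added example for this knowledge cell, not a tool from any vendor or group named on the page: it merges runs of failed synthetic probes into downtime intervals (discarding isolated single failures as probe noise), then measures how much of a group's claimed outage window those intervals actually cover. The claim window and the probe series are constructed; in practice the probes would come from an external synthetic monitor and the claim from the group's own channel post.

```python
"""Reconcile a claimed outage with independent uptime probes.

Added example for this knowledge cell, not a tool from any vendor or group
named on the page. The claim window and probe results are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Probe:
    ts: datetime
    ok: bool  # True if the probe received a healthy HTTP response within its timeout


def downtime_intervals(probes, min_consecutive=2):
    """Merge runs of failed probes into (start, end) intervals.

    A run shorter than min_consecutive is treated as probe noise, not downtime.
    An interval ends at the first successful probe after the run, or at the
    last failed probe if the series ends while still failing.
    """
    ordered = sorted(probes, key=lambda p: p.ts)
    intervals, run = [], []
    for p in ordered:
        if not p.ok:
            run.append(p)
            continue
        if len(run) >= min_consecutive:
            intervals.append((run[0].ts, p.ts))
        run = []
    if len(run) >= min_consecutive:
        intervals.append((run[0].ts, run[-1].ts))
    return intervals


def assess_claim(claim_start, claim_end, probes, min_consecutive=2):
    """Compare observed downtime with the window a group claims to have taken a site down."""
    intervals = downtime_intervals(probes, min_consecutive)
    claimed = claim_end - claim_start
    observed = sum((end - start for start, end in intervals), timedelta())
    overlap = timedelta()
    for start, end in intervals:
        lo, hi = max(start, claim_start), min(end, claim_end)
        if hi > lo:
            overlap += hi - lo
    return {
        "intervals": intervals,
        "observed_downtime": observed,
        "overlap_with_claim": overlap,
        # fraction of the claimed window during which the site was verifiably down
        "claim_coverage": overlap / claimed if claimed > timedelta() else 0.0,
    }


# ---- constructed data (assumed claim and probe results, not real monitoring) ----
T0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
CLAIM_START, CLAIM_END = T0, T0 + timedelta(hours=1)  # claim: "site down for one hour"


def build_sample_probes():
    """One probe every 30 s for an hour: a 7-minute real outage plus one isolated timeout."""
    probes = []
    for k in range(121):
        ts = T0 + timedelta(seconds=30 * k)
        outage = T0 + timedelta(minutes=12) <= ts <= T0 + timedelta(minutes=18, seconds=30)
        blip = ts == T0 + timedelta(minutes=40)
        probes.append(Probe(ts, ok=not (outage or blip)))
    return probes


if __name__ == "__main__":
    result = assess_claim(CLAIM_START, CLAIM_END, build_sample_probes())
    for start, end in result["intervals"]:
        print(f"down {start.isoformat()} -> {end.isoformat()}")
    print(f"observed {result['observed_downtime']}, claim coverage {result['claim_coverage']:.1%}")
```

On the constructed data a claimed one-hour outage reduces to 7 minutes of verifiable downtime (about 12% of the claim), and the single failed probe at 10:40 is not counted. The `min_consecutive` threshold is the key judgement call: set too low, every transient timeout inflates the group's record; set too high, short but real disruptions of the kind described under Current Activity are discarded.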
## Sources & References
- US DOJ - "Two Sudanese Nationals Indicted for Anonymous Sudan DDoS Attacks" (October 2024) — https://www.justice.gov/
- CISA - "IRGC-Affiliated Cyber Actors Exploit PLCs" Advisory (December 2023) — https://www.cisa.gov/
- Mandiant - "Hacktivism and State-Aligned Operations Analysis" — https://www.mandiant.com/resources
- CrowdStrike - "Hacktivist Landscape Reports" — https://www.crowdstrike.com/
- Radware - "Hacktivism Unveiled" reports — https://www.radware.com/
- Flashpoint - "Pro-Russian and Pro-Ukrainian Hacktivist Tracking" — https://flashpoint.io/
- Microsoft - "Storm-1359 (Anonymous Sudan) Analysis" — https://www.microsoft.com/en-us/security/blog/
- Orange Cyberdefense - "Cy-Xplorer Reports on Hacktivism" — https://www.orangecyberdefense.com/
## Change Log
| Date | Change | Source |
|---|---|---|
| 2026-04-05 | Initial creation with baseline intelligence through early 2025 | Training knowledge |