Hacktivist Groups Evolve into Sophisticated Threat Actors

Hacktivist groups are rapidly evolving beyond traditional disruptive activities into more sophisticated and destructive cyberattacks targeting critical infrastructure and deploying ransomware, according to a new report from cybersecurity firm Cyble.

The report, which analyzes hacktivist activities during the first quarter of 2025, reveals that hacktivism has "transformed into a complex instrument of hybrid warfare" with some groups now employing advanced techniques previously associated primarily with nation-state actors and financially motivated criminal organizations.

Pro-Russian hacktivist groups, including NoName057(16), Hacktivist Sandworm, Z-pentest, Sector 16, and Overflame, were identified as the most active in Q1 2025. These groups primarily targeted NATO-aligned nations and countries supporting Ukraine, with a concerning 50% surge in attacks on Industrial Control Systems (ICS) and Operational Technology (OT) in March alone.

"Hacktivism is no longer confined to fringe ideological outbursts," the Cyble report states. "It is now a decentralized cyber insurgency apparatus, capable of shaping geopolitical narratives, destabilizing critical systems, and directly engaging in global conflicts through the digital domain."

The sectors most frequently targeted include government and law enforcement agencies, banking and financial services, telecommunications companies, and energy and utilities. The latter was particularly singled out for ICS attacks, with notable incidents affecting energy distribution and water utilities.

Geographically, India experienced the highest number of incidents in January, while Israel remained a persistent target throughout the quarter with a major spike in March, driven largely by pro-Palestinian hacktivist groups responding to the ongoing conflict in Gaza.

The United States saw an increase in attacks in March, which Cyble correlates with early actions by the new Trump Administration, including military strikes in Yemen and the implementation of import tariffs.

Perhaps most concerning is the adoption of ransomware by hacktivist groups. Cyble identified at least eight hacktivist groups and their allies "embracing ransomware as a tool for ideological disruption" during Q1.

In one notable incident, the Ukraine-aligned BO Team conducted a ransomware attack on a Russian industrial manufacturer allegedly linked to the Ministry of Defense, encrypting over 1,000 hosts and 300TB of data, which resulted in a $50,000 Bitcoin ransom payment.

Other groups, including Yellow Drift and C.A.S., have focused on data exfiltration operations against Russian targets, with Yellow Drift claiming to have compromised over 250TB of government data from the Tomsk region and 550TB from Russia's national e-procurement system.

The report also noted that hacktivist groups are increasingly employing more sophisticated website attack methods, including SQL injection, brute-forcing web administration panels, exploiting common web application vulnerabilities of the kind catalogued by OWASP, and using search-engine dorking techniques to discover exposed databases.

Cyble warns that as the technical capabilities of these ideologically motivated actors continue to advance, the distinction between hacktivists, nation-state actors, and financially motivated threat groups is increasingly blurred, creating heightened risks for organizations in regions experiencing geopolitical tensions.

To mitigate these evolving threats, the security firm recommends organizations implement comprehensive cybersecurity measures, including network segmentation, Zero Trust architecture, risk-based vulnerability management, ransomware-resistant backups, enhanced protection for web-facing assets, and comprehensive monitoring of networks, endpoints, and cloud environments.