The cybercrime landscape in 2025 has been dramatically reshaped by the geopolitical upheaval stemming from the Russia-Ukraine war. In a detailed report, Intel 471 outlines how pro-Russian hacktivist groups are continuing their digital assault on Ukraine, NATO allies, and critical Western infrastructure—often responding directly to political developments with waves of DDoS attacks, defacements, and data leaks.
“The outbreak of the Russia-Ukraine war in 2022 had a profound and lasting effect on the cybercrime landscape that caused a dramatic rise in hacktivism aimed at influencing the conflict,” the report states.
Much of the 2025 hacktivist activity has been sparked by renewed political tensions, particularly wavering U.S. support for Ukraine under President Donald Trump and Europe’s ramped-up military commitments. In response, pro-Russian groups have intensified cyber operations.
One prominent case occurred in May 2025 after Lithuanian Foreign Minister Kestutis Budrys criticized Russian delay tactics and called for tougher sanctions. In retaliation, seven pro-Russian groups launched #OpLithuania, including:
- Dark Storm Team
- Mr Hamza
- NoName057(16) (aka NNM057(16))
- Russian Bears
- ServerKillers
- Z-PENTEST ALLIANCE
“The ServerKillers group targeted the Lithuanian financial sector and the Dark Storm Team targeted Lithuanian government institutions,” Intel 471 reported.
With the decline of the once-dominant KillNet group—whose founder KillMilk pivoted toward profit-driven crime—the title of top pro-Russian hacktivist group now belongs to NoName057(16).
“The group will often cite a recent event — military activity, a political state or aid announcements — as a trigger for the attack in order to draw attention to it and encourage other like-minded groups to join in.”
Notably, NoName057(16) operates the DDoSia project, a crowdsourced DDoS platform written in Go. Volunteers earn crypto rewards based on their attack activity, tracked via a unique client_id.
Intel 471 also identified the IT Army of Russia, a new group formed in March 2025. They combine data theft, DDoS, and insider recruitment to assault Ukraine’s digital infrastructure.
The group actively promotes operations via the Telegram channel t.me/itarmyofrussianews, recruiting participants with the motto: “We are recruiting bright minds to help the Motherland!”
They reportedly use tools like PanicBotnet, a DDoS utility advertised on underground forums, and also created the t.me/itarmyrussia_bot Telegram bot to gather intelligence and nominate cyber targets.
Another emerging player is TwoNet, a DDoS-focused group that appeared in early 2025. According to Intel 471:
“The group primarily attacked digital infrastructure in Spain, Ukraine and the U.K… usually in the aviation; government; and technology, media and telecommunications sectors.”
TwoNet reportedly uses MegaMedusa Machine, a tool developed by the RipperSec group and freely available on GitHub. Their Telegram posts have also revealed collaboration with other pro-Russian actors, including:
- BLOCKWEB
- КиберVойска (CyberArmy)
- OverFlame
- Sector091
- Russian Partisan
While most hacktivist tactics are basic—such as DDoS or website defacements—Intel 471 warns of increasingly bold moves against industrial control systems (ICS). A chilling example involved the group Z-Pentest, which claimed responsibility for a cyberattack on a U.S. water treatment facility in Arkansas, forcing a fallback to manual operations.
“These kinds of hacking exercises can have an outsize impact, particularly as many Western nations recognize and have sought to remediate long-standing security issues around critical infrastructure.”
This follows prior claims from CARR (Cyber Army of Russia Reborn) of compromising ICSs in Texas and Europe, adding further concern to the growing overlap between hacktivist theatrics and real-world consequences.
There remains strong suspicion that the Russian government plays a coordinating or enabling role behind these operations. While hard proof is elusive, several indicators suggest alignment:
- U.S. sanctions against CARR members Yuliya Pankratova and Denis Degtyarenko
- Intelligence suggesting overlap between CARR and APT44 (aka Sandworm), a GRU-linked group
- Molfar’s OSINT report exposing personal details of individuals allegedly involved in both NoName057(16) and CARR
“The hacktivist scene supporting Russia is fluid,” Intel 471 concludes. “While most activity may be unsophisticated, these groups can and have recruited or had access to people with skills required to hunt down and tamper with ICSs.”