By Mackenzie Storm
Hacktivists have evolved from conscience-driven activists to state-sponsored cyber soldiers waging hybrid war against businesses critical to society, from energy to finance, and healthcare.
There was a point in time when business leaders saw cyber hacktivism as harmless online protestors. Websites went dark for a few hours to protest against human rights abuses or unethical corporate activities. Campaign slogans replaced homepages; the damage was visible but shallow. Serious threats, it was assumed, came from elsewhere.
That assumption no longer holds.
Since 2022, hacktivism has shifted from conscience-driven activism to the mobilization of state-sponsored irregular cyber forces conducting a hybrid war to advance national interests.
For European businesses, particularly those delivering critical infrastructure, the implications are stark. Hacktivism has become a tool of pressure, retaliation, and destabilization, one that increasingly threatens the support systems on which modern society depends.
The end of innocence
Hacktivism evolved with the internet and for a long time largely remained performative. It was noisy, emotional, and often crude. Groups sought attention, legitimacy, and symbolic victories. Their operations were shaped by ideology and visibility – like web graffiti – rather than strategy. Security teams learned to absorb the blows and move on.
Russia’s invasion of Ukraine changed the nature of the fight. As conventional armies clashed, a parallel conflict took shape online. Hacktivist collectives aligned themselves openly with geopolitical camps.
A clear turning point came in early 2022, when a group of Belarusian hacktivists known as the ‘Cyber Partisans’ used ransomware to attack and disrupt the IT system of the state-run Belarusian railway system. Their objective was to hamper and delay the delivery of Russian weapons and troops being moved into their country. The Cyber Partisans threatened to destroy data unless the government of Belarus removed Russian soldiers from Belarus and released political prisoners.[i]
Since then, the boundaries that separate activism, state-aligned hybrid warfare and criminality have blurred even further. Many hacktivist groups now appear to be directly or indirectly state sponsored. They are tolerated, encouraged, and occasionally amplified by state narratives. Their ambiguity is their protection. These actors allow governments to deny responsibility while reaping the benefits of disruption carried out by others.
Europe as the theatre
Europe has become the primary theatre for this new form of conflict. While financially motivated cybercrime continues to plague businesses worldwide, European organizations have faced sustained campaigns driven by ideology and geopolitics. Government services, transport systems, hospitals, financial institutions, and election infrastructure have all been subjected to pressure.
Distributed denial‑of‑service attacks against public services are designed to sow fear and cause chaos, erode trust and reveal societal vulnerabilities. The attacks remind governments that support for allies or sanctions against adversaries carry consequences. Businesses that operate critical services find themselves on the front line, whether they chose to be there or not.
This shift is reflected in recent resilience research conducted by DNV Cyber. Hacktivism is the threat source executives in critical infrastructure in Sweden, Finland and Denmark are most concerned with, ranking this type of activity higher than cybercriminal gangs. In Norway, hacktivists were ranked second by those surveyed.[ii] Executives increasingly recognize that politically motivated actors are not just background noise, but part of a broader security environment shaped by geopolitics.
NoName057(16): An irregular force
Few groups illustrate this evolution more clearly than NoName057(16). Formed in 2022, the collective has focused its activity almost exclusively on European countries aligned with Ukraine. Its operations are frequent, coordinated, and unapologetically political.[iii]
Authorities and researchers across Europe have assessed that the group operates in alignment with Russian strategic interests. Target selection, timing, and rhetoric consistently mirror official positions. The group operates openly, without the fear of domestic consequence. Researchers have observed, based on its activities, that NoName057(16) likely operates within a Russian time zone.[iv]
Through its DDoSia platform, NoName057(16) mobilizes volunteers, distributes tasks, and rewards participation with cryptocurrency.[v] For European businesses, this model is deeply unsettling. There is no bargaining with actors motivated and protected by geopolitical adversaries.
Crossing into the physical world
The most dangerous development is the invasion of hacktivists beyond IT systems and into operational technology (OT) and industrial control systems (ICS), which allow physical assets, such as electricity grids, dams, and traffic light systems to be controlled remotely. Groups associated with the so‑called pro-Russia aligned Z‑Alliance have claimed responsibility for compromises affecting energy, water, and industrial facilities across Europe.[vi] Groups associated to Iran are known to do the same.[vii]
In several cases, these claims have been confirmed. In Apil 2025, hackers gained unauthorized access to the control system of a Norwegian dam located in Bremanger.[viii] The attackers manipulated the system to open a floodgate, releasing approximately 500 litres of water per second for nearly four hours before the incident was detected and stopped. Norway’s police security service (PST) attributes the attack to a pro-Russian hacktivist group.[ix] While the physical impact of the attack was limited, the incident marks a shift to societal level cyber risk where physical consequences extend far beyond individual companies.
After the war, the fighters Remain
There is a final risk that Europe has yet to fully confront.
The war in Ukraine has given purpose to thousands of technically capable actors. They have learned coordination, persistence, and operational discipline. They have built networks, reputations, and tools. When the war ends, these capabilities will not disappear and may multiply.
History offers little comfort here: irregular forces rarely return quietly to civilian life. Some drift into criminal enterprise. Others sell their skills to new patrons. The line between hacktivism and cybercrime, already thin, may dissolve entirely.
For European business and government alike, preparation must go beyond firewalls and patches. Cyber risk must be understood as a political phenomenon. OT environments must be treated as strategic assets, and resilience must assume continuity of threat.
Conclusion
Hacktivism is no longer conscience-driven activism. It has evolved into a disciplined, persistent weaponized instrument in the hybrid war that Europe now faces. It operates in the shadows between state policy and criminal enterprise, targeting data and the physical systems that sustain society with a new, far more dangerous purpose to destabilize the societies of its enemies and cause chaos. Businesses, particularly those operating critical infrastructure, are in the crosshairs. Even if the war ends on the battlefield, businesses cannot let down their guard, because these fighters will not just lay down their weapons and go home.
