Systemic position: which targets were chosen by politically motivated hackers in Russia
In 2025, the main targets of hacktivists, who choose what to attack based on political motives, were the Russian transport and logistics industry and telecom. In total, the country is being attacked by at least 20 "ideologically charged" hacker clusters, mainly for cyber espionage, data theft and blackmail. Izvestia looks at who may face the threat of their attacks this year.
Dynamics of hacktivist attacks
In 2025, 16% of all cyber attacks on Russian organizations were carried out for political or ideological reasons, according to the Threat Zone 2026 study. A year earlier, hacktivists accounted for only 12% of attacks.
The attackers' main targets were transport and logistics companies, which accounted for 15%, according to BI.ZONE Threat Intelligence, a cyber intelligence portal focused on the Russian threat landscape. The telecom sector accounted for another 11% and the public sector for 9%.
"This may be due to the desire to make the attacks as resonant as possible," the portal experts believe. "A successful attack on the transport industry can paralyze both passenger transportation and the supply of necessary goods and cargo flows, have a negative impact on businesses throughout the country and cause a negative reaction from significant groups of the population."
According to the company, at the end of last year, there were 21 hacktivist clusters in Russia attacking Russian organizations. Eight of them were active, while there is a lull in the activity of the rest.
Anna Kulashova, managing director of Kaspersky Lab in Russia, the Baltic States and the CIS, also mentioned a similar figure: more than 20 hacktivist groups attacked Russian organizations in 2025.
At the same time, the share of attacks committed for the sake of espionage increased from 21% to 37%, said the head of BI.ZONE Threat Intelligence Oleg Skulkin.
"And this does not give reason to believe that there will be fewer or less intense attacks on Russian organizations in general: it's just that many clusters that were initially considered hacktivist are turning to extortion and demanding ransom from their victims," Oleg Skulkin clarified.
Dmitry Galov, head of Kaspersky GReAT, noted that cyber espionage was on the rise in 2025: compared to 2024, the number of stealer attacks (a stealer is a type of malware designed to steal confidential information from users) increased by 62%, spyware attacks, in which users are monitored for a long time, by 49%, and backdoor attacks (a method of bypassing authentication mechanisms that provides remote, privileged access to the system) by 25%. Overall, the number of targeted attacks on Russian companies for cyber espionage purposes has increased by almost a third.
Denis Ushakov, a presale engineer at Spikatel, confirmed the trend towards increasing attacks on infrastructure industries, in particular transport and telecom.
"These industries are under threat precisely because the damage is most noticeable in them," he said. "It is enough to recall the attack on a major airline in 2025. According to our estimates, over the past year, the intensity of hacktivist attacks on infrastructure has increased by about a third."
Industries such as telecom and transportation are among the most frequently attacked by hacktivists, Daniil Shcherbakov, Deputy CEO of Servicepipe, agreed.
"If we talk about DDoS attacks, in 2025, about 48% of all cyber incidents occurred in the telecom industry," the expert noted. "At the same time, the most common form of DDoS attacks on companies in the industry were the so-called carpet attacks, when multiple IP addresses are bombarded simultaneously with minimal load on one address; the carpet area was measured in thousands of simultaneously attacked IP addresses."
Both small Internet service providers and the largest market players became victims of the attacks.
"At the same time, to protect against such attacks, telecom needs not only traffic filtering systems, but also an analyzer that sends traffic only from attacked IP addresses for cleaning," said Daniil Shcherbakov. "Our experience of communicating with Internet service providers shows that about 73% of market participants do not have traffic analyzers; if we look at the largest players, this figure will be about 92%."
The situation is not much better with protection against DDoS attacks: no more than 30% of companies have protection in the entire market, and a maximum of 10% are protected among small players.
The targets of cyber criminals
Among the most active hacktivist groups today are those that specialize in massive DDoS attacks, for example the so-called "Ukrainian IT army", as well as associations aimed at stealing, encrypting or completely destroying confidential data, such as BO Team and 4B1D, according to the cyber intelligence department of the Positive Technologies expert security center.
"In parallel with the activity of hacktivists, we are detecting ongoing attempts by attackers to circumvent various protection mechanisms, traffic filtering and geo-blocking," said Asker Jamirze, head of the threat research department at the company's expert security center. "Successful attempts can lead to hacking of web resources and their use in further attacks to steal personal data or to host malware or phishing pages."
In 2025, hacktivist attacks were carried out on the fuel and energy sector, medicine, finance, telecom, logistics and transport, public and defense sector organizations, said Denis Chernov, an engineer at the incident investigation group of the Solar 4RAYS Cyber Threat Research Center at Solar Group.
"With a high degree of confidence, we determine the involvement of three groups in some of these attacks: the pro-Ukrainian Shedding Zmiy (ExCobalt), Fairy Trickster (Head Mare) and Partisan Zmiy (Cyber Partisans)," he said. "The authorship of other attacks is still difficult to determine. Over the past year, protracted and silent attacks have become more frequent, aimed not at destroying infrastructure, but at espionage."
Dmitry Galov mentioned the Cyber Partisans group, whose aims are data destruction, defacement (hacking a website and publishing malicious messages on it) and cyber espionage.
"This group, which has been operating since about 2020, is an example of how attackers initially engaged in hacktivist activities and, trying to make as much noise as possible, positioned themselves as non-professionals trying to convey their idea," he recalled. "But over the past five years, they have been evolving and improving their tools. And now they are on the same level as professional groups that deal with targeted attacks."
According to Asker Jamirze, hacktivists are increasingly seeking to permanently destroy the victim's infrastructure after stealing confidential data. They also actively use AI services to write malicious code.
"The use of artificial intelligence can significantly reduce the 'entry threshold' for cybercriminals and reduce the cost of preparing an attack," said the expert. Neural networks help hacktivists adapt their tools to specific tasks much faster, quickly expanding the functionality of malware.
According to Spikatel, the most popular targets of Internet attacks in 2025 were the industrial sector, which accounted for 34%, telecommunications companies (26%), IT companies (11%), the financial sector (16%), retail (8%) and Medtech (5%). They were targeted by network attacks involving ransomware, access through contractors, phishing and the exploitation of vulnerabilities.
How companies are coping
Against the background of the growing number of attacks, the demand for protection from telecom and the transport industry has increased, said Dina Fomicheva, director of the Corporate sales department at Telecom Exchange.
"We attribute this to the fact that these areas remain at the top of the attackers' targets: this is evident from the high-profile incidents of last year, as well as the growing digitalization of the transport industry," she said. "We also see changes in the behavior of hacktivists: the boundaries between their activities and attacks for profit are blurring."
According to her, many politically motivated groups have started using ransomware and demanding ransom, which increases the pressure on the victims.
Rustem Khayretdinov, Deputy General Director of the Garda company, drew attention to the fact that the previous targets of the attacks — financial organizations and the public sector — have significantly strengthened their protection in recent years thanks to the efforts of the attackers themselves, as well as security experts and regulators.
"As a result, they have become a more difficult target," he said. "Therefore, hacktivists, whose task is to harm citizens, not organizations, have switched to easier targets, which, with a lower level of overall security, also promise wide coverage and make it possible to create inconvenience for users."
According to experts, hacktivists are likely to shift their focus further, possibly to retail and energy. Now they are chosen less often, but the effect of such an attack can affect a large number of citizens and cause a wide public outcry.