Pro-Russian Hackers Forge Strategic Alliances for Upcoming Major Cyber Attacks

The evolving Russia-Ukraine conflict continues to transform the global cybercrime landscape, with a surge in pro-Russian hacktivism intent on influencing the course of war and European security.

Since January 2025, fears over wavering U.S. support for Ukraine under President Donald Trump have provoked European leaders to ramp up defense spending and sanction Russia, intensifying digital hostilities.

These developments have emboldened pro-Russian hacktivist groups to forge new alliances, orchestrating coordinated attacks on NATO allies and organizations supporting Ukraine.

Leading Groups and New Entrants – NoName057(16), IT Army of Russia, and TwoNet

At the epicenter of these operations is NoName057(16), now the most prominent pro-Russian hacktivist group after the shift of KillNet’s focus from ideology to financially motivated crime.

NoName057(16) and its collaborators, including CARR (Cyber Army of Russia Reborn), Dark Storm Team, and others, frequently launch Distributed Denial of Service (DDoS) attacks, deface websites, and leak stolen data often in retaliation to political events such as Lithuania’s recent calls for harsher sanctions against Russia.

The technical backbone of NoName057(16) is the DDoSia project, a crowdsourced DDoS attack tool developed in Go, distributed to volunteers who are rewarded in cryptocurrency for their participation.

This tool enables the group to sustain high-frequency, high-impact attacks against NATO and Ukrainian digital infrastructure.

Emerging groups, such as the IT Army of Russia, have augmented the threat landscape since March 2025.

Utilizing SQL injection vulnerabilities, they have exfiltrated and leaked data from Ukrainian businesses, actively recruiting insiders and leveraging the PanicBotnet DDoS utility, promoted on underground forums and coordinated via Telegram bots and channels.

TwoNet, which is set to appear in early 2025, boasts a membership of software developers and intelligence analysts, targeting critical sectors in Spain, Ukraine, and the U.K.

The group claims use of the MegaMedusa Machine DDoS tool, with attack selections often triggered by Western demonstrations of support for Ukraine.

State Influence and Critical Infrastructure At Risk

There is mounting evidence of overlap between these hacktivist collectives and state-backed Russian advanced persistent threat (APT) groups, particularly Russia’s GRU-associated APT44 (Sandworm).

For instance, U.S.-sanctioned operators of CARR have been linked to attacks on U.S. and European industrial control systems (ICS), including those in the water and energy sectors.

This convergence blurs the boundaries between hacktivism and state-directed cyberwarfare, complicating attribution and bolstering Russian plausible deniability.

As cybersecurity firms race to monitor new alliances and offensive tools, the risk of disruptive attacks, mainly targeting critical infrastructure, remains acute.

While most hacktivist actions are unsophisticated, the potential for catastrophic impact increases as these groups recruit more technically skilled members and coordinate on an unprecedented scale.