SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Hannah Baumgaertner

Hacktivism: From digital protest to real-world threat - what organisations must do to keep up

Wed, 19th Nov 2025

Cyber threats have never existed in a vacuum, but today they're more connected to global conflict than ever before. Hacktivist campaigns, once dismissed as annoying pranks or minor civil disobedience, are now routinely surfacing in geopolitical events like elections and the ongoing conflicts in Gaza and Ukraine. And many of these actors no longer operate alone. They're receiving state funding, guidance, or operating in alignment with national agendas.

For cyber threat intelligence (CTI) teams, the blurring of these lines poses serious challenges – not just to attribution, but to how cyber incidents are interpreted and escalated. As geopolitical tensions continue to erupt into hybrid conflicts, intelligence teams must rethink the frameworks they rely on to assess, contextualise and respond to threats.

Hacktivism is no longer just activism

Hacktivism, typically defined as politically or socially motivated cyber activity, has undergone a transformation. What began as loosely organised efforts tied to ideals like freedom of speech or anti-censorship has morphed into a digital battlefield where state-aligned "volunteers" are wielding denial-of-service tools and data-leak platforms in support of specific political goals.

This trend is demonstrated by the IT Army of Ukraine. Formed by Ukraine's Ministry of Defence in early 2022, this group includes researchers and hackers who carry out DDoS attacks and offensive cyber operations against Russian military and government entities. Though not formally embedded in Ukraine's military apparatus, their alignment is clear, and their tactics are strategic.

On the Russian side, the Cyber Army of Russia Reborn (CARR) illustrates the other half of the equation. CARR has launched attacks on critical infrastructure, including water and power facilities in the U.S., and is believed to operate as a proxy for Russian state interests. Mandiant has even linked CARR to APT44, an advanced persistent threat group with known ties to the Russian government.

Similar patterns are playing out in the Middle East. Predatory Sparrow, a group widely believed to have Israeli affiliations, launched destructive attacks on Iranian financial targets like Sepah Bank and a cryptocurrency exchange. Meanwhile, the group CyberAv3ngers, reportedly aligned with Iran's Islamic Revolutionary Guard Corps, has targeted Israeli electric utilities and fuel management systems. These aren't isolated stunts; they're coordinated influence and disruption campaigns tied to state objectives.

Strategic implications for intelligence teams

As the intersection of cyber security, activism and statecraft grows more commonplace, CTI teams are facing strategic uncertainty on several fronts.

Attribution complexity

When threat actors straddle the line between independent hacktivism and state-sponsored activity, traditional attribution models often fall short. Funding, tool reuse and operational overlaps between state APTs and hacktivist fronts muddy the waters, making it difficult to draw clear lines or anticipate retaliation.

Escalation risk

A misread cyber incident in a tense geopolitical environment could trigger real-world escalations. For instance, attacks on critical infrastructure by actors with plausible ties to foreign governments could result in civilian organisations finding themselves caught in the literal crossfire.

Intelligence blind spots

Siloed intelligence teams, especially those separating physical, geopolitical and cyber disciplines, risk missing the broader context. Take the pro-Russian disinformation campaign in the 2024 Romanian elections. If seen only as a cyber issue, it might have seemed contained. But its real-world impact – the annulment of the vote and subsequent protests – shows how isolating intelligence can obscure the bigger picture.

What security teams must do now

The scope and sophistication of hybrid threats demand new strategies. Here are five critical areas CTI teams should prioritise:

  1. Recognise the blurred lines between threat types

Avoid rigid classifications. Is an actor a hacktivist, cybercriminal or state proxy? Increasingly, the answer is 'all of the above'. Focus on motivations, affiliations and operational behaviour instead of traditional taxonomies.

  2. Monitor geopolitical flashpoints

Track the geopolitical environment alongside technical indicators like CVEs and malware strains. Escalations in Gaza, Ukraine and Taiwan have all triggered cyber offensives. Intelligence efforts can help anticipate where attackers will strike next.

  3. Filter intelligence inputs

Distil what matters. Analysts must establish the tools and processes needed to filter incoming data to ensure it's both relevant and timely. Without this step, the sheer volume of information can overwhelm teams and divert focus from higher-priority threats.

  4. Develop Priority Intelligence Requirements (PIRs)

Define tactical, operational and strategic intelligence needs that include geopolitical considerations. These requirements should be living documents that are regularly reviewed, updated and shared across teams.

  5. Collaborate across security disciplines

Break down silos. Coordinate cyber security with physical security and geopolitical risk teams. A single incident might appear to be contained but can signal further risk in other domains.

Intelligence for a hybrid era

In an era where cyberattacks can sway elections, cripple infrastructure and escalate conflict, threat intelligence can't afford to ignore global politics. This is no longer just about defending endpoints; it's about understanding threat actors who operate across physical, digital and psychological domains.

Organisations that consider risk holistically, evolve their tools and embrace cross-functional collaboration will be best placed to navigate what comes next. Tomorrow's hybrid threats demand equally hybrid defences today.
