Pro-Russia Hacktivist Activity Continues to Target UK Organisations
Summary:
On January 19, 2026, the UK's National Cyber Security Centre (NCSC) issued an alert highlighting the persistent targeting of UK organizations by Russian state-aligned hacktivist groups seeking to disrupt networks. The alert notes that these ongoing attacks are driven by ideology, specifically perceived Western support for Ukraine, rather than by financial gain, and that the groups operate outside the direct control of the Russian state.
A prominently named actor is NoName057(16), which has been active since March 2022 and has conducted attacks against government and private sector entities across NATO member states and other countries viewed as hostile to Russian geopolitical interests. The group operates primarily through Telegram channels and uses GitHub and other repositories to host its proprietary DDoS tool, DDoSia, and to share TTPs with followers.
Additional groups, including Cyber Army of Russia Reborn (CARR), Z-Pentest, and Sector16, have been identified as exploiting poorly secured VNC connections to access operational technology (OT) devices in critical infrastructure. These attacks primarily target the water, food and agriculture, and energy sectors, in some cases causing physical damage.
This alert follows a joint international advisory co-signed by the UK approximately one month prior, which named CARR, Z-Pentest, and Sector16 as groups responsible for attacks on Western organizations.
Security Officer Comments:
UK local government bodies have appeared frequently in NoName057(16)'s campaigns, with attacks against council websites and online services largely taking the form of DDoS activity. The NCSC handled 204 nationally significant cyberattacks in the past year, more than double the 89 incidents from the prior year, representing approximately four major attacks per week, with local government bodies and critical infrastructure operators bearing the brunt.
Security researchers warn the threat is escalating in strategic scope: an emerging pattern described as "escalatory hacktivism" sees groups aligning with state-backed narratives and contributing to hybrid warfare efforts, pushing activity beyond nuisance-level disruption toward targeting operational technology environments.
Groups are also known to overstate the impact of their attacks, regularly making false or misleading claims about results, including dressing up minor intrusions as severe incidents, as a deliberate propaganda component designed to create an atmosphere of fear and uncertainty.
Suggested Corrections:
Organizations, particularly local government authorities and operators of critical national infrastructure, are encouraged to review their defenses and improve cyber resilience by preparing for and being able to respond to denial of service attacks.
The NCSC recommends that all organizations look into third-party DDoS mitigation services, as well as using a content delivery network (CDN) for web services.
Additional recommended actions include understanding weak points in internet-facing services, enabling scalable infrastructure, preparing incident response plans, and regularly testing and monitoring systems to detect and handle attacks quickly.
For OT-owning organizations, the NCSC encourages following recommended mitigation guidance to harden cyber defenses, given the evolution of the threat to now include targeting of operational technology systems.
Link(s):
https://www.ncsc.gov.uk/news/pro-russia-hacktivist-activity-continues-to-target-uk-organisations