**UK Public Sector and CNI at Risk from Russian Hacktivist Attacks**

A wave of denial-of-service (DoS) attacks against UK organisations, allegedly orchestrated by Russian hacktivists, has prompted the National Cyber Security Centre (NCSC) to issue a warning alert to vulnerable bodies. The NCSC is urging local government and critical national infrastructure (CNI) operators to strengthen their defenses against these attacks, which can be highly disruptive despite being relatively unsophisticated.

The current wave of attacks is driven by ideology and the UK's support for Ukraine, rather than financial gain, according to the NCSC. However, the agency emphasizes that the groups responsible are not directly controlled by Moscow, but instead operate independently in alignment with Russian goals.

"We continue to see Russian-aligned hacktivist groups targeting UK organisations," said Jonathan Ellison, director of national resilience at the NCSC. "Although denial-of-service attacks may be technically simple, their impact can be significant." He added that these attacks can prevent people from accessing essential services and cause organizations to lose time, money, and operational focus.

The NCSC is advising all organisations, especially those identified in today's alert, to take precautions against hacktivist attacks. This includes reviewing and implementing the agency's freely available guidance on protecting against DoS attacks and other cyber threats. Organisations are also encouraged to work with upstream internet service providers to establish what denial-of-service mitigations they may already have in place and to consider using third-party distributed denial of service (DDoS) mitigation services and content delivery networks (CDNs).

"Modern supply chains and critical infrastructure are deeply interconnected, making disruption easier than ever," said Gary Barlet, public sector chief technology officer at Illumio. "Hacktivists have successfully targeted essential services across Europe for years, and with rising geopolitical tensions in 2026, these attacks are likely to escalate."

The NCSC has previously co-sealed a separate advisory on hacktivist activity alongside partner agencies from around the world, highlighting the nefarious activities of several Russia-aligned operations. The most notorious group, NoName057(16), operates a proprietary DDoS tool called DDoSIA and was the subject of a major Europol enforcement action in July 2025.

NoName057(16) is believed to be part of the Center for the Study and Network Monitoring of the Youth Environment (CISM) – a Kremlin-backed 'NGO' – and its senior operatives and employees are accused of funding the group and assisting with malware development and admin tasks. The agency also identified another collective, Z-Pentest, which specialises in targeting operational technology (OT) within CNI organisations and so-called hack-and-leak attacks and website defacements.

The agencies warned that these groups may be receiving indirect support from the Russian government in exchange for running attacks that align with Moscow's geopolitical goals. The NCSC is advising all organisations to prepare a response plan, including graceful degradation of systems and services, retaining admin access during an attack, and having a scalable fallback plan for essential services.

"Downtime is the driving force not just behind hacktivist activity, but behind most cyber-criminal campaigns," said Barlet. "We need a new way of dealing with DoS attacks. For too long, we have focused solely on prevention, and this approach has not worked."

The NCSC's advice signals a change by recommending that plans include retaining administrative access and implementing full-scale backup plans. However, there needs to be an entire mindset shift within critical infrastructure organisations to focus on prioritising impact mitigation and maintaining service and operational uptime.