{
	"id": "f5abc04f-7605-479a-93e5-11c614b9c555",
	"created_at": "2026-04-10T03:20:30.58864Z",
	"updated_at": "2026-04-10T13:12:35.667807Z",
	"deleted_at": null,
	"sha1_hash": "5641ccdd87b21afcc8fce523343f731265cb2dcf",
	"title": "Is RuskiNet the Next Big Russian Hacktivist Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1244334,
	"plain_text": "Is RuskiNet the Next Big Russian Hacktivist Group\r\nBy Orlaith Traynor\r\nPublished: 2025-10-30 · Archived: 2026-04-10 02:01:32 UTC\r\nContents\r\nWhat is RuskiNet?\r\nIs RuskiNet an APT group?\r\nNotable cyberattacks (2025)\r\n  1. Targeted data breaches\r\n  2. DDoS attacks\r\n  3. Botnets\r\n  4. Recycled data attacks\r\nAlliances\r\n  MoroccanCyberForces\r\n  LockBit\r\nMapping RuskiNet onto the MITRE ATT\u0026CK framework\r\nMitigation tips\r\nStop advanced persistent threats with CybelAngel\r\nEmerging from pro-Russian cyber ecosystems, RuskiNet is the latest rising hacktivist group.\r\nA blend of cybercrime and a challenge to national security and public trust, RuskiNet uses hacktivism to push Russian agendas against nations it regards as adversaries.\r\nIts attacks lean on phishing and malware to gain access, relying on social engineering to gain a foothold in target systems.\r\nLet's dive into RuskiNet's threat intelligence profile, how to identify a potential breach, and what you need to consider in your mitigation efforts.\r\nWhat is RuskiNet?\r\nRuskiNet is a hacktivist group first observed in February 2025 via an X post. The group is believed to be associated with Russian cyber operations; however, its attacks are launched from Eastern Europe.\r\nPublic information about RuskiNet is currently limited, and some analysts question the credibility of the data leaks it has advertised on dark web forums.\r\nWhile RuskiNet is not officially state-sponsored by Russia, its members operate in ideological support of Russian geopolitical interests, targeting Ukraine, Israel, and nations that support NATO.\r\nhttps://cybelangel.com/blog/ruskinet-hacktivism-apt-threats/\r\nPage 1 of 11\r\nIs RuskiNet an APT group?\r\nAdvanced Persistent Threat (APT) groups are typically state-sponsored actors that run long-term espionage campaigns against chosen targets.\r\nRuskiNet has not been confirmed as an APT group by threat analysts: it operates more like a hacktivist collective than an extended arm of Russia's GRU units.\r\nThat said, the group's goals overlap with those of APTs such as APT28 (Fancy Bear, attributed to the GRU) and APT29 (Cozy Bear, attributed to the SVR).\r\nNotable cyberattacks (2025)\r\nRuskiNet has used cyberattacks to disrupt critical infrastructure around the world.\r\nSince the beginning of 2025, RuskiNet has launched attacks against the US, Canada, Turkey, Israel, the UK, and India, targeting energy suppliers and shipping organizations with coordinated DDoS attacks to interrupt daily operations and cause disruption.\r\nHere are some of the group's notable claimed breaches since its emergence at the beginning of 2025.\r\n1. Targeted data breaches\r\nOn August 4, 2025, RuskiNet claimed responsibility for a targeted data breach of the Israeli intelligence agency Mossad. The leak included personally identifiable data, including photo IDs, names, and email addresses.\r\n[Figure: An X post claiming RuskiNet's responsibility for the data breach on Mossad.]\r\nRuskiNet's geopolitical ambitions also led it to hack several Israeli critical infrastructure companies, including Enlight Renewable Energy, Tadiran New Energy, Electis, and Infinity Pack.\r\n[Figure: A screenshot from RuskiNet's Telegram group detailing an alleged attack on the Australian Department of Defence. Source: CyberKnow on X]\r\n[Figure: An X post detailing the RuskiNet cyberattack on an Israeli energy company.]\r\nSimilarly, in Australia, the hacktivist group claimed to have breached the Australian Defence Force (ADF) site during operation “OpAustralia”. However, cybersecurity analysts found that all the data revealed in the breach originated from publicly available sources, such as airfield reports and parliamentary reports. In this case, the intent was to cause disruption and chaos rather than to expose anything new.\r\nCurrent reporting suggests that not all released data may be legitimate, yet given the group's alleged connection to Russia, prevention and proper cyber defenses remain key.\r\n2. DDoS attacks\r\nAccording to its own claims, RuskiNet has targeted 16 industry sectors with DDoS attacks. Like most hacktivist operators, it conceals its real IP addresses behind VPNs, proxies, or Tor to evade attribution.\r\nIn March 2025, the hacktivist group went after Colombia's energy sector, hitting Colombia Oil and Gas corporations in a coordinated DDoS attack. Web-facing operations were disrupted, but energy services continued uninterrupted.\r\nThe attack aimed to paralyze operations and send a political message rather than steal information, especially since Colombia had publicly shown support for Ukraine at the UN General Assembly shortly before the attack.\r\n[Figure 2. A screenshot from RuskiNet's Telegram channel claiming responsibility for the attack on Colombia Oil \u0026 Gas. Source: TechOwlShield]\r\nRuskiNet frequently uses DDoS attacks to take sites offline and bring daily operations to a halt; website defacement is a separate tactic it pairs with them for visibility.\r\n3. Botnets\r\nRuskiNet is believed to use botnets both to launch DDoS attacks and to distribute malware. Earlier in 2025, around 13,000 compromised MikroTik routers were reported to be in use by Russian state-aligned hackers. The routers act as proxies, forwarding traffic without verifying its origin, which helps attackers hide from detection.\r\n[Figure 3. A diagram showing how MikroTik routers were used for DDoS attacks. Source: Cybernews]\r\nRuskiNet's botnets are believed to have been used to send tens of thousands of spoofed emails carrying trojan or ransomware payloads. Botnets also make DDoS attacks faster and easier to coordinate.\r\nAs an indication of the scale such networks reach, an indictment unsealed by the US Attorney's Office in May 2025 charged 16 defendants in connection with the DanaBot malware network, which infected more than 300,000 victim computers globally. That indictment does not name RuskiNet.\r\n4. Recycled data attacks\r\nIn June 2025, a threat actor under the alias “YK3” claimed to have leaked data belonging to 38,000 employees of SAP Israel. The claim was reposted by RuskiNet on X, linking the group to the breach.\r\n[Figure: An X post by RuskiNet claiming the attack on SAP Israel, performed by hacker YK3.]\r\nAfter further investigation, the alleged data breach turned out to be recycled information from a previously known data leak from October 2023, originally associated with an Israeli digital payments platform.\r\nAlliances\r\nAlthough unconfirmed publicly, many analysts have speculated that RuskiNet is working in tandem with other cybercriminal gangs to carry out attacks.\r\nMoroccanCyberForces\r\nIn the wake of the African Cybersecurity Forum 2025 in Rabat, Morocco, the government made strides towards pan-African cooperation on digital infrastructure for defense, with Russian delegates present to discuss initiatives for joint Russian-African energy infrastructure protection.\r\nAfter the February summit, Morocco experienced a surge in cyberattacks, reportedly over 75,000 Distributed Denial-of-Service (DDoS) attacks, ranking second in Africa. Around the time of RuskiNet's most prolific attacks in June 2025, Morocco reported a further 20.7 million attempted cyberattacks.\r\nRussia has shown interest in participating in Morocco's rapidly expanding cyber defense strategy, offering cybersecurity tools and cooperation. Morocco would then act as a foothold into a broader global energy supply chain; if Morocco rejects Russia's support, that could threaten Russian interests in the region.\r\nMoroccanCyberForces emerged following the leak of sensitive data from Morocco's National Social Security Fund (CNSS) in early 2025 by Algerian hackers as tensions between the two countries rose. In retaliation, MoroccanCyberForces leaked data from Algeria's Ministry of Posts and Telecommunications (MGPTT).\r\nThe group's stated goal is to protect Moroccan digital sovereignty, focusing on government agencies, infrastructure systems, and diplomatic entities.\r\nBoth RuskiNet and MoroccanCyberForces share an interest in Russia's influence in Africa and in Moroccan digital independence from larger global powers such as the US.\r\nRuskiNet is known for DDoS attacks, and the large volume of DDoS attacks against Morocco during 2025 has been read as a sign of cooperation. MoroccanCyberForces similarly spreads disinformation, defaces government websites, and focuses on operational disruption.\r\nNo official links between the two hacktivist groups have been made public, and information about any involvement between them continues to evolve.\r\nLockBit\r\nLockBit, a cybercriminal group specializing in Ransomware-as-a-Service (RaaS), used double extortion and social engineering in its attacks. Law enforcement seized much of its infrastructure in Operation Cronos in February 2024, and in May 2025 the group's own affiliate panel was breached and its backend database leaked.\r\nWhile there is no confirmed link between RuskiNet and LockBit, overlapping infrastructure and shared tactics suggest a closer relationship.\r\nThreat intelligence reporting indicates that both groups:\r\n- Have a pro-Russian affiliation and aim to further Russian agendas.\r\n- Use DDoS attacks, website defacement, and data leaks to intimidate victims.\r\n- Launch attacks on critical infrastructure for geopolitical goals.\r\n- Use similar tools and tactics, such as botnets and encrypted C2 infrastructure.\r\nMapping RuskiNet onto the MITRE ATT\u0026CK framework\r\nThe MITRE ATT\u0026CK framework helps make sense of RuskiNet's TTPs and supports threat hunting efforts.\r\nRuskiNet threat actors use a range of tactics, techniques, and procedures (TTPs) that rely on social engineering and phishing to gain access. The mapping below reflects behaviour reported so far; since public information on the group is limited, treat the stealthier entries (DNS tunnelling, encrypted C2) as lower-confidence than the DDoS and defacement activity the group itself advertises.\r\nTactic | Technique | Explainer\r\nReconnaissance | T1595 Active Scanning | Scans for vulnerable public-facing infrastructure, especially energy and government systems.\r\nReconnaissance | T1589 Gather Victim Identity Information | Mines social media and public records to identify key personnel.\r\nResource Development | T1583.001 Acquire Infrastructure: Domains | Registers spoofed domains for phishing and malware delivery.\r\nResource Development | T1583.006 Acquire Infrastructure: Web Services | Uses dark web forums and Telegram for coordination.\r\nInitial Access | T1566.001 Phishing: Spearphishing Attachment | Sends malware-laced documents via spoofed emails.\r\nInitial Access | T1190 Exploit Public-Facing Application | Targets misconfigured DNS and vulnerable routers.\r\nExecution | T1059 Command and Scripting Interpreter | Uses PowerShell and Bash scripts for payload execution.\r\nExecution | T1203 Exploitation for Client Execution | Exploits browser and document reader vulnerabilities.\r\nPersistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Keeps malware running across reboots on compromised systems.\r\nPersistence | T1136 Create Account | Creates rogue accounts on compromised systems.\r\nPrivilege Escalation | T1068 Exploitation for Privilege Escalation | Uses known exploits to gain admin access.\r\nDefense Evasion | T1070.004 Indicator Removal: File Deletion | Deletes logs and artefacts post-attack.\r\nDefense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools | Disables antivirus and monitoring tools.\r\nExfiltration | T1041 Exfiltration Over C2 Channel | Sends stolen data through encrypted C2 channels.\r\nExfiltration | T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Uses DNS tunnelling for stealth.\r\nImpact | T1498 Network Denial of Service | Launches volumetric DDoS attacks on government and energy sites (application-layer exhaustion maps to T1499 Endpoint Denial of Service).\r\nImpact | T1491.002 Defacement: External Defacement | Defaces public websites to intimidate victims.\r\nMitigation tips\r\nThwarting a potential RuskiNet breach relies on good cybersecurity hygiene, including a zero-trust architecture. Based on CISA guidance for incidents involving Russian-aligned adversaries, here is how to react:\r\n- To stop a DDoS attack, identify the source addresses via your SIEM or another logging service. If the attack comes from a single pool of IP addresses, those can be blocked manually at the firewall; when the sources are too distributed to block by hand, rate-limit inbound traffic and notify your internet service provider or upstream scrubbing provider.\r\n- Secure your backups offline so that defaced websites can be restored.\r\n
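The first tip above, spotting a single source pool in the logs and blocking it, as an added example that is not code from the original article or from CybelAngel: a Python detector that reads constructed, simplified access-log lines, counts requests per source IP per minute, flags sources above an assumed threshold, clusters them into /24 prefixes, and emits nftables drop rules only when the flagged sources form a small pool. The log format, the 120 requests-per-minute threshold, the /24 grouping and the max_prefixes cut-off are all assumptions for illustration, and the sample traffic is made up. When the flagged sources spread across many prefixes (the proxied-router botnet scenario from the Botnets section) the function returns no rules, which is the signal to rate-limit and escalate to the ISP instead of chasing individual addresses.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed threshold: requests per source IP per minute above which the IP is
# flagged. Tune to the site's real baseline; 120/min is illustrative only.
RATE_THRESHOLD = 120


def build_sample_log():
    '''Constructed log lines (not real traffic): 30 hosts in 198.51.100.0/24
    each sending 200 requests in minute 10:00, plus three ordinary clients.'''
    lines = []
    for host in range(30):
        ip = f'198.51.100.{host + 1}'
        lines.extend(f'{ip} 10:00 / 503' for _ in range(200))
    for ip, n in (('203.0.113.10', 5), ('203.0.113.22', 3), ('192.0.2.7', 8)):
        lines.extend(f'{ip} 10:00 /index.html 200' for _ in range(n))
    return lines


def parse_line(line):
    '''Assumed simplified format: <client_ip> <HH:MM> <path> <status>.
    Returns None for lines that do not fit or whose first field is not an IP.'''
    parts = line.split()
    if len(parts) != 4:
        return None
    ip, minute, path, status = parts
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ip, minute, path, status


def requests_per_ip_per_minute(lines):
    '''minute -> Counter(ip -> request count), skipping unparseable lines.'''
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, minute, _, _ = parsed
        counts[minute][ip] += 1
    return counts


def flag_sources(counts, threshold=RATE_THRESHOLD):
    '''{ip: peak requests/min} for every IP that exceeded the threshold in any minute.'''
    flagged = {}
    for per_ip in counts.values():
        for ip, n in per_ip.items():
            if n > threshold:
                flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged


def summarize_pool(flagged):
    '''Group flagged IPs into /24 prefixes (IPv4 assumed). Few prefixes means a
    single pool that can be blocked by hand; many prefixes means a distributed
    botnet where manual blocking will not keep up.'''
    prefixes = Counter()
    for ip in flagged:
        prefixes[str(ipaddress.ip_network(f'{ip}/24', strict=False))] += 1
    return prefixes


def block_rules(flagged, max_prefixes=5):
    '''One nftables drop rule per /24 when the flagged IPs cluster into at most
    max_prefixes prefixes; an empty list otherwise, meaning: escalate upstream.'''
    prefixes = summarize_pool(flagged)
    if len(prefixes) > max_prefixes:
        return []
    return [f'nft add rule inet filter input ip saddr {p} drop' for p in sorted(prefixes)]


def analyze(lines):
    '''Run the whole pipeline and return (flagged IPs, prefix summary, rules).'''
    counts = requests_per_ip_per_minute(lines)
    flagged = flag_sources(counts)
    return flagged, summarize_pool(flagged), block_rules(flagged)


if __name__ == '__main__':
    flagged, pool, rules = analyze(build_sample_log())
    print(f'{len(flagged)} flagged IPs across {len(pool)} /24 prefixes')
    for rule in rules:
        print(rule)
```

The rules assume an existing nftables table named inet filter with an input chain; adapt the table and chain names to the host. Blocking a /24 is a deliberate trade-off: it catches the whole pool in one rule but can also cut off legitimate neighbours in that range, so review the prefix list before applying it.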
- Scan backup data with an antivirus program before restoring it, to ensure the backups are free of malware.\r\n- Regularly update web-server backend software to close known CVEs before they are exploited.\r\n- Ensure that the administrative interface of your website Content Management System (CMS) is not reachable from the internet and that the CMS is regularly updated. Attackers often use vulnerabilities in plugins and extensions to gain a foothold.\r\nStop advanced persistent threats with CybelAngel\r\nCyber espionage groups continue to grow and persist. RuskiNet, while elusive, has proven effective at disrupting daily business and harming countries across the globe.\r\nThwart hacktivist groups before they cause disruption and damage with our Cyber Threat Intelligence platform. CybelAngel can detect potential breaches within your ecosystem early, preventing exploitation, reputational damage, and regulatory penalties.\r\nSource: https://cybelangel.com/blog/ruskinet-hacktivism-apt-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybelangel.com/blog/ruskinet-hacktivism-apt-threats/"
	],
	"report_names": [
		"ruskinet-hacktivism-apt-threats"
	],
	"threat_actors": [],
	"ts_created_at": 1775791230,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5641ccdd87b21afcc8fce523343f731265cb2dcf.pdf",
		"text": "https://archive.orkl.eu/5641ccdd87b21afcc8fce523343f731265cb2dcf.txt",
		"img": "https://archive.orkl.eu/5641ccdd87b21afcc8fce523343f731265cb2dcf.jpg"
	}
}