Judgement 3

Hacktivists are targeting New Zealand organisations as global conflicts escalate

Why it matters – the global view

Hacktivism usually seeks to cause disruption to business, sector, or state to promote political or social causes. The goal of hacktivist groups is visibility rather than financial gain, but their activities can still undermine trust, damage reputations, and disrupt services.

Unlike state actors or organised cybercriminals, hacktivists often rely on basic but noisy techniques. Issue-motivated cyber actors rarely seek payment or issue demands and frequently claim responsibility for the activity. Their actions may not cause long-term harm, but they can create operational headaches and public embarrassment.

Examples

  • In the 2024/25 year, pro-Ukrainian and pro-Russian hacktivist groups both conducted global distributed denial-of-service (DDoS) campaigns against financial institutions and government sites, including in New Zealand.
  • In the same period, environmental and social-justice hacktivists targeted energy companies and public agencies globally to amplify their causes.

Tactics and techniques

Hacktivists will commonly use distributed denial-of-service (DDoS) attacks and website defacements to cause visible disruption.

DDoS attacks flood a network with excess traffic, which can degrade the target network or make it inaccessible, and can sometimes corrupt data.

Attack tools are widely available, lowering barriers to entry. 

In many cases, actors command sizable botnet infrastructure to orchestrate and sustain DDoS attacks.

Hacktivists will usually target sectors with the highest potential for significant and visible disruption, such as government services, banks and other financial institutions, news media, transport, utilities and retail.  

However, the NCSC has observed that hacktivist groups sometimes use opportunistic criteria for target selection, such as existing vulnerabilities and victim availability, rather than a strategic focus on particular organisations. 

Large organisations generally engage managed service providers for DDoS mitigation, limiting impact. Smaller businesses, such as those that openly support particular political views or conflict-related activities, could be vulnerable because they often do not have mitigation services in place.

The line between state-sponsored cyber operations and hacktivism has increasingly blurred, with state involvement ranging from direct to indirect. For example:

  • States employ proxies directly to act.
  • Independently motivated ‘true believer’ individuals or organisations conduct attacks aligned with foreign state interests.
  • States may turn a blind eye to activity emanating from within their borders.

The New Zealand landscape 

The NCSC is aware of activity associated with hacktivist groups affecting New Zealand organisations during the 2024/25 period. These incidents have often coincided with political activities or statements:

  • In October 2024, the NCSC recorded DDoS attacks against a range of financial sector organisations. This occurred at a similar time to multiple pro-Russian campaigns targeting Western governments.
  • In June 2025, when the New Zealand Government pledged more financial support to Ukraine, the NCSC recorded DDoS campaigns against organisations in the government, transport, and water sectors.

While there has been an increase in the frequency of ideologically motivated cyber incidents in New Zealand, they have had varied success to date. 

Nevertheless, disruption can affect customer trust, even if the technical impact is minimal. 

There has also been a handful of low-impact New Zealand cyber incidents against operational technology (OT) claimed by hacktivist groups. In situations where OT is less protected, actors setting out to create a nuisance may end up causing significant damage beyond what they expected, escalating tensions and causing unintended consequences.

Although by definition a hacktivist group is motivated by its beliefs, some activity that appears as hacktivism may have other motives. 

Hacktivist campaigns may overlap with state or criminal activity, complicating attribution and defence.

At least two known hacktivist groups active against New Zealand were likely created as an unattributable platform for conducting state-sponsored malicious cyber activities.

The actors behind these kinds of cyber incidents probably view DDoS attacks as harder to attribute, plausibly deniable, and unlikely to trigger an escalatory response from the countries affected. 

The NCSC anticipates this type of ideologically motivated malicious cyber activity is likely to continue if geostrategic competition trends continue internationally. We assess that the government, financial, news, utilities, IT and retail sectors are most likely to be targeted, due to the potential for noticeable disruption. Cyber actors conducting this kind of activity will target sectors most impacted by digital disruption, as this will help amplify their message.

Case study 3: Hacktivism with unclear motives

In April 2025, a New Zealand organisation in the health sector began experiencing a high-volume DDoS attack early one morning, causing service outages. Later that same day, the organisation received an extortion email that claimed the attack was being orchestrated by a known hacktivist group. The email threatened to increase the severity of the attack unless a Bitcoin payment was made. However, the email did not specify why this particular organisation had been targeted.

Implications for organisations

The targets of hacktivism are usually symbolic, for example a media organisation, bank or telecommunications company taking a particular stance on a contentious issue, or associated with a certain country. In such cases, an organisation with a New Zealand connection could inadvertently become a target if hacktivists oppose New Zealand Government policy. 

Organisations should consider whether they could be targeted by hacktivists for any reason, and what the impact of a typical hacktivist attack would be on the organisation’s business continuity and reputation.

DDoS attacks are much easier to defend against if controls are in place already, rather than trying to mitigate once an attack is underway. Web application firewalls can then be tuned when incidents occur, to limit the impact. Smaller organisations that struggle to afford the support of a managed service provider could consider one of the free plans that are on offer from some providers.

Readiness considerations

Three questions leaders should be asking:

  1. Have we assessed our risk profile in relation to hacktivism?
  2. Are our websites and online services resilient to denial-of-service attacks?
  3. Do we have a plan for communication and reputation management if our organisation becomes a symbolic target?