NCSC warns rising wave of hacktivist disruptions is targeting services and urges urgent mitigation

Hacktivism sounds like graffiti for the internet. But this wave is closer to crowd-sourced service sabotage. The UK’s National Cyber Security Centre warned on January 19 that Russian-aligned groups are still targeting British organisations with denial-of-service attacks meant to knock websites and services offline, not quietly steal data. That matters because for a council, utility, or public-facing service, downtime is the harm. People cannot use the thing they need. (ncsc.gov.uk) ### What is the NCSC actually warning about? The warning is about disruptive cyberattacks by Russian-aligned hacktivist groups against UK organisations, especially local government and critical national infrastructure. The basic play is simple — flood a service with traffic until real users cannot get through. The NCSC’s point is not that this is novel malw(ncsc.gov.uk)ardening. (ncsc.gov.uk) ### Which group keeps coming up? One name sits near the center of this: NoName057(16). The NCSC says the group has been active since March 2022 and has run cyber operations against government and private-sector targets in NATO states and other European countries seen as hostile to Russian interests. It has als(ncsc.gov.uk)atable nuisance power. (ncsc.gov.uk) ### Why are these attacks still a problem if they’re “low sophistication”? Because low sophistication does not mean low impact. A successful DoS attack can make a website or online system unreliable or completely unavailable, and even a temporary outage can burn time, money, and staff attention. If the target is a public service, the damage lands first on a(ncsc.gov.uk)oken. That is enough for attackers chasing headlines or political signaling. (ncsc.gov.uk) ### Are these mostly about theft? Not usually. The NCSC warning is framed around disruption — taking websites offline, disabling services, and exhausting defenders — rather than the kind of quiet credential theft you see in espionage campaigns. That distinction matters. APT28, for example, was separately exposed by the NCSC in April 2026 for DNS hijacking aimed at stealing passwo(ncsc.gov.uk)and designed to be seen. (ncsc.gov.uk) ### Why now? Because this has become part of the background threat picture around Russia’s war and the wider confrontation with Western governments. The NCSC has been warning since 2024 that state-aligned groups sympathetic to Russia can launch destructive or disruptive attacks, including against operational technology. The January 2026 alert shows that this did not fade out. It settled into a durable pattern. (ncsc.gov.uk) ### What does the NCSC want organisations to do? The advice is practical, not exotic. Understand where your service can be overloaded. Know which protections your ISP already provides. Consider third-party DDoS mitigation and content delivery networks for web services. Build systems that can scale under pressure. And have a response plan you have actually tested. That is less glamorous than threat hunting, but for this problem it is the whole game. (ncsc.gov.uk) ### Why does this matter beyond one alert? Because defenders are not dealing with one clean category of threat anymore. The same NCSC that is telling organisations to brace for hacktivist outages is also tracking more serious state activity and a broader rise in nationally significant cyber incidents — 204 in the year to August 2025, up from 89 the year bef(ncsc.gov.uk)oblems. That pileup is the real story. (ncsc.gov.uk) ### Bottom line This warning is really about resilience. The attackers do not need to break in deeply if they can keep knocking the front door shut. For public services and infrastructure operators, that means boring mitigations now matter a lot more than elegant postmortems later. (ncsc.gov.uk)