Cyber Intelligence: Russia and PRC Escalate Their Campaigns
This report contains selected cybersecurity information from 2nd to 15th May 2025.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 29 May 2025.
This report contains selected cybersecurity information from 16th to 29th May 2025.
This report is TLP:CLEAR and MAY be shared freely.
Synopsis
- Russia continues to escalate its cyber campaigns—interfering with Polish elections and launching a new email-based cyber espionage operation. Ukraine consistently hits back. The PRC has hidden ‘kill switches’ in power inverters for solar grids and continues to escalate its global cyber espionage campaigns. Hacktivism is back—and more dangerous than ever.
- It is our assessment that the three major cyber conflicts (Russia vs. Ukraine, Iran vs. Israel, and the People’s Republic of China) are the most likely sources for the creation of next-generation malware and/or the primary sources of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer ‘supporters’.
Russia
- Russian Cyberattacks Interfering with Polish Elections. On May 16th, the Polish Prime Minister announced an ongoing cyberattack “against his Civic Platform (PO) party and two of its coalition partners, The Left (Lewica) and the Polish People’s Party (PSL).” Polish cybersecurity identified the attackers as NoName057(16). “Last week, Poland’s digital affairs minister, Krzysztof Gawkowski, warned of an ‘unprecedented attempt by Russia to interfere in the Polish elections.’ He said there had been cyberattacks against the IT systems of all candidates competing in Sunday’s election.” Polish cybersecurity also announced the identification of a large number of political ads on Facebook that were “likely funded from abroad”—a violation of Polish law. These ads supported right-wing candidates.
- ESET Identifies New Russian Cyberespionage Campaign. Cybersecurity company ESET has named a newly identified Russian cyber operation ‘RoundPress.’ It is designed “to steal confidential data from specific email accounts.” The hackers, identified as the ‘Sednit cyberespionage group’ (also known as APT28), “target high-value webmail servers with XSS vulnerabilities.” The attack uses “spear-phishing emails leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.” Targeted webmail systems include RoundCube, Horde, MDaemon, and Zimbra. ESET noted: “Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.”
- Ukrainian Hackers Regularly Hitting Russian IT Systems.
  - During the week ending May 17th, pro-Ukrainian hacker group 4B1D claimed credit for a multi-day disruption at a Russian private hospital.
  - On May 29th, Downdetector reported “ongoing disruptions to Russia’s tax service (FNS), as well as services for managing secure digital keys (Goskey) and documents (Saby), among others.” A large-scale DDoS attack has been confirmed.
  - “Russian businesses also reported being unable to access a government service that controls the distribution and sale of alcoholic beverages, as well as the system that tracks the production of certain goods to prevent counterfeiting.”
People’s Republic of China (PRC)
- Chinese-Made Power Inverters Contain Hidden ‘Kill Switches’. Technical experts have long warned about Chinese-made electronic devices containing backdoors, malware, or other hidden capabilities. The Times reported that experts discovered rogue devices—including hidden cellular radios—in Chinese-made power inverters used globally, including in the UK. Investigators found “kill switches” in equipment at US solar farms. These hidden cellular radios could allow Beijing to remotely disable power grids. Although firewalls can be configured to block internet connections, “in the past nine months, experts have found undocumented communication devices, such as cellular radios, in batteries from multiple Chinese suppliers,” bypassing conventional security measures.
- PRC Cyberespionage Attacks Escalating Globally. Multiple cybersecurity organizations report new or intensified cyber espionage attacks from the PRC. According to GBHackers News:
  - ESET identified ‘Mustang Panda,’ a PRC APT group compromising government entities and maritime transportation firms.
  - EU government agencies were compromised by the ‘DigitalRecyclers’ group in attacks deploying HydroRShell, RClient, and GiftBox payloads.
  - A Central European government organization was infected with the new NanoSlate backdoor by the ‘PerplexedGoblin’ gang.
  - ESET researchers also revealed that a China-linked APT group, tracked as ‘UnsolicitedBooker,’ has repeatedly targeted government organizations in Asia, Africa, and the Middle East using spear-phishing emails to deliver malware. The group used a new backdoor called MarsSnake to target an international organization in Saudi Arabia in a multi-year campaign.
  - On May 28th, the Czech government identified APT31, a PRC hacking group, as the perpetrators behind a breach of one of its foreign ministry networks.
- This is a partial list of cyberattacks and does not include renewed activity by ‘Salt Typhoon’ and ‘Volt Typhoon,’ which continue to target global telecommunications and critical infrastructure. For example, Salt Typhoon was identified as the attacker behind the breach of Commvault, a data protection and management company. “In March, Microsoft observed Silk Typhoon targeting common IT solutions—like remote management tools and cloud applications—to gain initial access. The group then exploits Microsoft services to conduct espionage operations.”
The Return of Hacktivism
- Over the last three years, Google Threat Intelligence Group (GTIG) has observed the resurgence and intensification of hacktivist activity, with states increasingly employing the same tactics under hacktivist cover. This revival is driven by conflicts such as Russia vs. Ukraine, Israel vs. Iran (and proxies), and, more recently, India vs. Pakistan. Governments increasingly leverage “hacktivist personas” to obscure their operations. Unlike earlier hacktivism, which focused on anti-establishment ideologies, a new wave of groups now targets organizations worldwide to advance geopolitical objectives. These actors combine cyberattacks, information operations, and even physical disruptions. The outlook is grim: “Hacktivism has evolved from an ideological movement into a multifaceted cyber threat with the potential for real-world consequences. … The new wave of hacktivism necessitates a new level of vigilance.”
- Examples of Current Hacktivist Activity:
  - “In Belarus, hackers operate with surgical precision and intense secrecy.” Cyber resistance groups in Belarus and Ukraine share a common mission: undermining authoritarian regimes. Belarusian President Alexander Lukashenko has admitted his growing fears of cyberattacks, telling ministers he is “more scared of cyber weapons than nuclear weapons,” and ordering them to return to paper if they can’t secure their systems.
  - Russia’s Permanent Representative to the UN, Vasily Nebenzya, accused Ukraine’s IT Army of waging a coordinated disinformation campaign. Russian cybersecurity firm F6 identified the IT Army of Ukraine as the most active group targeting Russian digital infrastructure, reporting a 50% surge in DDoS attacks in 2024. However, Ukraine’s IT Army spokesperson stated that they now focus on “high-impact attacks that take valuable assets offline for days.”
  - “Hacktivist groups began cyberattacks on India and Pakistan even before Operation Sindoor commenced on May 7.” The report India-Pakistan Hacktivist Insights, updated through May 9, states that 54 groups have declared attacks—12 pro-India, the rest pro-Pakistan. From May 6 to 8, government and public websites in India were the most targeted (28.4%). Other targets included defense, security, commercial, healthcare, education, finance, legal, judiciary, transport, and logistics networks.
- Analyst Commentary: Hacktivists have evolved from being nuisances into potentially serious actors. The IT Army of Ukraine, for example, is a major cyber force multiplier. The rapid escalation of cyberwarfare between India and Pakistan is likely a preview of future conflict patterns. The danger of using decentralized cyber forces is their potential to escalate tensions unintentionally. Cyberattacks or disinformation campaigns can provoke visceral public reactions, which may, in turn, drive state-level escalation.
For more information on the CIDC or this Intelligence Report, or to arrange a dedicated briefing, please contact cidc@cscis.org