Flash Report: United Kingdom Issues Alert on Russian-Linked Hacktivism

Key Findings

• On January 19, 2026, the National Cyber Security Centre (NCSC)—a part of the United Kingdom’s Government Communications Headquarters (GCHQ)—issued an alert highlighting the persistent targeting of UK organizations by Russian state-aligned hacktivist groups aiming to disrupt networks.
• In the alert, the NCSC highlighted ongoing activity from Russian-linked hacktivist collectives, including coordinated attacks across NATO and European countries.
• On January 12, 2026, ZeroFox observed that “NoName057(16)” and “DarkStorm Team” claimed on their respective official Telegram channels to have conducted distributed denial-of-service (DDoS) attacks targeting multiple organizations based in Poland.
• As tensions between Russia and the West remain, it is very likely that pro-Russia and anti-West hacktivist collectives will continue to target Western institutions throughout 2026.

Details

On January 19, 2026, the NCSC issued an alert highlighting the persistent targeting of UK organizations by Russian state-aligned hacktivist groups aiming to disrupt networks.¹ The alert urges UK organizations—particularly local authorities and operators of critical national infrastructure (CNI)—to strengthen their resilience against denial-of-service (DoS) attacks.

• DoS and DDoS attacks—the most commonly used by Russian hacktivist collectives to cause disruption—typically require relatively low technical skill to conduct. However, they often cause severe financial and operational losses.
• The alert notes that Russian-aligned hacktivist collectives are largely targeting victims whom they perceive support Ukraine and are operating independently of direct state control.

In the alert, the NCSC highlighted ongoing activity from Russian-linked hacktivist collectives (including coordinated attacks across NATO and European countries) and warned of continuous malicious cyber activity linked to Russia since the invasion of Ukraine in 2022. 

• Hacktivism combines hacking and activism and is carried out by a diverse array of actors leveraging digital tools and offensive cyber tactics, techniques, and procedures (TTPs) to promote or achieve political, social, or ideological causes.

On January 12, 2026, ZeroFox observed that NoName057(16) and DarkStorm Team claimed on their respective official Telegram channels to have conducted DDoS attacks targeting multiple organizations based in Poland. Both collectives posted updates in the following days claiming they had targeted additional Poland-based institutions.

• NoName057(16) is a pro-Russian threat collective that has claimed responsibility for multiple attacks against the United States, Ukraine, and other European entities.
• DarkStorm Team is a pro-Palestinian threat collective that has historically targeted victims whom they perceive to be pro-Western.
• In response to geopolitical events and growing tensions, hacktivist collectives often form alliances with other collectives that share perceived injustices underpinned by ideological, religious, political, or national beliefs.
• The coordinated targeting of NoNamed057(16) and DarkStorm Team against Poland-based victims demonstrates how threat collectives with mutual targets collaborate to enhance their intended impact.

Regional conflict very likely leads to an increase in hacktivist activity, and new alliances are often formed in response. ZeroFox has observed this threat actor reaction to several conflicts in recent years, including Ukraine-Russia, Israel-Hamas, and Israel-Iran. Future conflicts will almost certainly elicit a similar response from the hacktivist community and lead to malicious cyberattacks—largely in the form of DDoS and DoS—as well as the formation of new alliances between hacktivist collectives who share perceived injustices underpinned by ideological, religious, political, or national beliefs. As tensions between Russia and the West remain, it is very likely that pro-Russia and anti-West hacktivist collectives will continue to target Western institutions throughout 2026.

Recommendations

• Develop a comprehensive incident response strategy.
• Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
• Implement network segmentation to separate resources by sensitivity and/or function.
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
• Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.

• Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
• Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
• Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated TTPs.

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EST) on January 22, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

1. hXXps://www.ncsc.gov[.]uk/news/ncsc-issues-warning-over-hacktivist-groups-disrupting-uk-organisations-online-services