The realities behind today’s hacktivist attack activity

March 12, 2026
With geopolitical tensions increasingly spilling into the cyber-domain, Richard Hummel, Director of Threat Intelligence at NETSCOUT outlines how hacktivist groups such as Keymous+ and NoName057 translate political grievances into disruptive DDoS attack campaigns.

Can you introduce yourself and your role at NETSCOUT?

I’m Richard Hummel and I serve as Director of Threat Intelligence at NETSCOUT.

My primary focus today is DDoS threats, though my background spans several areas of cyber-operations.

I began my career tracking nation-state activity with the United States Army, followed by a period of contracting work supporting various government agencies.

From there, I transitioned into cyber-crime investigations, concentrating on ransomware, point-of-sale malware and some early DDoS activity. Eventually, I moved fully into the DDoS space.

In a sense, I’ve had exposure to the ‘hat trick’ of major cyber-threats – nation-state operations, financially motivated cyber-crime and large-scale DDoS campaigns.

Each domain is uniquely challenging and fascinating in its own way. DDoS, in particular, is a different kind of beast.

Unless you’re directly engaged in mitigating these attacks, it’s difficult to fully appreciate how disruptive and insidious they can be.

It’s a dynamic field; no two days are exactly alike, and that’s part of what makes the work so engaging.

NETSCOUT’s recent report links Keymous+ to a wave of cyber-attacks. What can you tell us about how the group operates and chooses its targets?

Keymous+ is an ideologically motivated hacktivist group whose messaging is predominantly pro-Palestinian.

While we don’t have definitive attribution regarding their geographic origin or operational nexus (there are indicators that suggest a possible Russian connection), their public-facing narrative is consistent and clear.

Across social media platforms and Telegram channels, their commentary is centred on pro-Palestinian themes.

They frequently criticise Israeli and U.S. policies and actions that they perceive as opposing their cause. That ideological lens heavily influences their targeting decisions.

When they select targets, whether government entities, private organisations or public-facing websites, it is almost always aligned with that perspective.

A news article, a public statement from an ambassador or politician, or a policy decision by a country viewed as unsympathetic to their position can be enough to trigger activity. And when that line is crossed, they do follow through with attacks.

We’ve observed them operating independently as well as participating in broader coalitions.

But at its core, their modus operandi is ideologically driven, reactive and closely tied to geopolitical developments that intersect with their stated cause.

Does this growing cooperation between different cyber-groups suggest attackers are becoming more structured and coordinated?

You know, it’s an interesting question and it’s something we’re always trying to keep a pulse on.

Because if these groups did, in fact, start working together in massive coalitions, you can imagine how chaotic that would get.

Even a single one of these groups can create a massive headache for organisations.

Take NoName057, for instance. They operate somewhat alongside Keymous+ and have been all over the place – national news, international reporting, law enforcement actions trying to take them down – you name it. They’ve become very high profile.

Now imagine if several of those high-profile groups banded together and started working in concert against the same targets. Things could get manic, really fast. But at the moment, we’re not seeing that.

Most of the time, when these coalitions form, they’re pretty haphazard – very ad hoc.

The groups may share a similar ideology or goal, but they’re not necessarily coordinating in any meaningful way.

Occasionally, at the onset of these coalitions, you’ll see a bit of alignment: groups saying, “We have a shared purpose.”

You might see some light coordination around targets or even some shared infrastructure that briefly increases the bandwidth or throughput of the attacks.

But that phase usually doesn’t last long. Even when they publicly claim to be working together, the cohesion and coordination tend to break down pretty quickly.

Before long, they revert to their usual cadence and go back to pursuing their typical targets.

These coalitions also tend to exaggerate their scale. You’ll often see them boasting about having 10 or 15 groups lined up and ready to go after certain organisations.

In reality, those claims rarely translate into a meaningful, exponential increase in capability.

That’s not to say it couldn’t happen, especially with the rise of AI and the role it’s starting to play in these spaces.

If these groups were ever able to genuinely pool resources and coordinate effectively, the impact could be significant. But so far, we haven’t seen that materialise.

Why do you think they’re not forming more coordinated coalitions?

At a high level, these are opportunistic actors. For most of them, this isn’t a traditional 9 to 5 job, it’s not something they’re doing from sunup to sundown.

NoName057 is a bit of an exception. Based on previously released information, they appear to operate on something closer to a standard Russian business schedule – Monday through Friday, typical working hours.

Activity tends to drop off at night and on weekends, which suggests this may function more like a day job or at least a structured operation tied to regular working hours.

That level of consistency isn’t common across most hacktivist groups.

In many cases, you might notice general diurnal patterns that hint at geographic location based on when attacks occur. But beyond that, there’s rarely real cohesion or sustained coordination.

Activity tends to be sporadic and opportunistic rather than organised and methodical.

To me, that reinforces the idea that most of these groups are loosely organised, very vocal and active on platforms like Telegram, but operationally, they’re all over the place.

They strike when the opportunity presents itself, not as part of a disciplined, full-time campaign.

Financially, there’s also little indication of meaningful backing.

Most rely on homegrown tools, free ‘booter’ or stresser services or very low-cost attack-for-hire platforms.

Take Keymous+ as an example. They’ve been observed using DDoS-for-hire services and many of their attacks rely heavily on IP spoofing.

You might see telemetry showing four million ‘unique’ IP addresses involved in an attack, but that doesn’t mean they control a botnet of that size.

Those addresses are largely spoofed, so it’s more about inflating volume than demonstrating real capability.

Overall, these aren’t particularly sophisticated operations. Reconnaissance is often minimal and targets aren’t necessarily chosen based on technical vulnerability.

It’s more a case of, “Let’s hit this site and see what happens,” regardless of whether it’s protected.

In environments with even basic DDoS mitigation in place, these attacks typically fail to make much of an impact.

So, while they’re loud, ideological and persistent in their messaging, the technical execution behind most of these campaigns just isn’t especially sharp.

Attacks carried out by Keymous+ have typically been concentrated in the Middle East, North Africa and South Asia. What role do regional tensions or geopolitics typically play in this kind of activity?

Let me give you an example. In September 2025, we observed a noticeable spike in activity, not just in claimed attacks, but in verified incidents that directly impacted or were adjacent to our customers.

A significant portion of that activity targeted Morocco. The timing wasn’t random. It coincided with Morocco’s announcement of a $2.3 billion infrastructure development initiative tied to a broader digital transformation effort.

At the same time, diplomatic tensions surrounding the Western Sahara territorial dispute were playing out on the global stage during the United Nations General Assembly.

In other words, there was a convergence of high-visibility political and economic events.

That’s often all it takes. Sometimes it’s a major policy announcement.

Sometimes it’s a single public statement by a government official – perhaps signalling support for Ukraine or taking a position on a polarising issue.

From there, the country or organisation can quickly become a target. The threshold for action is low.

These actors tend to operate with a kind of hair-trigger mentality – constantly scanning for something that justifies a response. It doesn’t take much to set them off.

Part of the reason is the absence of meaningful consequences.

There’s little fear of retaliation or accountability, which creates an environment where they feel free to act whenever they see fit.

As a result, when you analyse spikes in hacktivist activity, you can frequently map them to major geopolitical moments.

In fact, I conducted research a few years ago examining large-scale deviations in attack activity across countries worldwide – roughly 267 significant outliers.

I mapped each one against contemporaneous geopolitical events to see how often they aligned.

Approximately 98% coincided with a relevant political development on the same date.

That correlation underscores an important point: These groups are closely attuned to the geopolitical landscape.

Their operations may not always be technically sophisticated, but they are highly reactive to the political environment and their activity often mirrors the global news cycle.

What is the single most important step leaders can take to reduce exposure to DDoS attacks today?

The bottom line is this: You need to have some level of protection in place.

You can’t assume you’re safe simply because you’re not in the political spotlight. That’s no longer how this works.

Take recent threats tied to botnets like Aisuru and Kimwolf.

These are global botnets capable of launching multi-terabit-per-second or multi-gigapacket-per-second attacks.

And one of their primary tactics isn’t to focus on a single IP; it’s to execute carpet-bombing attacks.

In a carpet-bombing scenario, they may target an entire /24 block (256 IP addresses) or even larger segments.

So, if their real target is just one IP address, but they flood 1,000 IPs across a network with massive volumes of traffic, that leaves 999 systems as collateral damage.

Even if you’re not the intended target, you can still go down simply because you share infrastructure.

That’s why leaders can’t afford to operate without protection.

You need to understand what’s defending your website and services.

If you run on-premises infrastructure and require high availability, what safeguards are in place locally?

What’s your actual bandwidth capacity?

If you can handle 5 Gbps but an attack hits at 10 Gbps, your upstream link will saturate before your internal defences even have a chance to respond.

In many cases, that means thinking beyond on-prem solutions and considering hybrid models – working with a cloud mitigation provider or your upstream service provider to absorb large-scale traffic before it reaches your network.

Now, if you’re a very small business and you decide you can tolerate a couple of days of downtime, that’s a business decision.

But it still represents lost revenue, lost customer trust and potential reputational damage.

The reality today is that every organisation should assume a DDoS attack is possible and ask a simple question: What are we doing about it?

Preparation is most of the battle. Awareness that you could be impacted, even indirectly, is critical. And while many attacks are linked to geopolitical events, you don’t have to be politically vocal to be seen as a political target.

Simply operating in a particular country can be enough.

For some hacktivists, geography alone makes you part of the narrative.

From their perspective, it doesn’t matter whether you intended to take a stance – you’re associated by default.

So, the question isn’t whether you’re high-profile. It’s whether you’re prepared.

Security Journal UK