Pro-Russia hackers declare war on Britain

In messages exchanged with The Observer, a pro-Russian hacking group pledges to disrupt UK businesses and infrastructure


“Englishwomen,” the hacker said, “always play dirty.”

The head of Z-Pentest, a pro-Russia hacking group, was speaking idiomatically, using an anti-British proverb from the 19th century.


But in an interview, his message was clear: Britain was a target. “As long as the British government continues to foster anti-Russian sentiment and pursue pro-Ukrainian policies, we will continue to attack them,” the hacker said in a series of messages exchanged with The Observer last week.

Z-Pentest is one of a new wave of “patriotic” hacking groups connected to Russia and China whose aim is to destabilise the west. Unlike many hackers who had previously limited themselves to disabling “enemy” websites, Z-Pentest and others are increasingly targeting critical infrastructure.

The group, which formed last year, claims to have hacked into a hospital in Poland, a commercial ventilation system in Romania, an unnamed sterilisation unit in the UK and a food storage system in Ukraine. In May it posted a video showing its hackers in Poland apparently raising temperatures at the warehouses of the global supermarket Lidl to “a scorching desert”.

The Observer has seen videos purporting to show these attacks but has not verified them independently. A spokesperson for Lidl said all its warehouses in Poland were operating normally but that it treats reports of hacking with “utmost seriousness”.

“Hacktivists are increasingly targeting critical infrastructure,” Kaustubh Medhe, vice-president of research at monitoring organisation Cyble, said. “It’s a growing concern. Critical infrastructure needs to be much better secured.”

Last week the National Cyber Security Centre (NCSC) warned that such groups were a rising threat: “Russia’s invasion of Ukraine and the ongoing Israel-Gaza conflict have inspired a growing number of pro-Russia hacktivist groups seeking to target the UK, Europe, US and other Nato countries. They choose their targets based on what is vulnerable, which makes their activities less predictable.”

In August, Z-Pentest released a video. Set to the music of a Moscow-based punk band, it showed operatives apparently taking control of a Norwegian dam. The attackers remotely opened a floodgate and released 500l of water a second for four hours until the incident was detected and stopped.

At the time Beate Gangas, the head of Norway’s security police force, linked the dam attack to the Russian state. It was the first time since 2022 that officials have publicly suggested that pro-Russia hackers successfully targeted critical water infrastructure in Europe.

“Over the past year, we have seen a change in activity from pro-Russian cyber actors,” she said. “Our Russian neighbour has become more dangerous.”

“The Norwegian hack was ridiculously simple,” the Z-Pentest leader told The Observer. “Our goal is to inflict maximum damage on European countries.”


But British authorities have been hamstrung in their ability to combat such foreign cyberthreats because of a new influx of homegrown hackers. Many are teenagers motivated more by bragging rights than by ideology.

Scattered Spider, a loose collective of such English-speaking hackers, has been named in connection with cyber-attacks this year on Marks & Spencer, the Co-op and Harrods – as well as the damaging hack on Transport for London (TfL) in 2024.

The group has also claimed involvement in August’s crippling attack on Jaguar Land Rover, which shut down global manufacturing at the luxury car maker. In July the National Crime Agency (NCA) arrested four suspected members, aged from 17 to 20. A 19-year-old from east London and an 18-year-old from the West Midlands have since been charged in connection with the TfL attack. “A generation of young people has grown up to this point of readiness,” Paul Foster, head of the NCA’s national cyber crime unit, has said. “They’ve lived their lives online. They had an accelerator period during the Covid lockdown. [They got] a crash course in online life.”

Dealing with these homegrown hackers has impeded the NCA’s ability to proactively target cyberthreats abroad. It marks a regression for the agency, which in 2024 successfully took down a huge ransomware group called LockBit.

That year the agency was able to say cybercrime had plateaued. This year the mood is bleaker. “I think it's reasonable to suggest that the threat will increase,” Foster said.

Figures bear this out. Last week, NCSC revealed it had dealt with 429 cyber-incidents in the past 12 months. Almost half were classified as “nationally significant”, a 129% rise on last year. The picture is similar outside the UK. In Europe, Russian cyber-operations against Nato states increased by 25% year on year, according to a Microsoft report. Vladimir Putin is using cyberwarfare as part of a wider hybrid campaign against Nato, including drone incursions, sabotage and cyber-attacks often carried out by third parties.

Last year the head of MI5, Ken McCallum, said “Russian state actors” were “turning to proxies for their dirty work, including private intelligence operatives and criminals from both the UK and third countries”.

In a follow-up speech last Thursday, McCallum said state threats from Russia, China and Iran were escalating, with MI5 seeing a 35% increase in the number of individuals it is investigating in the last year. “Anyone watching the news can see that Russia is committed to causing havoc and destruction,” he said. “Our partners across Europe are dealing with it every day, from cyber-attacks to sabotage.”

Security experts continue to believe that hackers working directly for countries like China and Russia pose a more serious threat than independent groups, even ones like Z-Pentest or Scattered Spider.

Chinese state-sponsored hackers from the Salt Typhoon group are thought to have penetrated UK critical national infrastructure as well as US telecoms networks. “I would assume China is trying to penetrate, or has already penetrated, systems important for our national security,” said Jamie MacColl, a senior research fellow at the Rusi thinktank.

Asked if he agreed with another security expert’s assessment of 2025 being a “golden age” for Chinese hacking, MacColl said: “Yes. It seems to have been golden for about 10 years now.”

MacColl said the UK has fallen behind the EU in terms of introducing regulations to safeguard cyber-security. “Other countries have pulled ahead,” he said. “We have very capable intelligence agencies, good law enforcement, and the NCSC puts out extremely good guidance. The problem is it’s voluntary and it’s not being followed.”

The attack on Jaguar Land Rover had shown “how vulnerable the economy and society is to cyber-attacks”, MacColl said. “We haven’t worked through the seriousness of what could happen in a wartime setting.”

Z-Pentest denies any links to the Kremlin, calling themselves a “community of patriots with various technical skills”. But the lines demarcating these groups are becoming increasingly blurred.

On 7 October Z-Pentest issued a statement unconnected to any hack. The group congratulated Putin on his birthday and wished him “inexhaustible energy and good health”.


Photograph by Kirill Kudryavtsev/AFP/Getty Images

