Cyberwarriors, Hacktivists and the Future of Conflict

A person wearing an Anonymous mask and one wearing a bear mask in a cyberwarfare scene.
05/06/2025

Cyberwarriors, hackers and collectives: this is today’s new world. In a hyper-connected age, war fronts are also opening on the net, where groups of people, whether under the control of entities or nations or united by a shared vision, join forces and take action to support a cause. These groups share the goal of coordinating attacks on systems, taking down or defacing institutional sites, uncovering the shady dealings of companies and countries, and stealing sensitive e-mails.

These actions, which very often go unnoticed compared with the far more closely watched military operations, have different purposes depending on who is behind them. Some groups are directly linked to countries and are tasked with destabilising other states and spreading fake news, leading citizens to believe fabricated stories. Others are hacker collectives detached from any state, formed either around a vision shared by their activists or to support a cause.

Hacktivists and APT: The Two Faces of Cyberwar

Understanding the difference between a hacktivist and an APT is crucial to grasping the nuances of the cyber landscape. On the one hand, we have the hacktivist: an ‘activist hacker’ who, motivated by political or social convictions, uses cyber skills to protest, expose information or promote a cause. Think of Anonymous, which, through actions such as DDoS attacks or the publication of sensitive data, seeks to draw attention to perceived injustices or to support movements.

On the other hand, we find APTs (Advanced Persistent Threats): these are not mere ‘threats’, but real, highly sophisticated, targeted and long-term attack campaigns, often conducted by state actors or well-funded criminal groups. The goal of an APT is not hype, but industrial espionage, the theft of state secrets or the destabilisation of critical infrastructures, maintaining hidden and persistent access to systems for months or years, as in the case of CozyBear. While hacktivists try to make noise for an ideal, APTs operate in the shadows with far-reaching strategic goals.

Anonymous: an example of a collective

An example of a collective that comes together around shared values or causes is Anonymous, founded in the early 2000s, which, driven by its ideas, has fought numerous companies, states and even other collectives. Its best-known battles include its support for WikiLeaks in 2010: when the major international payment circuit companies blocked donations to it, Anonymous responded by hitting the sites of major companies with DDoS attacks (the generation of such a large wave of data on a site that it becomes inaccessible). Another is the set of operations against ISIS, which in 2015 used social networks to recruit and to spread messages encouraging people to commit terrorist attacks. In that case Anonymous supported the authorities by flagging the terrorist group's social accounts and carried out various cyber attacks targeting ISIS both on the Clear Web (what we all see when we access the internet through our devices) and on the Dark Web (the part of the internet accessible only through certain programmes or special web windows). Last but not least, every hacker group connected to Anonymous has been involved in a variety of operations aimed at exposing the propaganda of the Putin regime, purloining lists of companies that are secretly under the control of oligarchs or people close to the Kremlin, and tracing war material hidden under false names. They are also among those responsible for putting out of business Killnet, a hacker group directly linked to Moscow, forcing its members to fragment into other collectives.



Groups related to foreign countries: NoName057 and CozyBear

Then we have the groups directly linked to foreign states, such as NoName057 and CozyBear (also called APT29). NoName057 was probably created after the fall of Killnet, since it first appeared in 2022, after Anonymous’ announcement of their defeat, whereas CozyBear is believed to be closely linked to the SVR (Foreign Intelligence Service) and was born in connection with the second South Ossetian war.

Functions and objectives of NoName057 and CozyBear

Although both groups are considered pro-Russian, they have different functions: CozyBear focuses on cyber espionage, while NoName057 focuses on DDoS attacks. Their targets are also very different: the former tends to target governments, high-tech companies and NGOs, while the latter targets critical infrastructures and government agencies. An example of an attack carried out by CozyBear was the one in 2023 on Microsoft systems, which stole sensitive data and compromised the corporate network, as well as generating a major breach in their systems. NoName057, on the other hand, can boast of having carried out numerous DDoS attacks and defacements (replacing the screen of a government site with messages claiming the reason for such attacks and rendering the site unusable) both in Italy and abroad. One example is the attacks that took place between 17 and 19 February 2025 on the sites of financial groups such as Mediobanca and Nexi, arms companies such as Benelli and Fiocchi, and the Danieli company, which specialises in steel plants, all to ‘punish’ Italy for Mattarella’s words comparing Putin’s Russia to the Third Reich.