NETSCOUT: Understanding Political Hacktivism & Cybercrime

As cyber threats grow more coordinated and politically charged, intelligence has become a frontline defence for organisations worldwide.
With a career spanning more than 15 years, Richard Hummel has focused on identifying and countering the digital risks shaping today’s global cybersecurity environment.
In his role as Director of Threat Intelligence at NETSCOUT, he heads the company’s ASERT team, examining distributed denial-of-service (DDoS) activity and tracking adversary tactics worldwide.
His background includes service as a signals intelligence analyst in the US Army, followed by senior positions at FireEye and iSIGHT Partners – where he developed extensive expertise in analysing how threat actors coordinate, adapt and capitalise on emerging technologies.
In this conversation, Richard discusses the growing alignment between hacktivist groups, the increasingly blurred boundary between ideology and financial motivation and the practical steps organisations can take to remain resilient against fast-evolving adversaries.
How does growing collaboration between distinct hacktivist groups amplify the danger to global organisations?
Cybercriminals are largely joining forces with like-minded groups to boost their efficacy and firepower.
NETSCOUT’s research clearly illustrates this in the case of the hacktivist group Keymous+, which publicly teamed up with fellow hacktivist group, DDoS54.
Their combined attacks became nearly four times more powerful than when they worked in isolation.
However, while hacktivists working in tandem do have an initial amplifying effect, it is largely opportunistic in nature.
Even still, for businesses, these informal partnerships mean threat levels can change overnight.
An organisation might prepare its defences to handle one specific attacker, but if that hacktivist suddenly calls in backup, the sheer size of the attack can easily overwhelm standard security measures.
It can turn a manageable nuisance into a critical emergency.
Is the line between political hacktivism and for-profit cybercrime becoming increasingly blurred?
Absolutely. In the past, we could usually tell if an attacker was a political activist trying to send a message or a criminal trying to make money. But hacktivist groups like Keymous+ confuse this distinction.
On the one hand, these groups act like mercenaries for hire, attacking a huge variety of unconnected targets – from banks and hotels to transport companies.
On the other hand, they focus heavily on specific countries in the Middle East and North Africa, which seems to suggest a political agenda.
This blurring is challenging for defenders because it makes it hard to predict who their next target will be.
A company might think, “We aren’t involved in politics, so we’re safe,” only to be hit by a mercenary group simply because their business is in a specific region or sector.
What strategic advantage does a hacktivist group like Keymous+ gain by synchronising its campaigns with the start of the business day?
Our analysis shows that these attacks aren't random – they are timed with human precision to inflict the most damage possible.
For instance, Keymous+ launches a third of its major attacks between 7am and 9am in its target countries.
This is the ‘digital rush hour’ – the exact moment government offices open, stock markets start trading and employees log in to work.
By attacking during this window, the group ensures maximum chaos because IT teams are already busy handling the morning surge of legitimate traffic.
It’s also a time when security teams might be changing shifts, creating a small window of vulnerability.
By striking when the victim is busiest, threat actors make it much harder for defenders to figure out what is real customer traffic and what is an attack.
This isn’t a new phenomenon, as we’ve seen many hacktivist groups attempt to launch attacks during normal business operations for their target.
In other situations, you’ll see that a hacktivist group might keep their own “working hours”, the typical 9 to 5, in their own time zone.
Does the use of widely available tools suggest that the barrier to entry for launching disruptive attacks is lower than ever?
Yes, and that is one of the most concerning findings.
Keymous+ proves that you don't need to be a computer genius or build your own complex systems to launch a massive attack. Instead, they made use of off-the-shelf tools and rented services that are widely available on the dark web.
From February to September 2025, Keymous+ executed 249 DDoS attacks across 15 countries, targeting 21 industries with conventional yet effective methods.
The group utilised everything from standard cloud servers to compromised smart home devices to flood their targets. We even found that modern attack platforms have simple dropdown menus that let users choose who to impersonate.
This means that powerful, disruptive capabilities are now accessible to almost anyone for a small fee.
It has turned cyberattacks into a commodity, allowing unskilled actors to cause professional-level damage.
Does the concentration of attacks in specific regions point to a political agenda or simply opportunistic targeting?
It appears to be a mix of both, which is what makes it so complex.
While the group has attacked targets all over the world – including in the US and Europe – the data shows they kept coming back to the same specific places: Morocco, Saudi Arabia, Sudan, India and France.
If they were purely opportunistic criminals, you would expect the attacks to be evenly spread out.
The fact that the group hammered these specific regions so frequently suggests there is a deeper reason, likely political or regional tension, driving the campaign. It implies that, while they have the tools to attack globally, their orders – or their personal motivations – are directing them to destabilise specific parts of the world.
What is the most effective high-level defence strategy for organisations facing such a versatile and adaptive adversary?
Because this adversary uses a varied approach – switching between different attack styles to find a weakness – companies cannot rely on a single lock on the front door.
The most effective strategy is a layered defence.
Firstly, organisations need comprehensive end-to-end network visibility that spots unusual traffic patterns instantly.
Secondly, they need edge protection that can automatically block known bad actors.
Finally, for the massive attacks that are too big for local networks to handle, organisations need high-throughput scrubbing that filters out the junk traffic before it ever reaches their network.
Since groups like Keymous+ change tactics constantly, relying on just one of these layers isn't enough – organisations need all three working together to stay safe.





