1. Overview
UserSec Collective is a pro-Russian hacktivist entity active since mid-2022. The group promotes itself as a decentralised digital army operating in support of Russian national interests and frequently targets government, financial, and public sector websites across NATO-aligned nations. Like other politically aligned hacktivist groups, UserSec primarily uses denial-of-service attacks and defacement tactics, alongside an active propaganda presence on Telegram and fringe social media platforms.
Although lacking the technical sophistication of state-sponsored advanced persistent threats (APTs), UserSec is disruptive in nature and part of a broader ecosystem of Russian-aligned hacktivism. It often collaborates with other collectives such as NoName057(16), XakNet Team, and Anonymous Russia.
2. Origin and Evolution
UserSec emerged during the height of Russia’s full-scale invasion of Ukraine in 2022. Initially operating as a fringe online group sharing memes and nationalist content, it quickly evolved into a loosely coordinated collective conducting cyber attacks under the guise of patriotic defence.
The group organises campaigns through Telegram channels, where it publishes target lists, attack instructions, and ideological statements. UserSec has since declared opposition to NATO, the European Union, Western media, and companies perceived as hostile to Russian interests. While the group’s visibility and output vary, it resurfaces during periods of political tension, elections, and symbolic dates.
3. Tactics, Techniques, and Procedures (TTPs)
UserSec’s primary mode of attack is disruptive rather than covert. It relies on publicly available or self-developed tools to launch denial-of-service attacks and post defacements. TTPs include:
- Distributed Denial-of-Service (DDoS): High-volume HTTP, TCP, and UDP flood attacks using custom scripts and tools such as LOIC variants or user-submitted payloads (T1499).
- Web defacement: Exploitation of misconfigured or outdated web servers to post political statements, images, and propaganda content (T1491.001).
- Telegram coordination: Daily lists of targets, live updates on service disruption, and encouragement of follower participation in attacks using DDoS tools or botnets.
- Psychological operations: Propagation of fear and misinformation, often exaggerating the effectiveness or scale of its campaigns (T1585).
- Shared infrastructure: May reuse or share C2 infrastructure with other hacktivist collectives, and occasionally amplifies claims by groups like KillNet or NoName057(16).
4. Targeting Profile
UserSec targets institutions and services that symbolise opposition to Russian geopolitical interests. These typically include:
- Government websites and ministries in NATO-aligned countries
- Municipal and regional public services
- Military and defence-adjacent platforms
- Media organisations critical of Russian policy
- Financial institutions and election infrastructure
- Logistics, transport, and airport services
In the UK, targets have included government information portals, regional transport websites, and educational platforms. These attacks typically result in temporary disruptions rather than data breaches or long-term compromise.
5. Notable Campaigns and Victims
UserSec does not always operate independently, but it has claimed or contributed to several regional attacks, including:
- Disruption of municipal websites in Poland and the Czech Republic
- Participation in a multi-group DDoS campaign targeting UK Parliament and Scottish Government sites in 2023
- Defacement of a German university site with anti-NATO propaganda
- Amplification of fabricated leaks involving Baltic government documents
- Support for KillNet-led attacks against healthcare and logistics systems in Eastern Europe
Its activity peaks during symbolic events, such as Victory Day (9 May), NATO summits, and elections in Eastern Europe.
6. Technical Indicators
Due to the group’s reliance on basic tools and publicly coordinated attacks, technical indicators vary, but commonly include:
- DDoS traffic from residential proxies and VPN services
- Payloads executed via browser-based flood tools
- IP ranges associated with botnet-for-hire services
- CMS exploit attempts against outdated WordPress and Joomla installations
- Download links to denial-of-service tools shared via Telegram
Because most attacks are volumetric, defence depends on infrastructure resilience and proactive monitoring.
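As an added illustration that is not part of the original report, the following Python script applies two of the indicators above to web-server access logs: per-source request bursts characteristic of volumetric HTTP floods, and repeated requests to WordPress/Joomla-only paths on a site that does not serve them. The window size, thresholds, CMS path list, and the documentation-range addresses in the constructed sample are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client IP, timestamp, request line, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Paths that only exist on WordPress/Joomla installs; repeated requests here on a
# site that runs neither CMS are probing, not legitimate traffic (assumed list).
CMS_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin", "/wp-content/plugins/", "/administrator/")

def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec

def analyse(lines, window_s=10, flood_threshold=20, probe_threshold=3):
    """Return per-IP request bursts and CMS-path probing that exceed the thresholds."""
    buckets = defaultdict(int)   # (ip, window index) -> requests in that window
    probes = defaultdict(int)    # ip -> requests to CMS-only paths
    for line in lines:
        rec = parse(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        buckets[(rec["ip"], int(rec["ts"] // window_s))] += 1
        if rec["path"].startswith(CMS_PATHS):
            probes[rec["ip"]] += 1
    floods = {}
    for (ip, _), n in buckets.items():
        if n >= flood_threshold:
            floods[ip] = max(n, floods.get(ip, 0))   # keep the busiest window per IP
    return {"flood_sources": floods,
            "cms_probes": {ip: n for ip, n in probes.items() if n >= probe_threshold}}

# Constructed sample traffic using documentation-range addresses; not a real capture.
def sample_lines():
    fmt = '{ip} - - [09/May/2025:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 0 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.7", s=i % 5, m="GET", p="/", st=200, ua="Mozilla/5.0")
             for i in range(30)]                     # 30 hits within 5 s from one source
    lines += [fmt.format(ip="198.51.100.4", s=6 + i, m="GET", p=p, st=404, ua="python-requests/2.31")
              for i, p in enumerate(("/wp-login.php", "/xmlrpc.php", "/administrator/index.php"))]
    lines.append(fmt.format(ip="192.0.2.9", s=8, m="GET", p="/news", st=200, ua="Mozilla/5.0"))
    return lines
```

Run against real logs, the thresholds must be tuned to the site's normal per-client rate, and flagged sources from residential proxies or VPN ranges should feed rate-limiting rules rather than permanent blocklists.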
7. Defensive Measures and Recommendations
To mitigate threats from UserSec Collective and similar groups:
- Deploy cloud-based DDoS mitigation solutions such as Cloudflare, Akamai, or Fastly
- Monitor public channels for attack announcements that include your brand or infrastructure
- Patch web servers and CMS plugins to prevent defacements
- Implement web application firewalls and rate-limiting mechanisms
- Prepare incident communication protocols in case of website disruption or defacement
- Coordinate with national CERTs and sector-specific information sharing groups
Visibility into early-stage reconnaissance and proactive defence can reduce the likelihood and impact of opportunistic attacks.
8. Attribution and Alliances
UserSec is believed to operate from Russian-speaking regions, likely with informal coordination from Russian nationalist networks. There is no evidence of direct state sponsorship, but the group’s ideological alignment with the Kremlin suggests either passive tolerance or indirect support.
UserSec often cross-promotes content from KillNet, NoName057(16), Anonymous Russia, and other loosely affiliated collectives. Attribution is further complicated by the group’s decentralised structure and use of anonymous communications.
9. Conclusion
UserSec Collective represents a persistent and ideologically driven threat actor operating within the broader sphere of Russian-aligned hacktivism. While not technically advanced, its campaigns can disrupt public services, damage reputations, and contribute to information warfare objectives.
Organisations in the UK and other NATO-aligned states, particularly those operating public infrastructure or politically symbolic services, should take practical steps to defend against disruption and disinformation campaigns attributed to UserSec and similar threat actors.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025