technique_id: T1491
category: MITRE ATT&CK
tactics: Impact
published: March 2026

T1491: Defacement

A government website displays a political message instead of its homepage. Ransomware replaces a login screen with a ransom demand. An internal portal shows a threatening message from an intruder claiming control of the network. Defacement is the modification of visual content — internally or externally — to deliver messaging, intimidate, claim credit for an intrusion, or undermine trust in compromised systems. In the current geopolitical landscape, defacement has become the signature technique of state-sponsored hacktivism. Cyble recorded a 51% increase in hacktivist sightings in 2025 (from 700,000 to 1.06 million), with pro-Russian and pro-Palestinian groups driving the majority of activity. Forescout analyzed 780 hacktivist attacks in 2024 across four major groups operating on opposing sides of the Russia-Ukraine and Israel-Palestine conflicts, finding that over 90% targeted websites through DDoS and defacement. Cambridge University researchers documented over 500 defacement attacks on Israeli websites in the single week following the October 7, 2023 Hamas attack. From Cadet Blizzard's defacement of Ukrainian government websites hours before Russia's 2022 invasion to Z-Pentest's defacement of industrial control system HMIs in 2025, T1491 sits at the intersection of cyber operations and information warfare.

Defacement is now a weapon of geopolitical conflict

Defacement is no longer limited to teenage hackers vandalizing websites for bragging rights. In 2024-2025, state-sponsored and state-aligned hacktivist groups have weaponized defacement as a component of hybrid warfare. The US government attributed the Cyber Army of Russia Reborn (CARR) to GRU Unit 74455. CISA's December 2025 advisory documented pro-Russian hacktivists conducting defacement attacks against US and global critical infrastructure, including the defacement of industrial control system HMIs. The Handala Group (Iran-aligned) conducts website defacement combined with ransomware and data theft against Israeli targets. These groups operate at the intersection of cyber operations and propaganda, using defacement to signal capability, demoralize adversaries, and generate media attention. T1491 has two sub-techniques: Internal Defacement (T1491.001) and External Defacement (T1491.002).

T1491 falls under the Impact tactic (TA0040) with an integrity impact type. Unlike techniques focused on stealth or persistence, defacement is inherently visible — its purpose is to be seen. The technique covers any modification of visual content available to users, whether those users are internal employees encountering modified login screens or server banners, or external visitors finding altered public-facing websites. The motivations behind defacement range from political messaging and propaganda to intimidation of victims, false-flag operations designed to mislead attribution, and psychological pressure to comply with ransom demands.

The technique spans Windows, Linux, macOS, ESXi, and IaaS platforms. External defacement typically targets web servers (exploiting vulnerabilities in CMS platforms, web applications, or misconfigurations), while internal defacement may involve modifying desktop wallpapers, login screens, file names, or internal web portals after gaining access through other techniques.

The Two Sub-Techniques

T1491.001 — Internal Defacement

Adversaries deface systems internal to an organization to intimidate or mislead users. This takes several forms. Ransomware lock screens and ransom notes replace desktop wallpapers, modify login messages, or create prominent text files (README.txt, HOW_TO_DECRYPT.txt) in every directory. These are functionally defacement — they modify the visual content of the system to deliver a message and pressure compliance. The WhisperGate wiper deployed by Cadet Blizzard (GRU Unit 29155) in January 2022 overwrote the Master Boot Record with a fake ransomware note, displaying a ransom message on boot that was designed to look like criminal ransomware but was actually a destructive wiper with no recovery mechanism. RansomHub has used custom lock screens that display both ransom demands and threats to publish stolen data. The Qilin ransomware group modified internal systems following spear-phishing of a managed service provider's ScreenConnect admin, affecting downstream customers. ShrinkLocker abuse of BitLocker functionality changes the system boot screen to display a contact email, effectively defacing the boot experience itself.

Internal defacement also includes modifications to server login banners (modifying /etc/motd on Linux or Windows login message GPOs), internal wiki or SharePoint pages, desktop wallpapers set via Group Policy, and file names changed to threatening messages. The psychological impact of internal defacement can be significant: employees who see threatening messages on their work systems experience the intrusion as personal, which can accelerate panic and pressure organizational leadership into rash decisions like paying ransoms.

T1491.002 — External Defacement

Adversaries deface externally-facing systems, typically websites, to deliver messaging to a public audience. External defacement is the most visible form of cyber attack and has been a staple of hacktivist operations for decades. The technique targets web servers through SQL injection, CMS vulnerabilities (WordPress, Joomla, Drupal plugin exploits), stolen administrative credentials, file upload vulnerabilities, or misconfigured web hosting environments. The attacker replaces the homepage (or other pages) with their own content, which typically includes political messages, propaganda, group branding, and hashtags for social media amplification.

External defacement serves multiple strategic purposes beyond simple vandalism. It signals capability — demonstrating that the attacker can access and modify the target's infrastructure. It generates media attention, particularly when government or critical infrastructure websites are targeted. It undermines public trust in the target organization's security posture. And it can serve as a precursor or distraction for more serious operations, including drive-by compromise attacks that redirect visitors to exploit kits or malware delivery infrastructure. MITRE ATT&CK specifically notes that external defacement can be used as setup for future attacks such as Drive-by Compromise.

Defacement in Geopolitical Conflicts

The Russia-Ukraine war and the Israel-Palestine conflict have transformed defacement from a nuisance technique into a weapon of hybrid warfare. The scale, coordination, and state sponsorship of modern defacement operations distinguish them from the opportunistic website vandalism of earlier decades.

Russia-Ukraine Conflict

Cadet Blizzard (GRU Unit 29155) defaced Ukrainian government websites in January 2022, weeks before Russia's ground invasion. The defacements were combined with the WhisperGate wiper deployment, creating a coordinated campaign of visible disruption (defacement) and covert destruction (data wiping). Microsoft identified Cadet Blizzard as a distinct GRU-affiliated group responsible for destructive attacks, espionage, hack-and-leak operations, and defacement. The group also operates the "Free Civilian" Telegram channel and dark web leak site for publishing stolen data.

Pro-Russian hacktivist groups have maintained sustained defacement campaigns throughout the conflict. NoName057(16), active since March 2022, coordinates DDoS and defacement attacks against NATO countries supporting Ukraine. The group uses the DDoSia tool to coordinate volunteer-driven attacks. Z-Pentest, established in September 2024 with members from CARR and NoName057(16), has gone beyond website defacement to deface industrial control system HMIs, changing system names to display pro-Russian messaging. CISA's December 2025 advisory confirmed that GRU Unit 74455 is "likely responsible for supporting the creation of CARR" and funded the tools used for its attacks. The #OpLithuania campaign in May 2025 saw seven pro-Russian groups attack Lithuanian financial networks and government sites after the Lithuanian foreign minister criticized Putin.

Israel-Palestine Conflict

Cambridge University researchers documented over 500 defacement attacks on Israeli websites in the week following the October 7, 2023 Hamas attack. More than 100 hacktivists participated, with the top 10 most active attackers responsible for nearly 80% of the defacements and a single hacktivist behind over 20% of all attacks. Over 300 defaced sites displayed messages supporting Palestine with hashtags including #opisrael, #freepalestine, and #savegaza. Unlike the Russia-Ukraine conflict, which saw attacks against both sides, the Israel-Palestine defacement campaign was overwhelmingly one-sided, with virtually no attacks identified against Palestinian websites.

The Handala Group, an Iranian hacktivist collective that emerged in December 2023, conducts website defacement combined with ransomware, data theft, and extortion against Israeli targets. The group exclusively targets Israeli organizations across transportation, healthcare, government, and technology sectors. During June 2025, the Iran-Israel escalation triggered coordinated attacks by over 35 pro-Iranian groups against Israeli infrastructure, demonstrating the speed at which hacktivist campaigns can scale in response to kinetic military events.

Expanding Theater

Defacement campaigns have expanded beyond the two primary conflicts. Pro-Russian and pro-Palestinian groups have formed alliances, with pro-Palestinian groups targeting Ukrainian allies and pro-Russian groups attacking Israel. India, Pakistan, Bangladesh, Thailand, Cambodia, the Philippines, and other nations have all been targeted by ideologically motivated defacement campaigns tied to regional tensions. Cyble documented India, Ukraine, and Israel as the most impacted countries by hacktivist activity in 2025. The 2024 Paris Olympics triggered defacement campaigns by at least eight hacktivist groups targeting event-related organizations. The arrest of Telegram CEO Pavel Durov in August 2024 sparked defacement and DDoS attacks against over 50 French organizations.

How Defacement Works

Web server exploitation. External defacement typically begins with exploiting a vulnerability in the target's web infrastructure. Common entry points include unpatched CMS platforms (WordPress, Joomla, Drupal), SQL injection in custom web applications, file upload vulnerabilities that allow overwriting web content, compromised administrative credentials (often reused or weak passwords), and misconfigured hosting environments that expose administrative interfaces. Once the attacker has write access to the web root directory, they replace index.html or the CMS homepage template with their own content. Sophisticated attackers may also modify database records to change content served by dynamic websites.

Hacktivist coordination. Modern hacktivist defacement campaigns are organized through Telegram channels where groups share target lists, coordinate timing for maximum impact, and publish proof-of-compromise screenshots. Tools like DDoSia (developed by NoName057(16)) allow volunteer participants to contribute bandwidth to attacks with minimal technical knowledge. Defacement attacks are often combined with DDoS to ensure the defaced content is visible while preventing the target from quickly restoring their website. Groups frequently claim credit through multiple channels simultaneously — Telegram announcements, posts on Zone-H (a defacement archive), and social media — to amplify the psychological and media impact.

Internal system modification. Internal defacement after compromise can involve overwriting the Master Boot Record (WhisperGate), modifying Group Policy Objects to change desktop wallpapers or login banners across the domain, dropping ransom notes in every accessible directory via scripted file creation, modifying internal web applications or intranet portals, and changing system hostnames or descriptions to display threatening messages. Ransomware operators have refined internal defacement into a deliberate pressure technique, with custom-designed lock screens that display countdown timers, threaten data publication, and provide contact channels.

ICS/OT defacement. An emerging trend documented by CISA in 2025 involves the defacement of industrial control system Human-Machine Interfaces (HMIs). Z-Pentest and affiliated groups have modified the display names and labels on HMI systems to show pro-Russian messaging, moving defacement from IT systems into operational technology environments. While these modifications may not directly affect physical processes, they demonstrate access to OT systems and create alarm about the potential for more destructive actions.

Why Defacement Matters

It signals deeper compromise. A defaced website or internal system demonstrates that the adversary has achieved write access to the target's infrastructure. In many cases, the defacement itself is the least dangerous aspect of the intrusion — the same access that enables defacement also enables data exfiltration, backdoor installation, and lateral movement. Cadet Blizzard's defacement of Ukrainian websites was accompanied by data wiping (WhisperGate), data exfiltration, and the establishment of persistent backdoors. Organizations that treat defacement as merely an aesthetic problem risk missing the deeper compromise.

It is a tool of information warfare. In geopolitical conflicts, defacement serves as a visible demonstration of cyber capability that can shape public perception, undermine confidence in government institutions, and demoralize adversaries. The timing of defacement relative to kinetic military operations (as seen with Cadet Blizzard's operations preceding Russia's invasion) suggests it is used as a component of coordinated hybrid warfare strategies.

It causes real business impact. While defacement is often dismissed as low-sophistication, the business impact can be substantial: reputational damage when customers encounter defaced websites, loss of revenue during outages, regulatory concerns about data integrity, incident response costs, and the indirect costs of lost trust. For government organizations, defacement of official websites can cause public confusion and undermine institutional credibility.

It is a precursor to more serious attacks. MITRE ATT&CK notes that external defacement can be used as setup for drive-by compromise, where the defaced page is replaced with content that delivers malware to visitors. Defacement may also serve as a distraction while the adversary conducts data exfiltration or deploys persistent access mechanisms elsewhere in the environment.

Real-World Case Studies

Cadet Blizzard / GRU Unit 29155 — Ukrainian Government Defacement and WhisperGate (January 2022)

In January 2022, Cadet Blizzard (GRU Unit 29155, also tracked as DEV-0586 and Ember Bear) conducted a coordinated campaign against Ukrainian government organizations that combined website defacement with the deployment of the WhisperGate wiper. The defacement campaign targeted Ukrainian government websites with messages designed to undermine public confidence. Simultaneously, WhisperGate was deployed to overwrite the Master Boot Record with a fake ransomware note, then destroy file system data. The ransom note was deliberately deceptive — it displayed a Bitcoin wallet and Tox messaging ID, mimicking criminal ransomware, but there was no recovery mechanism. The same ransom payload was used across all victims (unlike customized criminal ransomware), and the Bitcoin wallet showed only a small transfer. CISA, FBI, and NSA attributed the campaign to GRU Unit 29155 in a September 2024 advisory. These operations "prefaced multiple waves of attacks by Seashell Blizzard" that followed when Russia's ground invasion began a month later. Cadet Blizzard also operated the "Free Civilian" Telegram channel for hack-and-leak operations publishing stolen Ukrainian government data.

Post-October 7 Hacktivist Defacement Wave (2023)

Cambridge University's Cybercrime Centre documented the hacktivist response to the October 7, 2023 Hamas attack on Israel. Within hours, hacktivists began defacing Israeli websites. Over 500 defacement attacks were launched by more than 100 hacktivists in the first week. The attacks peaked two days after Israel's declaration of war and again on October 13. Over 300 Israeli sites displayed pro-Palestine messages. The attack pattern mirrored the hacktivist surge following Russia's 2022 invasion of Ukraine, but was overwhelmingly one-sided — with virtually no attacks on Palestinian websites. The researchers found that defacement activity was highly centralized: the top 10 attackers were responsible for nearly 80% of all attacks, and a single individual conducted over 20% of defacements. Targets were primarily businesses rather than high-profile government sites, though a subdomain of the Israeli Defense Forces was among those affected.

Z-Pentest / CARR — ICS HMI Defacement (2025)

CISA's December 2025 joint advisory documented Z-Pentest, a pro-Russian hacktivist group established in September 2024 with members from CARR and NoName057(16), conducting defacement of industrial control system HMIs. Z-Pentest shared videos showing the modification of HMI system names and labels to display NoName057(16) and CARR references. Unlike traditional website defacement, ICS HMI defacement demonstrates access to operational technology environments, creating alarm about the potential for physical process manipulation. CISA assessed that GRU Unit 74455 "is likely responsible for supporting the creation of CARR" and funded its tools. The advisory noted that Z-Pentest "largely avoids DDoS activities, claiming OT intrusions as attempts to garner more attention from the media," suggesting deliberate escalation of defacement targets for maximum psychological impact.

Sandworm / Olympics Defacement Campaigns (2018-2024)

Russia's GRU has a documented history of using defacement against the Olympic Games. During the 2018 Winter Olympics in Pyeongchang, Sandworm (GRU Unit 74455) conducted destructive cyber operations that included defacement elements, and the UK NCSC exposed Russian cyber attacks against both the Olympic and Paralympic Games. During the 2024 Paris Olympics, at least eight hacktivist groups targeted event-related organizations with DDoS and defacement attacks, accusing organizers of "Russophobia" and expressing anti-Western and anti-Israel sentiments.

Ransomware as Internal Defacement — RansomHub, Qilin, ShrinkLocker

Modern ransomware increasingly incorporates sophisticated internal defacement. RansomHub deploys custom lock screens with ransom demands and data publication threats. Qilin affiliates spear-phished a managed service provider's ScreenConnect admin, then modified internal systems of downstream customers. ShrinkLocker abuses Windows BitLocker to encrypt systems and modifies the boot screen to display a contact email, effectively defacing the entire boot experience. These operations demonstrate that internal defacement is not separate from ransomware — it is an integral component of the extortion model, designed to maximize psychological pressure on victims.

Detection Strategies

Key Monitoring Points

| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| File Integrity Monitoring | Web root file changes | Deploy file integrity monitoring (FIM) on all web-accessible directories. Alert on any modification to index.html, index.php, .htaccess, or CMS template files outside of authorized deployment windows. Hash-based monitoring catches unauthorized content changes even when file timestamps are manipulated |
| Application Logs | CMS/web application anomalies | Monitor CMS admin login logs for authentication from unusual IP addresses, brute-force attempts, and new admin account creation. Alert on file upload events that target web root directories or modify existing files |
| Network Traffic | SQL injection and exploit traffic | Deploy web application firewalls (WAF) with rules that detect SQL injection, file inclusion, and common CMS exploit payloads. Monitor for traffic patterns consistent with automated vulnerability scanning tools |
| External Monitoring | Website content changes | Use external website monitoring services that periodically screenshot and hash public-facing pages. Automated comparison against known-good baselines can detect defacement within minutes, even when internal monitoring is bypassed |
| Group Policy / Registry | Internal defacement indicators | Monitor for unauthorized changes to GPO settings that control desktop wallpapers, login banners, or startup scripts. Alert on modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext and /etc/motd |
| Threat Intelligence | Hacktivist campaign targeting | Monitor hacktivist Telegram channels and social media for campaign announcements, target lists, and proof-of-compromise posts that may indicate your organization is being targeted or has been defaced before internal detection triggers |

Splunk Detection Queries

Query 1: Web Root File Modification Detection

Detects unauthorized changes to critical web server files, the primary indicator of external defacement.

index=fim sourcetype=file_integrity
(file_path="*/www/*" OR file_path="*/html/*" OR file_path="*/htdocs/*"
  OR file_path="*/public_html/*")
(file_name IN ("index.html", "index.php", "index.asp", "default.html",
  ".htaccess", "web.config"))
action=modified
| where NOT user IN ("deploy_svc", "www-data", "apache")
| table _time host file_path file_name action user process_name
| sort -_time

Query 2: Mass File Creation (Ransom Note Distribution)

Detects rapid creation of identically-named files across multiple directories, a signature of ransomware internal defacement.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(TargetFilename="*README*" OR TargetFilename="*DECRYPT*"
  OR TargetFilename="*RECOVER*" OR TargetFilename="*ransom*"
  OR TargetFilename="*.hta")
| bin _time span=5m
| stats count dc(TargetFilename) as unique_files
  values(TargetFilename) as files by _time host process_name
| where count > 20
| sort -count

Query 3: Login Banner / Wallpaper Policy Modification

Detects modifications to Windows login message settings, which adversaries use for internal defacement.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
(TargetObject="*legalnoticetext*" OR TargetObject="*legalnoticecaption*"
  OR TargetObject="*Wallpaper*" OR TargetObject="*LockScreenImage*")
| table _time host user TargetObject Details process_name
| sort -_time

Known Threat Actors

State-Sponsored / State-Aligned Groups

| Actor | Attribution | T1491 Usage |
|---|---|---|
| Cadet Blizzard (Unit 29155) | Russia (GRU) | Ukrainian government website defacement (January 2022) + WhisperGate wiper; "Free Civilian" hack-and-leak Telegram channel |
| Sandworm (Unit 74455) | Russia (GRU) | Olympics-related defacement campaigns; supported creation and funding of CARR hacktivist group |
| CARR (Cyber Army of Russia Reborn) | Russia (GRU-supported) | Defacement of US and global critical infrastructure including OT/ICS HMIs; DDoS and defacement against NATO countries |
| NoName057(16) | Russia-aligned | Sustained DDoS and defacement campaigns against Ukraine and NATO allies since March 2022; DDoSia coordination tool |
| Z-Pentest | Russia-aligned (CARR/NoName members) | ICS HMI defacement (2025); OT intrusion operations against global critical infrastructure |
| Handala Group | Iran-aligned | Website defacement + ransomware + data theft against Israeli targets across transportation, healthcare, government, and tech sectors (December 2023-present) |
| Indian Cyber Force | India-aligned | Defacement and data theft campaigns against countries perceived as hostile to Indian interests |

Ransomware Groups Using Internal Defacement

| Group | T1491.001 Usage |
|---|---|
| WhisperGate (Cadet Blizzard) | Fake ransomware MBR overwrite displaying ransom note; actually a destructive wiper |
| RansomHub | Custom lock screens with ransom demands and data publication threats |
| Qilin | MSP compromise with downstream internal system modifications |
| ShrinkLocker | BitLocker abuse modifying boot screen to display attacker contact email |
| Black Basta | Custom desktop wallpaper and ransom note deployment across compromised environments |

Defensive Recommendations

1. Deploy file integrity monitoring on all web-accessible content

File integrity monitoring (FIM) is the most direct defense against external defacement. Monitor all files in web root directories, CMS template directories, and configuration files. Alerts should trigger on any modification outside of authorized deployment windows. Use hash-based comparison rather than timestamp-based monitoring, as attackers can manipulate file modification times. Ensure FIM covers not just HTML files but also .htaccess, web.config, and CMS database entries that control rendered content.
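An added example (not from the original article or from any FIM product) of the hash-based comparison recommended above: it baselines a web root with SHA-256, then shows a content change whose modification time was put back being caught by the hash comparison and missed by a timestamp check. The directory layout, file contents and function names are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names from the article's monitoring list; extend per site (assumption).
WATCHED_NAMES = {"index.html", "index.php", ".htaccess", "web.config"}


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root):
    """Map relative path -> (sha256, mtime_ns) for each regular file under web_root."""
    root = Path(web_root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (sha256_file(path), path.stat().st_mtime_ns)
    return baseline


def compare(baseline, current):
    """Hash-based diff: list of (kind, relative_path, is_watched_name) tuples."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "deleted"
        elif rel not in baseline:
            kind = "created"
        elif baseline[rel][0] != current[rel][0]:
            kind = "modified"
        else:
            continue
        findings.append((kind, rel, Path(rel).name in WATCHED_NAMES))
    return findings


def mtime_only_changes(baseline, current):
    """What a timestamp-only monitor would report, for contrast."""
    shared = sorted(set(baseline) & set(current))
    return [rel for rel in shared if baseline[rel][1] != current[rel][1]]


def demo():
    """Constructed web root: index.html is overwritten and its mtime restored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css" / "site.css").write_text("body{}")
        baseline = build_baseline(root)

        index = root / "index.html"
        before = index.stat()
        index.write_text("<h1>Altered</h1>")                 # content replaced
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))  # mtime put back
        (root / "note.html").write_text("new page")          # unexpected new file

        current = build_baseline(root)
        return compare(baseline, current), mtime_only_changes(baseline, current)


if __name__ == "__main__":
    hash_findings, mtime_findings = demo()
    print("hash-based findings:", hash_findings)
    print("timestamp-only findings:", mtime_findings)
```

In production the baseline would be stored off the web server, since anyone with write access to the web root could otherwise rewrite it along with the content.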

2. Harden web applications and CMS platforms

Patch CMS platforms (WordPress, Joomla, Drupal) and all plugins/themes promptly. Disable unused plugins and themes. Enforce strong, unique passwords on all administrative accounts with MFA enabled. Restrict administrative interfaces to specific IP addresses or VPN connections. Deploy a web application firewall (WAF) that detects and blocks SQL injection, file inclusion, and common exploit payloads. Disable file upload functionality unless explicitly required, and validate all uploaded files against an allowlist of expected types.

3. Implement external website monitoring

Use external monitoring services that periodically access your public-facing websites and compare the rendered content against known-good baselines. This provides detection of defacement that bypasses internal monitoring (for example, if the attacker also disables internal FIM or modifies the monitoring agent). External monitoring can detect defacement within minutes and trigger incident response before significant reputational damage occurs.
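An added example (not the article's code or any monitoring service's API) of comparing a fetched page against a known-good baseline without alerting on per-request noise such as CSRF tokens and timestamps: it compares the title, the similarity of the visible text, and the set of external script hosts, the last being relevant to the drive-by setup the article mentions. The sample pages, hostnames and the 0.8 similarity threshold are constructed assumptions, and fetching the HTML is left to the caller.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageFeatures(HTMLParser):
    """Collect the title, visible words and external script hosts of a page."""

    SKIP = {"script", "style", "noscript"}  # content not rendered as page text

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.title_parts, self.words, self.script_hosts = [], [], set()
        self._skip_depth = 0
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # Relative src values have no netloc and count as same-origin.
            host = urlparse(dict(attrs).get("src") or "").netloc.lower()
            if host:
                self.script_hosts.add(host)
        if tag in self.SKIP:
            self._skip_depth += 1
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._skip_depth:
            return
        if self._in_title:
            self.title_parts.append(data)
        else:
            self.words.extend(data.split())


def fingerprint(html):
    """Reduce a page to the features compared between baseline and fetch."""
    parser = PageFeatures()
    parser.feed(html)
    parser.close()
    return {
        "title": " ".join("".join(parser.title_parts).split()),
        "words": parser.words,
        "script_hosts": parser.script_hosts,
    }


def compare(baseline, current, min_similarity=0.8):
    """Return findings; an empty list means the page still matches the baseline."""
    findings = []
    if current["title"] != baseline["title"]:
        findings.append("title_changed")
    matcher = difflib.SequenceMatcher(
        None, baseline["words"], current["words"], autojunk=False)
    if matcher.ratio() < min_similarity:
        findings.append("content_changed")
    for host in sorted(current["script_hosts"] - baseline["script_hosts"]):
        findings.append("new_script_host:" + host)
    return findings


# Constructed sample pages (not real sites).
BASELINE_HTML = """<html><head><title>City Water Utility</title>
<script src="https://static.example.org/app.js"></script></head>
<body><h1>City Water Utility</h1>
<form><input type="hidden" name="csrf" value="a1b2c3"></form>
<p>Pay your bill, report a leak, or read service notices.</p>
<footer>Page generated 2026-03-01 12:00:03</footer></body></html>"""
# Same page on a later request: new CSRF token and footer timestamp only.
BENIGN_HTML = BASELINE_HTML.replace("a1b2c3", "z9y8x7").replace("12:00:03", "12:07:41")
# Homepage replaced wholesale.
DEFACED_HTML = """<html><head><title>Taken over</title></head>
<body><h1>This site is under new control</h1></body></html>"""
# Visible content untouched, one script from an unknown host added.
INJECTED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://tracker.example.net/t.js"></script></head>')

if __name__ == "__main__":
    base = fingerprint(BASELINE_HTML)
    for name, page in [("benign", BENIGN_HTML), ("defaced", DEFACED_HTML),
                       ("injected", INJECTED_HTML)]:
        print(name, compare(base, fingerprint(page)))
```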

4. Monitor hacktivist Telegram channels and threat intelligence feeds

Hacktivist groups announce campaigns, share target lists, and publish proof of compromise on Telegram before, during, and after operations. Threat intelligence monitoring of relevant channels provides early warning of campaigns targeting your organization or industry. This is particularly important during periods of geopolitical tension, when hacktivist activity spikes in response to military operations, diplomatic actions, or high-profile events.

5. Maintain offline backups of website content and configurations

Rapid recovery from defacement requires clean, verified backups of all website content, configurations, and databases. Store backups offline or in immutable storage that cannot be modified by an attacker who has compromised the web server. Test restoration procedures regularly to ensure recovery can be completed in minutes rather than hours. Version-controlled deployments (Git-based workflows) provide built-in rollback capabilities.

6. Segment web infrastructure from internal networks

Web servers should be isolated in DMZ segments with strict firewall rules preventing lateral movement to internal networks. If an attacker compromises a web server to conduct defacement, network segmentation prevents them from pivoting to internal systems, databases, or other sensitive infrastructure. This limits the impact of defacement to the aesthetic damage and prevents it from serving as an entry point for deeper compromise.

7. Prepare a defacement incident response playbook

Defacement incidents require rapid public communication alongside technical remediation. Prepare a playbook that includes immediate website takedown or restoration from backup, forensic preservation of the defaced content and access logs, root cause analysis to identify the initial access vector, public communication addressing the incident (particularly for government organizations), assessment of whether the defacement indicates deeper compromise requiring broader incident response, and review of threat intelligence to determine if the defacement is part of a larger campaign.

MITRE ATT&CK Mapping

| Field | Value |
|---|---|
| Technique ID | T1491 |
| Technique Name | Defacement |
| Tactics | Impact (TA0040) |
| Platforms | Windows, Linux, macOS, ESXi, IaaS |
| Impact Type | Integrity |
| Sub-Techniques | T1491.001 Internal Defacement, T1491.002 External Defacement |
| Data Sources | Application Log (Content), File (Creation, Modification), Network Traffic (Content) |
| Mitigations | Data Backup (M1053) |
| Version | 1.4 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1491 |

Sources and References

  • MITRE ATT&CK — T1491 Defacement: attack.mitre.org
  • CISA/FBI/NSA — Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure (December 2025): cisa.gov
  • CISA/FBI/NSA — Russian Military Cyber Actors Target US and Global Critical Infrastructure (September 2024): cisa.gov
  • Microsoft — Cadet Blizzard Emerges as Novel and Distinct Russian Threat Actor (June 2023): microsoft.com
  • Forescout — The Rise of State-Sponsored Hacktivism (April 2025): forescout.com
  • Cyble — Hacktivists Escalate Critical Infrastructure Attacks in 2025 (January 2026): cyble.com
  • Cambridge University — Hacktivist Attacks Against Israeli Websites Mirror Ukraine Pattern: computerweekly.com
  • Trend Micro — Rising From the Underground: Hacktivism in 2024: trendmicro.com
  • Cognyte LUMINAR — The Influence of Regional Conflicts on the Hacktivist Landscape: cognyte.com
  • Cybernews — Hacktivist Armies Fueling the Cyber Front of Russia-Ukraine War (July 2025): cybernews.com