First it was tanks and drones, now it’s keyboards and code. The British military is facing a new kind of frontline, and this one’s being fought in cyberspace.
A shadowy coalition of pro-Russian and pro-Palestinian hackers, calling themselves the Holy League, has been launching weekly cyberattacks against UK military, intelligence, and infrastructure targets, according to alarming new reports.
Made up of around 90 hacktivist groups, the Holy League claims to be united by a shared mission: to disrupt the allies of Ukraine and Israel, including the United Kingdom. But this isn’t just loose online activism. Some members are reportedly linked to Russia’s GRU military intelligence and others have received training from Iran’s Islamic Revolutionary Guard Corps (IRGC), a level of coordination that’s ringing alarm bells across Whitehall.
The Times revealed that cyberattacks have recently hit the British Army, the Royal Navy, and even the Office for Nuclear Security. The group also claims to have targeted the website of MI6, Britain’s foreign intelligence service. In one chilling message posted to the group’s Telegram channel, a hacker known as “Mr Hamza”, believed to be operating out of Morocco, issued a stark warning:
“This is just a warning … and worse is yet to come.”
The attacks are typically DDoS (Distributed Denial of Service) in nature, simple but disruptive. They work by flooding websites with overwhelming traffic until they crash. While the damage is often temporary, these strikes can leave systems exposed to more sophisticated breaches.
The UK government is taking the threat seriously. According to GCHQ, the surge in state-aligned hacktivist activity is widening the gap between the UK’s current cyber defences and the evolving tactics of its adversaries.
The National Cyber Security Centre (NCSC), GCHQ’s cyber defence wing, highlighted the rising risk in its latest review. It specifically named Russia and Iran as key players behind politically motivated cyberattacks on critical national infrastructure. One of the most dangerous actors identified? The Cyber Army of Russia Reborn (Carr), a Holy League affiliate described as “an active threat to poorly defended systems.”
Carr is suspected of operating under the GRU’s elite cyberwarfare division, APT44 (also known as Sandworm). In fact, Google’s Threat Intelligence team recently traced Carr’s YouTube activity to IP addresses controlled by APT44.
In July last year, Carr made global headlines after two of its members, Yuliya Pankratova and Denis Degtyarenko, both Russian nationals, were sanctioned by the US for breaching water facility systems in the United States and Poland. Carr also claimed responsibility for a cyberattack on Britain’s M6 motorway in December, working alongside the pro-Russian group NoName057(16). Incidentally, the group’s founder is believed to be Pankratova’s husband.
At the centre of the Holy League operation is a figure calling himself Abu Omar, who told Russian state media that he coordinates from within a network spread across Russia, Belarus, North Africa, and the Middle East. He also claimed his faction, the Cyber Islamic Resistance, has been trained by the IRGC-aligned Badr Organisation in Iraq.
While the government has not commented on specific incidents, a spokesperson stated:
“The government is committed to using all of its levers to disrupt cyberthreats and to keep the public safe.”
But with this rise in hybrid warfare, where ideology, politics and tech collide, it’s clear the UK’s enemies are no longer just on distant shores. Some of the fiercest battles are now being waged in the digital shadows.
