CISA: Pro-Russia Hacktivists Target US Critical Infrastructure - Dark Reading
Feds: Pro-Russia Hacktivists Target US Critical Infrastructure
So far the attacks, which compromise virtual network computing (VNC) connections in OT systems, have not been particularly destructive, but this could change as they evolve.
Elizabeth Montalbano, Contributing Writer
December 10, 2025
6 Min Read
The US government is warning that unsophisticated pro-Russia hacktivists are targeting US critical infrastructure to gain access to operational technology (OT) control devices. These so-called "opportunistic" attacks so far have had limited impact, but could pose a more dire threat in the future.
In conjunction with the warning, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and various international authorities have identified four specific groups — Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 — as well as their affiliates, which in the past several weeks have attacked minimally secured, Internet-facing virtual network computing (VNC) connections in OT systems, according to an advisory posted Tuesday. The groups are compromising these networks in attacks that primarily target the water and wastewater, food and agriculture, and energy sectors.
Unlike advanced persistent threats (APTs), these fringe groups, on the surface, appear to lack direct governmental ties, though they share the same support of the Russian agenda and similar targeting of Ukrainian and allied infrastructure, according to the advisory. "However, among the increasing number of groups, some appear to have associations with the Russian state through direct or indirect support," according to CISA.
CARR previously took credit for disrupting water supplies at US, Polish, and French facilities, which Mandiant revealed in 2024.
"[The advisory] confirms our earlier assessment of ties between hacktivist front Cyber Army of Russia Reborn (CARR) and Russia's military intelligence service, the GRU," said John Hultquist, chief analyst at Google Threat Intelligence Group, in a media statement. "CARR carried out cyberattacks on US and European critical infrastructure but hid behind this false persona."
He added, "The GRU is increasingly leaning into willing accomplices to hide their own hand in destabilizing physical and cyberattacks in Europe and the US. It’s important that we never take an adversary’s word for it when they tell us who they are. They frequently lie."
In conjunction with the advisory, the Department of Justice also announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her actions supporting CARR and NoName057(16). Dubranova was extradited to the United States earlier this year.
How the Russian Hacktivist Attacks Work
The attacks tend to all follow the same playbook: first, attackers scan for Internet-facing vulnerable devices with open VNC ports, then they use a temporary virtual private server (VPS) to execute password brute-forcing software.
Attackers then use VNC software to access hosts, confirm connections to the vulnerable device, brute-force the password, if required, and gain access to human-machine interface (HMI) devices, typically ones with default or weak passwords, or no passwords at all.
Following this, threat actors log onto the vulnerable device using its IP address, port, and password; use the HMI graphical interface to capture screen recordings or intermittent screenshots; and modify various parameters, including usernames/passwords, device names, and instrument settings. They also disable alarms and create loss of view, which mandates local, hands-on operator intervention; additionally, they can shut down or restart devices. After causing disruption, attackers disconnect from the device, which ends the VNC connection, and proceed to research the target's other networks after the intrusion.
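The playbook above (scan for exposed VNC, brute-force the password from a throwaway VPS, log in, act, disconnect) leaves a recognisable trace in VNC server authentication logs: a burst of failed logins from one external address against one host, followed by a success from that same address. The detector below is an added example written for this page; it is not code from the article, from CISA, or from any VNC project. The log line format, the sample lines, the trusted engineering range (10.20.0.0/16) and the thresholds are all constructed assumptions, so adapt `LOG_RE` to whatever your VNC server or perimeter firewall actually emits.

```python
"""Detect the brute-force-then-login VNC pattern in authentication logs.

Added example for this page (not code from the article, CISA, or any VNC
project). Log format, sample lines, trusted ranges and thresholds are
constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp> vnc <event> src=<ip> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vnc (?P<event>auth_failed|auth_ok|disconnect) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)

FAIL_THRESHOLD = 5   # failures from one source against one host ...
WINDOW_SECONDS = 60  # ... within this many seconds => brute-force alert
# Assumed engineering/OT ranges from which VNC logins are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log: a burst of failures from a public address followed by
# a successful login and a disconnect; two stray failures against a second HMI
# from an internal workstation; and one success from an unknown external source.
SAMPLE_LOG = """\
2025-12-02T03:14:00Z vnc auth_failed src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:14:05Z vnc auth_failed src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:14:10Z vnc auth_failed src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:14:15Z vnc auth_failed src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:14:20Z vnc auth_failed src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:14:25Z vnc auth_failed src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:14:40Z vnc auth_ok src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T03:22:10Z vnc disconnect src=203.0.113.45 dst=10.20.0.7:5900
2025-12-02T04:01:00Z vnc auth_failed src=10.20.5.12 dst=10.20.0.9:5901
2025-12-02T04:01:30Z vnc auth_failed src=10.20.5.12 dst=10.20.0.9:5901
2025-12-02T04:02:00Z vnc auth_ok src=10.20.5.12 dst=10.20.0.9:5901
2025-12-02T05:30:00Z vnc auth_ok src=198.51.100.9 dst=10.20.0.7:5900
this line is not a vnc record and is skipped
"""


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "src": m["src"],
            "dst": m["dst"], "port": int(m["port"])}


def is_trusted(ip):
    """True if the source address lies in an assumed engineering range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(log_text):
    """Scan log lines in order and return a list of alert dicts."""
    alerts = []
    recent_failures = defaultdict(deque)  # (src, dst) -> failure timestamps in window
    bruteforced = set()                   # (src, dst) pairs already alerted on

    def alert(severity, kind, rec, detail):
        alerts.append({"severity": severity, "type": kind, "src": rec["src"],
                       "dst": rec["dst"], "ts": rec["ts"].isoformat(), "detail": detail})

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["event"] == "auth_failed":
            window = recent_failures[key]
            window.append(rec["ts"])
            # Drop failures that have fallen out of the sliding window.
            while (rec["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in bruteforced:
                bruteforced.add(key)
                alert("high", "vnc_bruteforce", rec,
                      f"{len(window)} failed logins within {WINDOW_SECONDS}s")
        elif rec["event"] == "auth_ok":
            if key in bruteforced:
                alert("critical", "vnc_login_after_bruteforce", rec,
                      "successful login from a source that was brute-forcing this host")
            elif not is_trusted(rec["src"]):
                alert("medium", "vnc_login_untrusted_source", rec,
                      "successful login from outside the trusted engineering ranges")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['type']} {a['src']} -> {a['dst']}: {a['detail']}")
```

Run against the constructed sample, `detect()` raises one high alert when the fifth failure lands inside the 60-second window, a critical alert when the same source then authenticates, and a medium alert for the later login from an address outside the engineering range; the two internal failures stay below threshold and produce nothing. The critical alert is the one to page on: it is the moment the playbook moves from password guessing to an operator session on the HMI, and a disconnect shortly afterwards fits the "act, then disconnect" step the advisory describes.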
So far the attacks have had "varying degrees of impact, including physical damage," according to the advisory. "Attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety," according to CISA.
The incidents also can result in labor costs incurred from the need to hire an expert and/or technology to help restore operations, as well as costs associated with operational downtime or network remediation.
Who Are the Critical Infrastructure Attackers?
Though the groups are separate entities, they work together to reach a wider audience with online public support and by sharing tactics, techniques, and procedures (TTPs). "It is likely that these and similar groups will continue to iterate and share these methods to disrupt critical infrastructure organizations," according to CISA.
Individually, however, the groups maintain distinct identities. CARR owes its creation to the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455, and also is known as "The People’s Cyber Army of Russia." It's been active since at least late February or early March of 2022, formed around the same time that Russia invaded Ukraine.
Indeed, this group supports Russia’s stance on the Ukrainian conflict and has claimed responsibility for distributed denial of service (DDoS) attacks against the US and Europe for supporting Ukraine. In late 2023, the group expanded operations to target industrial control systems (ICS), claiming attacks against a European wastewater treatment facility in October 2023 and intrusions at two US dairy farms the following month.
Administrators from CARR and an administrator from NoName057(16), unhappy with the level of support and funding from the GRU, in late September spun off from the original group to form the Z-Pentest group, which uses the same TTPs as CARR but without involvement from the GRU. This group "specializes in OT intrusion operations targeting globally dispersed critical infrastructure entities," according to CISA.
Z-Pentest diverges from other pro-Russia hacktivist groups by avoiding DDoS activities, and instead employs hack-and-leak operations and defacement attacks to gain further attention for their pro-Russia messaging, according to the advisory.
NoName057(16), active since March 2022, is a covert operation for the Center for the Study and Network Monitoring of the Youth Environment (CISM), which itself was established on behalf of the Kremlin. The group uses a proprietary DDoS tool, "DDoSia," that was paid for by senior executives and employees within CISM. These executives also funded the group's network infrastructure, served as administrators on NoName057(16) Telegram channels, and selected DDoS targets.
The newest of the groups is Sector16, which formed in January 2025 in collaboration with Z-Pentest. The group, which may have received indirect support from the Russian government for conducting strategic cyber operations, maintains a public Telegram channel where it shares videos, statements, and claims of compromising US energy infrastructure. These communications are in line with pro-Russia narratives, according to CISA.
Mitigation of Hacktivist Attacks on OT
In recent years there have been numerous attacks on US critical infrastructure, and it's clear that US political adversaries are constantly looking for ways to disrupt various critical sectors through cyberattacks. These incidents not only can have significant business impact but also potentially devastating physical consequences on people's lives. In the meantime, this sector faces significant security challenges that warrant immediate attention to keep systems safe from intrusion.
The CISA advisory includes various mitigations for OT asset owners and operators to help them avoid potentially disruptive or even destructive attacks. They include reducing the exposure of OT assets to the public-facing Internet; adopting mature asset-management processes; and ensuring OT assets use robust authentication procedures.
Critical infrastructure providers also should enable control system security features that can separate and audit view and control functions to remove the potential for impact from an attack, as well as have comprehensive business-recovery and disaster-recovery plans in place should an attack occur, according to CISA.
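The mitigations above only bite if an operator can tell which VNC listeners are Internet-reachable, which ones still carry a default or empty password, and which ones grant control rather than view-only access. The audit script below is an added example for this page, not code from the article, CISA, or any vendor; it takes a remote-access inventory and emits prioritised findings mapped to those three mitigations. The inventory, its column names, the site-internal address ranges (10.20.0.0/16 and 172.16.0.0/12) and the weak-password list are constructed assumptions.

```python
"""Audit an OT remote-access inventory against the mitigations summarised
above: cut Internet exposure, keep an asset inventory, require robust
authentication, and separate view from control access.

Added example for this page (not code from the article, CISA or any vendor).
The inventory, its columns, the internal ranges and the weak-password list
are constructed assumptions.
"""
import csv
import io
import ipaddress

# Assumed site-internal ranges; any other address is treated as Internet-reachable.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("172.16.0.0/12")]
VNC_PORTS = range(5900, 5910)
WEAK_PASSWORDS = {"", "admin", "password", "1234", "vnc", "hmi"}  # constructed list
MIN_PASSWORD_LEN = 12

# Constructed inventory: one row per remote-access listener on an OT asset.
INVENTORY_CSV = """\
asset,ip,port,service,auth_mode,password,role
pump-hmi-01,203.0.113.10,5900,vnc,password,admin,control
plc-eng-ws,10.20.0.7,5900,vnc,none,,control
scada-view,10.20.0.9,5901,vnc,password,correct-horse-battery-staple-9!,view
lift-station-hmi,198.51.100.22,5900,vnc,password,Wq7#vL2pZx!Tn4,control
historian,10.20.0.30,22,ssh,key,,view
"""


def is_exposed(ip):
    """True if the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def auth_is_weak(row):
    """Weak means no authentication, a known default/empty password, or a short one."""
    if row["service"] != "vnc":
        return False
    if row["auth_mode"] == "none":
        return True
    pw = row["password"]
    return pw.lower() in WEAK_PASSWORDS or len(pw) < MIN_PASSWORD_LEN


def audit(csv_text):
    """Return findings as dicts, sorted most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []

    def add(severity, row, issue, fix):
        findings.append({"severity": severity, "asset": row["asset"],
                         "issue": issue, "fix": fix})

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["service"] != "vnc":
            continue  # this example audits VNC listeners only
        exposed = is_exposed(row["ip"]) and int(row["port"]) in VNC_PORTS
        weak = auth_is_weak(row)
        if exposed and weak:
            add("critical", row, "Internet-exposed VNC with weak or no authentication",
                "take the listener off the Internet now and replace the credential")
        elif exposed:
            add("high", row, "VNC listener reachable from the Internet",
                "block inbound VNC at the perimeter; allow access only via VPN or a jump host")
        elif weak:
            add("high", row, "weak or missing VNC password",
                "set a long unique password and enable any available MFA or source allow-list")
        if row["role"] == "control":
            add("medium", row, "control-capable VNC session",
                "use view-only mode unless control is required and log every control session")
    findings.sort(key=lambda f: rank[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f"[{f['severity']:8}] {f['asset']}: {f['issue']} -> {f['fix']}")
```

On the constructed inventory, `pump-hmi-01` (public address, password `admin`) is the one critical finding, `plc-eng-ws` (no authentication) and `lift-station-hmi` (exposed but with a decent password) come out high, and each control-capable listener gets a medium reminder to prefer view-only access and audit control sessions; `scada-view` and the SSH-only historian produce nothing. The weak-password rule is deliberately blunt (a short list plus a length floor) because the attacks described here succeed against defaults and empty passwords, not against subtle ones.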
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.