CISA, FBI, NSA and 23 international partner organizations published on December 9, 2025 a joint advisory detailing the activities of pro-Russia hacktivist groups targeting industrial control systems and critical infrastructure in the United States and globally. This publication follows Operation Eastwood conducted by the European Cybercrime Centre and the joint fact sheet of May 6, 2025 on cyber threats targeting operational technologies.
Threat Profile and Sophistication Level
The authoring organizations assess that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks compared to traditional APT groups. These actors exploit poorly secured VNC connections exposed on the Internet to infiltrate OT control devices within critical infrastructure systems. The identified groups are Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), Sector16 and affiliated entities.
Targeted sectors primarily include Water and Wastewater Systems, Food and Agriculture, and Energy. Despite their limited technical capabilities, these groups have demonstrated their willingness to cause actual harm to vulnerable infrastructure.
Cyber Army of Russia Reborn: Origins and Evolution
The GRU Main Center for Special Technologies, military unit 74455, is likely responsible for supporting the creation of CARR in late February or early March 2022. Actors suspected to be from GRU unit 74455 likely funded the tools used by CARR to conduct DDoS attacks through at least September 2024.
In April 2022, the group began using a new Telegram channel named “CyberArmyofRussia_Reborn” to organize and plan their actions. The channel creators recruited actors to use CARR as an unattributable platform for conducting cyber activities beneath the level of APTs, aimed at deterring anti-Russia rhetoric. CARR presented themselves as a group of pro-Russia hacktivists supporting Russia’s stance on the Ukrainian conflict and quickly began claiming responsibility for DDoS attacks against the US and Europe.
In late 2023, CARR expanded their operations to industrial control systems, claiming an intrusion against a European wastewater treatment facility in October 2023. In November 2023, the group targeted HMI devices, claiming intrusions at two US dairy farms.
By late September 2024, CARR administrators became dissatisfied with the level of support and funding provided by the GRU. This dissatisfaction led CARR administrators and an administrator from NoName057(16) to create the Z-Pentest group, employing the same tactics, techniques and procedures as CARR but separate from GRU involvement.
NoName057(16) and Organizational Structure
The Center for the Study and Network Monitoring of the Youth Environment, established on behalf of the Kremlin, created NoName057(16) as a covert project within the organization. Senior executives and employees within CISM developed and customized the group’s proprietary DDoS tool DDoSia, paid for the network infrastructure, served as administrators on Telegram channels and selected DDoS targets.
Active since March 2022, NoName057(16) has conducted frequent DDoS attacks against government and private sector entities in NATO member states and other European countries perceived as hostile to Russian geopolitical interests. The group operates primarily through Telegram channels and used GitHub, along with various websites and repositories, to host DDoSia and share materials and TTPs with their followers.
In 2024, NoName057(16) began collaborating closely with other pro-Russia hacktivist groups, operating a joint chat with CARR by mid-2024. In July 2024, NoName057(16) jointly claimed with CARR an alleged intrusion against OT assets in the United States. The high degree of cooperation with CARR likely contributed to the formation of Z-Pentest in September 2024.
Z-Pentest and Sector16: New Specialized Entities
Established in September 2024, Z-Pentest is composed of members from CARR and NoName057(16). The group specializes in OT intrusion operations targeting globally dispersed critical infrastructure entities. The group also uses “hack and leak” operations and defacement attacks to draw attention to their pro-Russia messaging. Unlike other pro-Russia hacktivist groups, Z-Pentest largely avoids DDoS activities, claiming OT intrusions to attempt to garner more media attention.
Sector16 was formed in January 2025 as a novice pro-Russia hacktivist group that emerged through collaboration with Z-Pentest. The group actively maintains an online presence, including a public Telegram channel where they share videos, statements and claims of compromising US energy infrastructure. Sector16 members may have received indirect support from the Russian government in exchange for conducting specific cyber operations that further Russian strategic goals.
Technical Methodology and Attack Vectors
Pro-Russia hacktivist groups employ easily disseminated and replicated tactics, techniques and procedures across various entities, increasing the likelihood of widespread adoption and escalating the frequency of intrusions. These groups have limited capabilities and frequently misunderstand the processes they aim to disrupt. Their apparently low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact.
The groups target HMI devices connected via VNC. They are primarily seeking notoriety with their actions. While they have caused damage in some instances, they regularly make false or exaggerated claims about their attacks on critical infrastructure to garner more attention. They frequently misrepresent their capabilities and the impacts of their actions, portraying minor incursions as significant breaches.
Pro-Russia hacktivists use an opportunistic targeting methodology. They leverage superficial criteria, such as victim availability and existing vulnerabilities, rather than focusing on strategically significant entities. Their lack of strategic focus can lead to a broad array of targets, ranging from water treatment facilities to oil well systems.
Observed Attack Sequence
As recently as April 2025, threat actors used the following unsophisticated methods to access networks and conduct SCADA intrusions. The sequence begins by scanning for vulnerable devices on the Internet with open VNC ports. Actors initiate a temporary virtual private server to execute password brute force software, use VNC software to access hosts, confirm connection to the vulnerable device and brute force the password if required.
Actors gain access to HMI devices, typically with default, weak, or no passwords. They log the confirmed vulnerable device IP address, port and password. Using the HMI graphical interface, they capture screen recordings or intermittent screenshots while conducting various actions intending to affect productivity and cause additional costs.
Actions conducted include modifying usernames and passwords, modifying parameters and device names, modifying instrument settings, disabling alarms, creating loss of view necessitating local hands-on operator intervention, and device restart or shutdown. Actors then disconnect from the device, ending the VNC connection, and research the compromised device company after the intrusion.
Propagation of Tactics and Techniques
To reach a wider audience, pro-Russia hacktivist groups work together, amplify each other’s posts, create additional groups to amplify their own posts and likely share TTPs. Z-Pentest jointly claimed intrusion of a US system with Sector16. Sector16 later began posting additional intrusions for which the group claimed sole responsibility. It is likely that these and similar groups will continue to iterate and share these methods to disrupt critical infrastructure organizations.
Reconnaissance and Initial Access
The threat actors’ intrusion methodology is relatively unsophisticated, inexpensive to execute and easy to replicate. These pro-Russia hacktivist groups abuse popular internet-scanning tools, such as Nmap or OpenVAS, to search for visible VNC services and use brute force password spraying tools to access devices via known default or otherwise weak credentials. Threat actors typically search for these services on the default port 5900 or other nearby ports (5901-5910). Their goal is to gain remote access to HMI devices connected to live control networks.
Once threat actors obtain access, they manipulate available settings from the graphical user interface on the HMI devices, such as arbitrary physical parameter and setpoint changes, or conduct defacement activities. Because pro-Russia hacktivist groups seem to lack sector-specific expertise or cyber-physical engineering knowledge, they currently cannot reliably estimate the true impact of their actions.
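The observed attack sequence and the reconnaissance paragraph above describe one recognisable pattern: connections from outside the operator network to ports 5900-5910, a burst of failed VNC authentications, then a success. The following detection logic is an added example, not part of the advisory; it runs over constructed log lines in a hypothetical syslog-style VNC server format, and the host names, addresses and trusted-network list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VNC_PORTS = range(5900, 5911)      # default 5900 plus the nearby 5901-5910
FAIL_THRESHOLD = 5                  # failed logins from one source within WINDOW
WINDOW = timedelta(seconds=60)
# Networks operators legitimately connect from (an assumption for this example).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed sample lines, hypothetical log format; external addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
2025-04-12T03:14:01Z hmi-01 vnc: client 10.0.0.5:41022 port 5900 auth=ok
2025-04-12T03:20:10Z hmi-01 vnc: client 203.0.113.45:51001 port 5900 auth=failed
2025-04-12T03:20:11Z hmi-01 vnc: client 203.0.113.45:51002 port 5900 auth=failed
2025-04-12T03:20:12Z hmi-01 vnc: client 203.0.113.45:51003 port 5900 auth=failed
2025-04-12T03:20:13Z hmi-01 vnc: client 203.0.113.45:51004 port 5900 auth=failed
2025-04-12T03:20:14Z hmi-01 vnc: client 203.0.113.45:51005 port 5900 auth=failed
2025-04-12T03:20:16Z hmi-01 vnc: client 203.0.113.45:51006 port 5900 auth=ok
2025-04-12T03:31:00Z hmi-02 vnc: client 198.51.100.7:60110 port 5901 auth=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vnc: client (?P<src>[\d.]+):\d+ "
                     r"port (?P<port>\d+) auth=(?P<result>ok|failed)$")

def parse(log_text):
    """Yield (timestamp, host, source ip, port, result); other line shapes are skipped."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["host"], m["src"], int(m["port"]), m["result"]

def analyze(log_text):
    """Return (severity, host, source, message) findings for activity on VNC ports."""
    findings, recent_fails = [], defaultdict(list)   # source ip -> failure timestamps
    for ts, host, src, port, result in parse(log_text):
        if port not in VNC_PORTS:
            continue
        untrusted = not any(ip_address(src) in net for net in TRUSTED_NETS)
        if untrusted and result == "ok":
            findings.append(("HIGH", host, src, f"untrusted source logged in on port {port}"))
        if result == "failed":
            fails = recent_fails[src]
            fails.append(ts)
            fails[:] = [t for t in fails if ts - t <= WINDOW]   # keep only the window
            if len(fails) == FAIL_THRESHOLD:
                findings.append(("MEDIUM", host, src, "possible VNC password brute force"))
        elif recent_fails[src]:   # success right after failures: password likely guessed
            findings.append(("CRITICAL", host, src, "login succeeded after brute-force attempts"))
            recent_fails[src].clear()
    return findings
```

On the sample, the internal operator login produces no finding, while the external source is flagged first for the failure burst, then for the successful login that follows it.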
Observed Operational Impact
While pro-Russia hacktivist groups currently demonstrate limited ability to consistently cause significant impact, there is a risk that their continued attacks will result in further harm or grievous physical consequences. The attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety.
Victim organizations reported that the most common operational impact caused by these threat actors is a temporary loss of view, necessitating manual intervention to manage processes. Any modifications to programmatic and systematic procedures can result in damage or disruption, including substantial labor costs from hiring a programmable logic controller programmer to restore operations, costs associated with operational downtime and potential costs for network remediation.
MITRE ATT&CK Mapping
The advisory documents techniques used according to the MITRE ATT&CK for Enterprise framework, version 18. Observed tactics cover reconnaissance with gathering victim organization information and active vulnerability scanning, resource development via virtual private server acquisition, initial access through internet accessible devices, persistence through valid accounts, credential access through password spraying, lateral movement via default credentials and VNC remote services, execution through graphical user interface, inhibit response function including device restart and alarm suppression, impair process control through parameter modification and unauthorized command messages, and impact through loss of productivity, loss of view and manipulation of control.
Incident Response Considerations
If organizations discover exposed systems with weak or default passwords, they should assume threat actors compromised the system. Appropriate incident response protocols include determining which hosts were compromised and isolating them by quarantining or taking them offline, initiating threat hunting activities to scope the intrusion, collecting and reviewing artifacts such as running processes/services, unusual authentications and recent network connections, reimaging compromised hosts, provisioning new account credentials and reporting the compromise to CISA, FBI and/or NSA.
The joint advisory published on December 9, 2025 represents an unprecedented coordinated effort between 25 government and intelligence cybersecurity organizations worldwide. This collaboration reflects the international recognition of the persistent threat posed by pro-Russia hacktivist actors against critical infrastructure, particularly in the context of the ongoing Russia-Ukraine conflict and its repercussions on the security of industrial control systems globally.
Source:
CISA Agency: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a