
Pro‑Russia Hacktivists Escalate Opportunistic Attacks on Critical Infrastructure

On December 9, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, NSA, DOE, EPA, and international partners, issued advisory AA25‑343A warning of opportunistic cyberattacks by pro‑Russia hacktivist groups targeting critical infrastructure worldwide. This advisory underscores the rising risk posed by multiple loosely affiliated hacktivists exploiting weakly defended Operational Technology (OT) environments, particularly those with exposed Virtual Network Computing (VNC) services.

Background and Emergence of Hacktivist Actors

Since the 2022 Russia‑Ukraine war escalation, the number of pro‑Russia hacktivist groups has surged, characterized by ideological support rather than direct state affiliation. The advisory identifies several prominent groups:

  • Cyber Army of Russia Reborn (CARR): Initially backed by GRU Unit 74455, CARR carried out DDoS attacks against U.S. and European targets. Beginning October 2023, they expanded to ICS intrusions, claiming safe takeover of a wastewater treatment facility in Europe and two U.S. dairy farms. [cisa.gov]
  • NoName057(16): Allegedly tied to Kremlin‑linked CISM, this group leveraged its proprietary DDoS tool “DDoSia” to launch attacks across NATO nations. Frequently collaborating with CARR, they integrated OT-targeting in mid-2024. [cisa.gov]
  • Z‑Pentest: Emerging in September 2024 from disillusioned actors within CARR and NoName057, Z‑Pentest focuses on OT system intrusions and hack-and-leak tactics while avoiding DDoS. [cisa.gov]
  • Sector16: Formed early 2025, this novice collective maintains a public Telegram presence, claiming symbolic attacks on U.S. energy systems with potential indirect Kremlin support. [cisa.gov]

These groups operate independently yet often coordinate tactics, amplifying each other’s propaganda and methodologies to maximize reach.

Tactics, Techniques & Attack Methodology

Despite their modest technical capabilities, these hacktivists exploit widely available OT/VNC access to impose disruption. According to AA25‑343A, their approach follows a clear pattern:

  1. Reconnaissance: Scanning the internet using tools like Nmap or OpenVAS to locate devices accessible via open VNC ports (typically 5900–5910).
  2. Credential Compromise: Deploying VPS-hosted brute-force tools against default or weak credentials to penetrate remote systems.
  3. HMI Engagement: Once in, they access Human Machine Interfaces (HMIs) and manipulate settings—adjusting setpoints, changing device names, disabling alarms, or restarting operations.
  4. Exfiltration, Propaganda, and Exit: After screen captures or recordings confirming the hack, attackers disconnect and typically post evidence—frequently exaggerating impact—to Telegram or other public channels.

The documented techniques map to specific MITRE ATT&CK techniques, ranging from T1595 (active scanning for reconnaissance) to T0823 (graphical user interface) and T0816 (device restart/shutdown).

Despite their rudimentary methods, consequences include “loss of view”—forcible switching to manual control—operational downtime, remediation costs, and in some cases physical damage.

Impact on Critical Infrastructure

The advisory identifies Water/Wastewater, Food & Agriculture, and Energy sectors as prominent targets. There is growing concern that continued incidents could escalate to more severe outcomes:

  • Operational Disruption: Attackers have caused temporary outages in HMI visibility and forced control handovers.
  • Financial and Labor Burden: Restoring systems often requires specialist intervention, time, and budget.
  • Physical Safety Risks: Although no injuries have been reported, alteration of critical parameters may introduce potential hazards.

While individual attacks have not led to major crises, the advisory highlights that repeated hacks amplify cumulative risks—particularly if systems remain unchanged.

Coordination Among Knowledge-Sharing Actors

Collaboration among these hacktivist entities has increased operational reach. Z‑Pentest, formed by former CARR and NoName057 members, propagates attack methods across Telegram, sometimes aligning with Sector16 to report incidents jointly. Mutual amplification boosts propaganda value and dissemination, raising concern over greater threat persistence.

Recommended Mitigation Strategies

CISA has outlined crucial preventative and defensive measures specifically for OT and ICS operators:

  1. Restrict Internet Exposure: Immediately remove or block public-facing VNC access.
  2. Asset Management: Maintain comprehensive inventories of OT devices and data flows; map asset connectivity to understand potential exposure.
  3. Enforce Strong Authentication: Replace default passwords, deploy complex credentials, and, where viable, use multi-factor authentication mechanisms.

These foundational strategies align with best practices from the May 6, 2025 CISA–EC3 OT cybersecurity fact sheet, part of broader European Operation Eastwood efforts.
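The attack pattern described above (Internet scanning for VNC ports 5900–5910, then guessing default or weak credentials) and the first mitigation (no public-facing VNC) both produce observable evidence in ordinary firewall and VNC server logs. The following is an added example, not code from the advisory or from NetSecurity: it flags accepted VNC connections from non-internal sources and sources that fail VNC authentication repeatedly inside a short window, noting whether a successful login followed. The key=value log format, the internal address ranges, and every sample value are constructed assumptions.

```python
# Added example (not from the advisory): flag Internet-sourced VNC connections and
# VNC brute-force bursts. Log formats and all sample values below are constructed.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
VNC_PORTS = range(5900, 5911)  # 5900-5910, the range named in AA25-343A
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FW_RE = re.compile(r"^(\S+) action=accept src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) vnc (auth_fail|auth_ok) src=(\S+) user=(\S+)")
SAMPLE_FW = """\
2025-12-09T10:00:01Z action=accept src=203.0.113.7 dst=10.20.0.5 dport=5900 proto=tcp
2025-12-09T10:00:02Z action=accept src=10.20.0.9 dst=10.20.0.5 dport=5900 proto=tcp
2025-12-09T10:00:03Z action=accept src=203.0.113.7 dst=10.20.0.5 dport=5901 proto=tcp
"""
SAMPLE_AUTH = """\
2025-12-09T10:01:00Z vnc auth_fail src=203.0.113.7 user=admin
2025-12-09T10:01:05Z vnc auth_fail src=203.0.113.7 user=admin
2025-12-09T10:01:10Z vnc auth_fail src=203.0.113.7 user=operator
2025-12-09T10:01:15Z vnc auth_fail src=203.0.113.7 user=root
2025-12-09T10:01:20Z vnc auth_fail src=203.0.113.7 user=hmi
2025-12-09T10:01:25Z vnc auth_ok src=203.0.113.7 user=hmi
2025-12-09T10:30:00Z vnc auth_fail src=10.20.0.9 user=operator
"""

def is_internal(ip):
    """RFC 1918 or loopback source; anything else is treated as Internet-facing."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def exposed_vnc_hits(fw_log):
    """(src, dst, port) for accepted connections to VNC ports from non-internal sources."""
    return [(m[2], m[3], int(m[4]))
            for m in filter(None, map(FW_RE.match, fw_log.splitlines()))
            if int(m[4]) in VNC_PORTS and not is_internal(m[2])]

def vnc_bruteforce(auth_log, threshold=5, window=timedelta(minutes=1)):
    """Map sources with >= threshold failures inside `window` to whether a login from them succeeded afterwards."""
    fails, successes = defaultdict(list), defaultdict(list)
    for m in filter(None, map(AUTH_RE.match, auth_log.splitlines())):
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        (fails if m[2] == "auth_fail" else successes)[m[3]].append(ts)
    alerts = {}
    for src, times in fails.items():
        times.sort()  # logs may arrive out of order; the window check needs sorted times
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts[src] = any(s >= times[i] for s in successes[src])
                break
    return alerts
```

A burst that ends in `True` is the default-credential pattern the advisory describes and is the source to investigate first; any non-empty result from `exposed_vnc_hits` shows the first mitigation has not been applied.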

Vigilance Over Opportunistic Threats

While pro‑Russia hacktivist groups lack APT-level sophistication, their opportunistic exploitation of unsecured VNC interfaces poses real operational setbacks and growing risks to critical systems. This underscores the persistent exposure and lack of basic security hygiene that continue to enable these attacks.

For OT stakeholders, the advisory is a call to action: systematically sanitize VNC usage, bolster access management, enforce strong credential policies and monitor for misconfiguration within control environments. Though isolated incidents may appear trivial, the compound effects of repeated intrusions, logistical disruption, and taunting propaganda can degrade overall resilience.

This advisory marks an urgent reminder: in our hyper-connected world, even non-state actors with limited technical prowess can inflict material damage. Sustained vigilance, cross-sector collaboration, and adherence to hardening protocols are indispensable for safeguarding critical infrastructure against an evolving threat landscape.

ThreatResponder – All-in-One Platform To Prevent Advanced Cyber Attacks

NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

NetSecurity’s ThreatResponder changes the game. Unlike point solutions, ThreatResponder delivers an all-in-one platform that combines:

  • EDR + ITDR — to detect endpoint and identity threats, including credential abuse that often follows perimeter compromises.
  • Threat Hunting & Forensics — enabling security teams to investigate post-exploitation activity and uncover stealthy ransomware behaviors.
  • Integrated Vulnerability Management — giving CISOs visibility into exposed assets and missing patches before attackers exploit them.
  • Threat Intelligence Feeds — enriched with global insights on adversary tactics, techniques, and procedures used by cybercrime groups.

With ThreatResponder, organizations gain unified visibility, proactive detection, and automated response to stop advanced ransomware attacks before they cause damage.

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).