---
title: "Pro-Russia Hacktivists Target US & Global Critical Infrastructure"
short_title: "Pro-Russia hacktivists exploit weak OT systems"
description: "Pro-Russia hacktivist groups like CARR and NoName057(16) exploit weak VNC connections to attack US and global critical infrastructure. Learn how to mitigate risks."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Cyber Attacks]
tags: [hacktivism, critical infrastructure, ot security, vnc vulnerabilities, russia]
score: 0.85
cve_ids: []
---

## TL;DR

Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR) and NoName057(16), are exploiting weakly secured Virtual Network Computing (VNC) connections to target US and global critical infrastructure. While their attacks are less sophisticated than those of advanced persistent threat (APT) groups, they have caused physical damage, operational disruptions, and financial losses in sectors like water, energy, and food agriculture. Organizations are urged to harden OT systems, segment networks, and implement strong authentication to mitigate risks.

---

## Main Content

### Introduction

A coalition of global cybersecurity agencies, including CISA, FBI, NSA, and Europol, has issued a joint advisory warning of opportunistic cyberattacks by pro-Russia hacktivist groups targeting critical infrastructure in the US and allied nations. These groups, such as CARR, NoName057(16), Z-Pentest, and Sector16, exploit poorly secured operational technology (OT) systems to gain access, disrupt operations, and amplify pro-Russia propaganda. While their tactics lack the sophistication of state-sponsored APTs, their attacks have real-world consequences, including physical damage, loss of productivity, and safety risks.

---

### Key Points

- Who is behind the attacks? Pro-Russia hacktivist groups, including CARR, NoName057(16), Z-Pentest, and Sector16, are conducting low-sophistication but high-impact cyberattacks on critical infrastructure.
- How are they gaining access? These groups exploit weak or default passwords, exposed VNC connections, and unpatched OT devices to infiltrate systems.
- Which sectors are targeted? Primary targets include water and wastewater systems, food and agriculture, and energy sectors.
- What is the impact? Attacks have caused physical damage, loss of view (requiring manual intervention), operational disruptions, and financial losses due to downtime and remediation efforts.
- Why are these attacks significant? Despite their lack of technical expertise, these groups willingly cause harm, posing safety risks to communities and industries.

---

### Technical Details

#### Groups Involved and Their Tactics

1. Cyber Army of Russia Reborn (CARR)
   - Origin: Likely supported by Russian GRU military unit 74455 (also known as Sandworm Team).
   - Tactics: Uses DDoS attacks, OT intrusions, and "hack and leak" operations to disrupt critical infrastructure.
   - Notable Attacks: Intrusions at European wastewater facilities and US dairy farms in 2023.

2. NoName057(16)
   - Origin: Created by Russia’s Center for the Study and Network Monitoring of the Youth Environment (CISM).
   - Tactics: Primarily conducts DDoS attacks against NATO member states and countries supporting Ukraine.
   - Collaboration: Worked with CARR to form Z-Pentest in 2024.

3. Z-Pentest
   - Origin: Formed by CARR and NoName057(16) administrators in September 2024.
   - Tactics: Specializes in OT intrusions, defacement attacks, and "hack and leak" operations to amplify pro-Russia messaging.
   - Notable Attacks: Claimed intrusions into US energy infrastructure in 2025.

4. Sector16
   - Origin: Emerged in January 2025 through collaboration with Z-Pentest.
   - Tactics: Focuses on US energy infrastructure, aligning attacks with Russian geopolitical objectives.

---

#### Attack Methodology

Pro-Russia hacktivist groups use unsophisticated but effective tactics to exploit vulnerabilities in OT systems:

1. Reconnaissance
   - Scan the internet for exposed VNC services on default ports (5900-5910) using tools like Nmap or OpenVAS.
   - Target weak or default credentials to gain access.

2. Initial Access
   - Use brute force attacks to compromise VNC-connected HMI (Human-Machine Interface) devices.
   - Leverage temporary virtual private servers (VPS) to obfuscate their identities.

3. Lateral Movement and Impact
   - Once inside, threat actors modify parameters, disable alarms, change credentials, or shut down devices to disrupt operations.
   - Capture screen recordings or screenshots to exaggerate their successes and amplify propaganda.

4. Propagation
   - Groups collaborate, amplify each other’s claims, and share tactics to maximize their reach and impact.
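A defender-side check for the parameter and alarm tampering described in step 3, added here as an example and not code from the advisory or any HMI vendor: compare an exported tag snapshot against an engineering baseline of expected values and safe ranges. The tag names, values and ranges are assumed for illustration.

```python
"""Compare an HMI tag snapshot against an engineering baseline to spot
unauthorized setpoint changes, disabled alarms and unexpected tags.
All tag names, values and ranges below are constructed for this example."""

# Baseline: tag -> (expected value, allowed minimum, allowed maximum).
# For boolean tags such as alarm enables, min == max == the required state.
BASELINE = {
    "chlorine_dose_setpoint_mgL": (1.2, 0.5, 2.0),
    "pump1_speed_pct": (65.0, 0.0, 100.0),
    "tank1_high_level_alarm_enabled": (1, 1, 1),
}

# Constructed snapshot as an operator might export it after an incident.
SNAPSHOT = {
    "chlorine_dose_setpoint_mgL": 4.8,    # pushed far above the safe range
    "pump1_speed_pct": 65.0,              # unchanged
    "tank1_high_level_alarm_enabled": 0,  # alarm silently disabled
    "remote_override": 1,                 # tag that is not in the baseline
}


def check_tags(snapshot, baseline=BASELINE, tolerance=0.05):
    """Return (tag, reason) findings; an empty list means the snapshot matches."""
    findings = []
    for tag, (expected, lo, hi) in baseline.items():
        if tag not in snapshot:
            findings.append((tag, "missing from snapshot"))
            continue
        value = snapshot[tag]
        if value < lo or value > hi:
            findings.append((tag, f"out of range: {value} not in [{lo}, {hi}]"))
        elif abs(value - expected) > tolerance * max(abs(expected), 1):
            # Inside the safe band but drifted from the engineered setpoint.
            findings.append((tag, f"changed from baseline {expected} to {value}"))
    for tag in sorted(snapshot.keys() - baseline.keys()):
        findings.append((tag, "unexpected tag not in baseline"))
    return findings


if __name__ == "__main__":
    for tag, reason in check_tags(SNAPSHOT):
        print(f"{tag}: {reason}")
```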

---

### Impact Assessment

#### Operational and Financial Consequences
- Loss of View: Many attacks result in temporary loss of remote access, forcing operators to switch to manual control and increasing labor costs.
- Physical Damage: Some intrusions have caused physical damage to equipment, leading to costly repairs and downtime.
- Financial Losses: Organizations face substantial expenses for restoring systems, hiring specialists, and implementing remediation measures.
- Safety Risks: Attacks on water treatment facilities, energy grids, and food production plants pose potential safety hazards to communities.

#### Geopolitical and Psychological Impact
- Propaganda Amplification: These groups exaggerate their successes to garner media attention and promote pro-Russia narratives.
- Denial and Misdirection: By operating as non-state actors, these groups provide plausible deniability for the Russian government while advancing its strategic goals.

---

### Mitigation Steps

#### For OT Asset Owners and Operators

1. Reduce Exposure to the Internet
   - Disconnect OT assets from public-facing networks where possible.
   - Use attack surface management tools to identify and secure exposed VNC systems.
   - Implement network segmentation between IT and OT networks to limit lateral movement.

2. Strengthen Authentication
   - Disable default credentials and enforce strong, unique passwords.
   - Implement multi-factor authentication (MFA) for privileged accounts.
   - Use allowlists to restrict access to authorized IP addresses.

3. Monitor and Log Activity
   - Enable logging for all OT devices and monitor for unusual login attempts or configuration changes.
   - Review setpoint ranges and tag values to detect unauthorized modifications.

4. Prepare for Incident Response
   - Develop and regularly test business continuity and disaster recovery plans.
   - Back up critical systems and ensure manual operation capabilities are in place.
   - Report incidents to CISA, FBI, or local cybersecurity authorities.
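A minimal detection routine for the allowlist and login-monitoring steps above, added as an example and not code from the advisory or from any VNC product: it reads VNC server log lines, flags connections from outside an allowlist, and flags the brute-force pattern of many failed authentications followed by a success. The log format, timestamps, IP addresses and the 10.20.0.0/24 allowlist are constructed.

```python
"""Flag VNC brute-force attempts and logins from outside an allowlist.
The log format, IPs and allowlist below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed format: "<timestamp> vnc[<pid>]: <event> from <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vnc\[\d+\]: (?P<event>connection|auth failed|auth ok) "
    r"from (?P<ip>[\d.]+):\d+$"
)

SAMPLE_LOG = """\
2025-01-24T03:00:01 vnc[412]: connection from 203.0.113.7:51000
2025-01-24T03:00:02 vnc[412]: auth failed from 203.0.113.7:51000
2025-01-24T03:00:04 vnc[412]: auth failed from 203.0.113.7:51002
2025-01-24T03:00:06 vnc[412]: auth failed from 203.0.113.7:51004
2025-01-24T03:00:08 vnc[412]: auth failed from 203.0.113.7:51006
2025-01-24T03:00:10 vnc[412]: auth failed from 203.0.113.7:51008
2025-01-24T03:00:12 vnc[412]: auth ok from 203.0.113.7:51010
2025-01-24T08:15:00 vnc[412]: connection from 10.20.0.5:44010
2025-01-24T08:15:01 vnc[412]: auth ok from 10.20.0.5:44010
"""

ALLOWLIST = [ip_network("10.20.0.0/24")]  # assumed engineering-workstation subnet
THRESHOLD, WINDOW = 5, timedelta(minutes=1)  # failures per source within window


def parse(text):
    """Yield (timestamp, event, source ip) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["ip"]


def analyze(text, allowlist=ALLOWLIST, threshold=THRESHOLD, window=WINDOW):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    alerts, flagged_outside = [], set()
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for ts, event, ip in parse(text):
        if ip not in flagged_outside and not any(ip_address(ip) in n for n in allowlist):
            flagged_outside.add(ip)  # report each outside source once
            alerts.append(f"{ip}: VNC {event} from outside the allowlist at {ts.isoformat()}")
        if event == "auth failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:
                alerts.append(f"{ip}: {threshold} failed VNC logins within {window}")
        elif event == "auth ok" and failures[ip]:
            alerts.append(f"{ip}: login succeeded after {len(failures[ip])} failures")
    return alerts
```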

---

#### For OT Device Manufacturers

1. Eliminate Default Credentials
   - Ship devices with unique, strong passwords and disable default accounts.

2. Mandate MFA
   - Require MFA for all privileged access to OT devices.

3. Adopt Secure-by-Design Principles
   - Enable logging by default and use open standard formats for logs.
   - Publish Software Bill of Materials (SBOMs) to help organizations track vulnerabilities.

4. Educate Users
   - Provide clear guidance on securing devices and alert users to insecure configurations.

---

### Conclusion

Pro-Russia hacktivist groups are exploiting weak security practices in critical infrastructure to disrupt operations, cause physical damage, and amplify propaganda. While their tactics are less sophisticated than those of state-sponsored APTs, their willingness to cause harm makes them a significant threat. Organizations must harden their OT systems, segment networks, and implement strong authentication to mitigate risks. Meanwhile, device manufacturers must adopt secure-by-design principles to prevent such attacks in the future.

The collaboration between global cybersecurity agencies highlights the urgency of addressing these threats and underscores the need for proactive measures to protect critical infrastructure from opportunistic and ideologically driven cyberattacks.

---

## References

[^1]: CISA. "[Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a)". Retrieved 2025-01-24.
[^2]: Europol. "[Operation Eastwood: Global Operation Targets NoName057(16) Pro-Russian Cybercrime Network](https://www.europol.europa.eu/media-press/newsroom/news/global-operation-targets-noname05716-pro-russian-cybercrime-network)". Retrieved 2025-01-24.
[^3]: MITRE ATT&CK. "[Matrix for Enterprise](https://attack.mitre.org/versions/v18/matrices/enterprise/)". Retrieved 2025-01-24.