The US government is warning that unsophisticated, pro-Russia hacktivists are targeting US critical infrastructure to gain access to operational technology (OT) control devices. These so-called "opportunistic" attacks so far have had limited impact, but could pose a more dire threat in the future.
In conjunction with the warning,
The FBI, Cybersecurity Infrastructure Agency (CISA), National Security Agency (NSA), and various international authorities have identified four specific groups — Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 — as well as their affiliates, which in the last several weeks have attacked minimally secured, Internet-facing virtual network computing (VNC) connections in OT systems, according to an advisory posted Tuesday. The groups are compromising these networks in attacks that primarily target water and wastewater systems, food and agriculture, and energy sectors.
Unlike advanced persistent threats (APTs), these fringe groups on the surface appear to lack direct governmental ties, though they share the same support of the Russian agenda and similar targeting of Ukrainian and allied infrastructure, according to the advisory. "However, among the increasing number of groups, some appear to have associations with the Russian state through direct or indirect support," according to CISA.
CARR previously took credit for disrupting water supplies at US, Polish, and French facilities, which Mandiant revealed in 2024.
“[The advisory] confirms our earlier assessment of ties between hacktivist front Cyber Army of Russia Reborn (CARR) and Russia’s military intelligence service, the GRU,” said John Hultquist, chief analyst at Google Threat Intelligence Group, in a media statement. “CARR carried out cyberattacks on US and European critical infrastructure but hid behind this false persona.”
He added, “The GRU is increasingly leaning into willing accomplices to hide their own hand in destabilizing physical and cyberattacks in Europe and the US. It’s important that we never take an adversary’s word for it when they tell us who they are. They frequently lie.”
In conjunction with the advisory, the Department of Justice also announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her actions supporting CARR and NoName057(16). Dubranova was extradited to the United States earlier this year.
How the Russian Hacktivist Attacks Work