Pro-Russia Hacktivist Attacks on Critical Infrastructure via Exposed VNC and OT Systems

Tags: critical-infrastructure-threat, hacktivist-operations, state-sponsored-disruption, operational-disruption, initial-access-method
Updated March 21, 2026 at 03:04 PM. 2 sources

Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16, have escalated their operations from DDoS attacks to targeting operational technology (OT) systems in critical infrastructure sectors such as water, food, agriculture, and energy. These groups exploit exposed Virtual Network Computing (VNC) connections with weak security, using tools like Nmap and brute-force attacks to gain access to human-machine interfaces (HMIs). Once inside, they manipulate system parameters, disable alarms, and cause operational disruptions, often publicizing their actions for propaganda purposes. The U.S. and international cybersecurity agencies have issued joint advisories detailing these tactics, highlighting the opportunistic nature of these attacks and the use of MITRE ATT&CK techniques ranging from reconnaissance to impact, including "loss of view" scenarios that force manual intervention.

Recent U.S. government indictments and sanctions confirm that CARR was founded and directed by Russian military intelligence (GRU) as a means to conduct unattributable disruptive operations. Notable incidents attributed to these groups include attacks on public drinking water systems, resulting in water spills, and a Los Angeles meat processing facility, which suffered spoiled products and an ammonia leak. While the technical sophistication of these actors is limited, their ability to cause downtime, remediation costs, and occasional physical damage underscores the persistent risk posed by exposed OT systems and weak remote access protections in critical infrastructure environments.
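The intrusion path described above (password guessing against an internet-facing VNC service that fronts an HMI) leaves a simple trace in the VNC server's own log: a burst of authentication failures from one address, sometimes followed by a success. The detector below is an added example written for this page, not code from the advisory or from Mallory. The syslog-like line layout, the host name and the source addresses are constructed for illustration; the regular expression must be adapted to the format the deployed VNC server actually emits.

```python
"""Detect VNC password guessing against an HMI from server log lines.

Added example (not from the advisory or the Mallory page). The log format
below is a constructed, syslog-like layout assumed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> <host> vncserver[<pid>]: auth failure|success from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vncserver\[\d+\]: auth (?P<result>failure|success) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: five rapid failures then a success from one address,
# and a single mistyped password from a second address.
SAMPLE_LOG = """\
2025-12-18T10:00:01Z hmi-01 vncserver[812]: auth failure from 198.51.100.23
2025-12-18T10:00:02Z hmi-01 vncserver[812]: auth failure from 198.51.100.23
2025-12-18T10:00:03Z hmi-01 vncserver[812]: auth failure from 198.51.100.23
2025-12-18T10:00:04Z hmi-01 vncserver[812]: auth failure from 198.51.100.23
2025-12-18T10:00:05Z hmi-01 vncserver[812]: auth failure from 198.51.100.23
2025-12-18T10:00:09Z hmi-01 vncserver[812]: auth success from 198.51.100.23
2025-12-18T10:03:00Z hmi-01 vncserver[812]: auth failure from 192.0.2.10
2025-12-18T10:03:30Z hmi-01 vncserver[812]: auth success from 192.0.2.10
"""


def parse_line(line):
    """Return (timestamp, host, result, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["result"], m["ip"]


def detect_bruteforce(lines, threshold=5, success_after=3, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source address.

    Emits a medium alert once `threshold` failures land inside `window`, and a
    high alert when a login succeeds after at least `success_after` recent
    failures, which is the event that actually matters for an HMI.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    already_flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, result, ip = rec
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "failure":
            recent.append(ts)
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip, "host": host,
                               "reason": f"{len(recent)} VNC auth failures within {window.seconds}s"})
        else:
            if len(recent) >= success_after:
                alerts.append({"severity": "high", "ip": ip, "host": host,
                               "reason": f"VNC login succeeded after {len(recent)} recent failures"})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts for 198.51.100.23 (the burst, then the success that followed it) and nothing for 192.0.2.10, whose single failure followed by a success is ordinary operator behaviour. The success-after-failures rule is the one worth paging on; the failure-count rule mostly confirms that the service is internet-reachable at all, which the advisory says it should not be.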

Timeline

  1. Dec 18, 2025

    Agencies publish mitigation guidance for exposed OT environments

    The joint advisory urged critical infrastructure operators to remove internet-exposed OT assets, segment networks, enforce MFA, and eliminate default or weak credentials. It also called on manufacturers to adopt secure-by-design practices to reduce the impact of these intrusions.

  2. Dec 18, 2025

    Joint advisory warns of VNC-based OT intrusions by pro-Russia groups

    U.S. and international cybersecurity agencies issued a joint advisory warning that groups including CARR, Z-Pentest, NoName057(16), and Sector16 were exploiting internet-exposed VNC connections to access OT devices in water, food, agriculture, and energy sectors. The advisory said the attacks caused downtime, remediation costs, and in rare cases physical damage, though no injuries were reported.

  3. Dec 18, 2025

    Z-Pentest emerges as CARR splinter focused on OT disruption

    After CARR was viewed by its handlers as ineffective, a splinter group called Z-Pentest was formed with a stronger focus on operational technology disruption. U.S. and partner agencies later identified it alongside other pro-Russia groups targeting critical infrastructure.

  4. Dec 18, 2025

    CARR escalates from DDoS to OT intrusions

    CARR evolved from conducting distributed denial-of-service attacks to targeting operational technology environments. Its operators used exposed remote access services and weak credentials to access OT systems and manipulate human-machine interfaces.

  5. Dec 18, 2025

    GRU backs CARR to conduct disruptive cyberattacks

    The U.S. government revealed that Russia's GRU funded and directed CyberArmyofRussia_Reborn (CARR) to carry out disruptive attacks against critical infrastructure, including U.S. water systems, meat processing facilities, and election infrastructure. The activity marked the use of nominally hacktivist fronts for state-backed operations.
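The mitigation guidance in the timeline (remove internet-exposed OT assets, segment networks, enforce MFA, eliminate default or weak credentials) can be turned into a repeatable audit over an asset inventory. The script below is an added example for this page, not code from the advisory or from Mallory; the inventory schema, asset names, `OT_ROLES` and `DEFAULT_CREDENTIALS` sets are constructed for illustration, and in practice the records would come from an asset-management system with credential checks run against a vault rather than a plaintext list.

```python
"""Audit an OT asset inventory against the joint advisory's mitigations.

Added example; not code from the advisory or from Mallory. The inventory
schema and the OT_ROLES / DEFAULT_CREDENTIALS sets are constructed.
"""

OT_ROLES = {"HMI", "PLC", "EWS", "historian"}       # assumed role labels
REMOTE_ACCESS = {"vnc", "rdp"}                       # interactive remote-access protocols
# Constructed: a few factory-default pairs an auditor would flag.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("root", "root")}

# Constructed inventory. Each record lists zone, internet exposure, listening
# services and the credential pairs configured on the asset.
INVENTORY = [
    {"id": "hmi-01", "role": "HMI", "zone": "ot", "internet_exposed": True,
     "services": [{"proto": "vnc", "port": 5900, "auth": "password", "mfa": False}],
     "credentials": [("admin", "admin")]},
    {"id": "plc-07", "role": "PLC", "zone": "ot", "internet_exposed": False,
     "services": [{"proto": "modbus", "port": 502, "auth": "none", "mfa": False}],
     "credentials": []},
    {"id": "ews-02", "role": "EWS", "zone": "ot", "internet_exposed": False,
     "services": [{"proto": "rdp", "port": 3389, "auth": "password", "mfa": True}],
     "credentials": [("engineer", "correct-horse-battery-staple")]},
    {"id": "hist-01", "role": "historian", "zone": "corporate", "internet_exposed": True,
     "services": [{"proto": "vnc", "port": 5900, "auth": "none", "mfa": False}],
     "credentials": []},
]


def audit_asset(asset):
    """Return a list of (severity, finding) tuples for one inventory record."""
    findings = []
    is_ot = asset["role"] in OT_ROLES
    if is_ot and asset["internet_exposed"]:
        findings.append(("critical", "OT asset reachable from the internet; remove the exposure "
                                     "or front it with a VPN that enforces MFA"))
    if is_ot and asset["zone"] != "ot":
        findings.append(("medium", f"OT asset sits in zone '{asset['zone']}'; "
                                   "segment it into the OT network"))
    for svc in asset["services"]:
        if svc["proto"] not in REMOTE_ACCESS:
            continue
        name = f"{svc['proto']}/{svc['port']}"
        if svc["auth"] == "none":
            findings.append(("critical", f"{name} accepts sessions without authentication"))
        elif asset["internet_exposed"] and not svc["mfa"]:
            findings.append(("high", f"{name} is internet-facing without MFA"))
    for user, pw in asset["credentials"]:
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(("high", f"default credential pair '{user}/{pw}' still in use"))
    return findings


def audit_inventory(inventory):
    """Map asset id -> findings for every record."""
    return {asset["id"]: audit_asset(asset) for asset in inventory}


if __name__ == "__main__":
    for asset_id, findings in audit_inventory(INVENTORY).items():
        for severity, text in findings:
            print(f"{asset_id}: [{severity}] {text}")
```

The Modbus listener on `plc-07` is deliberately not flagged: Modbus carries no authentication by design, so the control for it is the segmentation check, not a credential check. The two assets that do get findings reproduce the advisory's picture exactly: an HMI with a password-only VNC service on the internet and a default login, and a historian parked in the corporate zone with an unauthenticated VNC listener.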

Related Stories

Pro-Russia Hacktivist Attacks on Global Critical Infrastructure via Exposed VNC

Pro-Russia hacktivist groups have launched a series of opportunistic cyberattacks targeting critical infrastructure entities in the United States and globally. These groups, including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain access to operational technology (OT) control devices. The attacks are characterized by their relatively low sophistication and impact compared to advanced persistent threat actors, but have resulted in varying degrees of disruption, including physical damage to systems such as water treatment facilities and oil well operations. The hacktivists often seek publicity by exaggerating the effects of their attacks, and their targeting is largely opportunistic, based on the availability of vulnerable systems rather than strategic selection. Authorities including CISA, the FBI, NSA, Department of Energy, and international partners have issued joint advisories warning OT owners and operators to reduce the exposure of OT assets to the public internet, implement robust authentication, and adopt mature asset management practices. These advisories emphasize the importance of mapping data flows and access points to mitigate the risk of similar attacks. The guidance is part of a broader effort to address the growing threat posed by hacktivist groups leveraging accessible VNC devices to compromise critical infrastructure worldwide.

1 month ago
Pro-Russian Hacktivist Group TwoNet Compromises Water Treatment Facility Honeypot

Pro-Russian hacktivist group TwoNet recently targeted what they believed to be a real water treatment facility, which was in fact a sophisticated honeypot set up by cybersecurity researchers at Forescout. The group, previously known for distributed denial-of-service (DDoS) attacks, has shifted its focus to targeting operational technology (OT) in critical infrastructure, marking a significant escalation in their tactics. TwoNet gained initial access to the decoy plant by exploiting default credentials on the human-machine interface (HMI), specifically using 'admin/admin' to log in. Once inside, the attackers attempted to enumerate databases and succeeded after refining their SQL queries, demonstrating a methodical approach to reconnaissance. They created a new user account named 'Barlati' and exploited a known cross-site scripting (XSS) vulnerability, CVE-2021-26829, to display a defacement message on the HMI. Beyond defacement, TwoNet engaged in actions intended to disrupt plant operations, including disabling real-time process updates by removing programmable logic controllers (PLCs) from the data source list and altering PLC setpoints, which could have had dangerous consequences in a real facility. The attackers also attempted to disable logs and alarms, further indicating their intent to cause operational disruption and evade detection. Forescout researchers observed that the attackers did not attempt privilege escalation or exploitation of the underlying host, focusing their efforts on the web application layer. The entire attack sequence, from initial access to disruptive action, unfolded in approximately 26 hours, highlighting the group's efficiency and determination. TwoNet publicly claimed responsibility for the attack on their Telegram channel, falsely asserting it was a successful breach of real critical infrastructure. 
This incident is notable as it is the first time a hacktivist group has claimed an attack that researchers can confirm occurred on a honeypot. The event underscores the evolution of Russian hacktivism from DDoS attacks to more sophisticated OT intrusions with potential physical-world consequences. Security experts, including those from Deepwatch, have warned that such activities represent a growing asymmetric warfare capability, with hacktivist groups seeking to establish reputations as credible threats to critical infrastructure. The attack also involved attempts to manipulate the Modbus protocol, a common industrial control system protocol, further demonstrating the attackers' technical knowledge. While there is no direct evidence linking TwoNet's actions to Russian state direction, their tactics and public claims serve to amplify their perceived threat. The incident provides valuable insight into the methods and motivations of modern hacktivist groups targeting critical infrastructure. It also highlights the importance of honeypots in understanding adversary behavior and improving defensive measures for real-world OT environments. The rapid progression from access to disruption in this case serves as a warning to operators of critical infrastructure about the need for robust security controls and monitoring.

1 month ago
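The TwoNet honeypot story above ends with setpoint changes, PLCs being dropped from the HMI's data sources, and attempts to manipulate Modbus, which is where a real plant would have been hurt. Those actions are visible on the wire as Modbus/TCP write requests, and a passive monitor on a SPAN port can flag them without touching the controllers. The decoder and monitor below are an added example for this page, not code from Forescout's write-up or from Mallory; the frames, host addresses, the `WRITE_ALLOWLIST` and the `PROTECTED_SETPOINTS` range are constructed for illustration, and a real deployment would take the allow-list from the site's change-management records.

```python
"""Passive monitor for Modbus/TCP write operations toward a PLC.

Added example, not from the Forescout write-up or the Mallory page. The
frames, addresses, allow-list and setpoint range are constructed.
"""
import struct

# Function codes that change state on the device (coils / holding registers).
WRITE_FCS = {5: "write single coil", 6: "write single register",
             15: "write multiple coils", 16: "write multiple registers"}

# Constructed site policy: only the engineering workstation may write, and
# holding registers 100-199 hold process setpoints that must not change
# outside a change window.
WRITE_ALLOWLIST = {"10.10.1.9"}
PROTECTED_SETPOINTS = range(100, 200)


def parse_modbus_tcp(data):
    """Decode the MBAP header and the PDU; return None for malformed frames."""
    if len(data) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:     # protocol id must be 0; length covers unit+PDU
        return None
    fc, pdu = data[7], data[8:]
    frame = {"tid": tid, "unit": unit, "fc": fc, "addr": None, "values": []}
    if fc in (5, 6) and len(pdu) >= 4:            # single coil / register: addr, value
        frame["addr"], value = struct.unpack(">HH", pdu[:4])
        frame["values"] = [value]
    elif fc in (15, 16) and len(pdu) >= 5:        # multiple: addr, quantity, byte count, payload
        frame["addr"], qty, nbytes = struct.unpack(">HHB", pdu[:5])
        payload = pdu[5:5 + nbytes]
        if fc == 16 and len(payload) == 2 * qty:
            frame["values"] = list(struct.unpack(f">{qty}H", payload))
        elif fc == 15:
            frame["values"] = list(payload)
    elif fc in (1, 2, 3, 4) and len(pdu) >= 4:    # reads: addr, quantity
        frame["addr"], _qty = struct.unpack(">HH", pdu[:4])
    return frame


def monitor(events):
    """events: iterable of (src_ip, dst_ip, raw_frame). Returns a list of alert dicts."""
    alerts = []
    for src, dst, raw in events:
        fr = parse_modbus_tcp(raw)
        if fr is None:
            alerts.append({"severity": "low", "src": src, "dst": dst,
                           "reason": "malformed Modbus/TCP frame"})
            continue
        if fr["fc"] not in WRITE_FCS:
            continue                               # reads and diagnostics are normal HMI polling
        op = WRITE_FCS[fr["fc"]]
        if src not in WRITE_ALLOWLIST:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "reason": f"{op} at address {fr['addr']} from a non-engineering host"})
            continue
        touched = range(fr["addr"], fr["addr"] + max(1, len(fr["values"])))
        if fr["fc"] in (6, 16) and any(a in PROTECTED_SETPOINTS for a in touched):
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "reason": f"setpoint register {fr['addr']} written by an authorized "
                                     "host; confirm a change record exists"})
    return alerts


# Constructed sample traffic (hex), all toward PLC 10.10.2.7, unit id 1.
READ_HR = bytes.fromhex("000100000006010300000002")                 # FC3: read 2 regs at 0
WRITE_SP = bytes.fromhex("0002000000060106006401f4")                # FC6: reg 100 := 500
WRITE_MUL = bytes.fromhex("00030000000b011000c8000204" "0000" "0001")  # FC16: regs 200-201

SAMPLE_EVENTS = [
    ("10.10.1.5", "10.10.2.7", READ_HR),       # HMI polling: normal
    ("10.10.1.9", "10.10.2.7", WRITE_SP),      # engineering workstation changes a setpoint
    ("198.51.100.23", "10.10.2.7", WRITE_SP),  # unknown host rewrites the same setpoint
    ("198.51.100.23", "10.10.2.7", WRITE_MUL),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert)
```

The monitor treats every write from outside the allow-list as high severity regardless of address, because a PLC has no way to tell an engineer's intended change from an intruder's, and it still records authorized writes to the setpoint range so they can be reconciled against change tickets. Reads are ignored: they are the HMI's normal polling and flagging them would bury the signal.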
UK NCSC Warning on Pro-Russian Hacktivist DDoS Threat to Local Government and Critical Infrastructure

The UK’s **National Cyber Security Centre (NCSC)** issued a renewed warning that **Russian-aligned hacktivist groups** continue to target UK **local authorities** and **critical national infrastructure (CNI)** with disruptive **denial-of-service (DoS/DDoS)** activity intended to take public-facing websites and online services offline. The alert emphasizes that while these attacks are often technically simple, they can still create significant operational disruption and recovery costs, and the NCSC urged organizations—especially those providing essential services—to review and implement its publicly available DoS resilience guidance. The NCSC highlighted the ongoing activity of **NoName057(16)**, an ideologically motivated pro-Russian actor associated with the **DDoSia** crowdsourced DDoS platform, noting that prior international law-enforcement disruption (including server takedowns and arrests under **Operation Eastwood**) did not eliminate the threat and the group has resumed operations. The warning also aligns with broader international advisories that have named additional pro-Russian hacktivist groups (including **Cyber Army of Russia Reborn (CARR)**, **Z-Pentest**, and **Sector16**) as part of the wider DoS threat to Western organizations and critical services.

1 month ago
