Revived Cyber Army of Russia: A Dark Web Analysis – SOCRadar® Cyber Intelligence Inc.

Cyber Army of Russia Reborn (CARR) is a pro-Russian hacktivist group that conducts disruptive cyberattacks on critical infrastructure and financial systems, blending DDoS, ICS manipulation, and information operations to advance Russian interests. It has ties to Sandworm within the GRU and coordinates via Telegram, operating within the High Society alliance while facing sanctions on key members.

Key Points

  • The Cyber Army of Russia Reborn (CARR) targets entities opposing Russian interests, including NATO-associated and Ukraine-supporting actors.
  • CARR uses large-scale Distributed Denial of Service (DDoS) attacks to disrupt services and overwhelm networks.
  • The group has links to Sandworm (GRU) and may have been created or supported by this former Kremlin cyber unit.
  • Targets include critical infrastructure in the U.S. and Europe, notably water utilities and energy sectors, with ICS manipulation observed.
  • Coordination and propaganda are conducted via Telegram, enabling attack planning and disinformation campaigns.
  • CARR operates within the High Society alliance, alongside other pro-Russian hacker groups, and has expanded to Italian targets as part of broader operations.
  • U.S. sanctions have been imposed on CARR members for cyberattacks on U.S. critical infrastructure.

MITRE Techniques

  • [T1593.001] Search Open Websites/Domains: Social Media – Reconnaissance by collecting information about targets through social media platforms.
  • [T1049] System Network Connections Discovery – Identifying active network connections on a system.
  • [T1016] System Network Configuration Discovery – Gathering information about network configuration and connections to identify potential targets.
  • [T1071] Application Layer Protocol – Using application layer protocols for command and control communications.
  • [T1498] Network Denial of Service – Executing denial of service attacks to disrupt network availability.
  • [T1499] Endpoint Denial of Service – Targeting endpoints to render them unusable through denial of service.
  • [T0831] Manipulation of Control (ICS) – Interfering with industrial control systems to disrupt essential services.
  • [T1565] Data Manipulation – Altering data within systems to achieve malicious objectives.
  • [T1547] Boot or Logon Autostart Execution – Establishing persistence through autostart mechanisms.

Indicators of Compromise

  • [Threat Actor] Sandworm, Cyber Army of Russia Reborn, and High Society – threat actors involved
  • [Malware/Tool] NotPetya – NotPetya malware (historical reference associated with Sandworm lineage)
  • [Communication Channel] Telegram – Coordination, propaganda dissemination, and recruitment
  • [Target/Asset] Water utilities and Industrial Control Systems (ICS) – Disruptions to water storage and hydroelectric facilities
  • [Coalition/Group] Holy League – Broader pro-Russian hacktivist coalition including CARR
  • [Sanction/Regulatory] U.S. sanctions on CARR members – Yuliya Pankratova and Denis Degtyarenko named

Read more: https://socradar.io/dark-web-profile-cyber-army-of-russia-reborn/