U.S. and international agencies assess that pro‑Russia hacktivist groups—including Cyber Army of Russia Reborn (CARR), NoName057(16), Z‑Pentest, and Sector16—are conducting opportunistic intrusions against critical infrastructure by scanning for internet‑facing VNC services and exploiting default or weak credentials to access HMI/OT devices. These unsophisticated but impactful operations involve VPS‑based brute‑force attacks, GUI manipulation of setpoints and alarms, and publicizing compromises; the advisory outlines incident response steps and mitigations such as reducing internet exposure, network segmentation, strong authentication, and backups.
Key points
- Authoring organizations (FBI, CISA, NSA and international partners) report pro‑Russia hacktivist targeting of OT/ICS, especially VNC‑connected HMI devices in Water and Wastewater, Food and Agriculture, and Energy sectors.
- Primary TTPs include internet scanning for VNC services, VPS‑hosted brute‑force password attacks, and use of VNC viewers to interact with HMI GUIs.
- Groups named include Cyber Army of Russia Reborn (CARR), NoName057(16), Z‑Pentest, and Sector16, with varying degrees of alleged links to Russian state resources.
- Impacts observed range from loss of view and manual switchover to potential parameter changes, alarm suppression, device restarts, increased remediation costs, and risk of physical harm.
- Threat actors commonly publicize and exaggerate intrusions on Telegram and other channels, sometimes sharing TTPs and cooperating to amplify operations.
- Recommended mitigations include reducing OT internet exposure, network segmentation, strong/unique credentials and MFA where possible, allowlisting, patching VNC services, backups of HMI logic, and regular validation/testing of controls.
MITRE Techniques
- [T1591] Gather Victim Organization Information – Threat actors use internet-available information to identify systems they believe they compromised and post to social media. (‘Threat actors use information available on the internet to determine what systems they believe they have compromised and post the information on their social media.’)
- [T1595.002] Active Scanning: Vulnerability Scanning – Actors use open‑source tools to search for visible VNC services on common ports. (‘Threat actors use open source tools to look for IP addresses in target countries with visible VNC services on common ports.’)
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Actors initiate temporary VPS instances to run password brute‑force software and obfuscate identifiers. (‘Initiate temporary virtual private server (VPS) to execute password brute force software.’)
- [T0883] Internet Accessible Device – Actors gain access through less secure HMI devices exposed to the internet, often via VNC. (‘Threat actors gain access through less secure HMI devices exposed to the internet.’)
- [T0859] Valid Accounts – Threat actors obtain access using legitimate accounts on HMI devices through credential guessing or default credentials. (‘Threat actors use password guessing tools to access legitimate accounts on the HMI devices.’)
- [T1110.003] Brute Force: Password Spraying – Actors employ tools to rapidly guess common or simple passwords against exposed services. (‘Threat actors use tools to rapidly guess common or simple passwords.’)
- [T0812] Default Credentials – Actors seek and leverage known default passwords for control devices to access accounts. (‘Threat actors seek and build libraries of known default passwords for control devices to access legitimate user accounts.’)
- [T0886] Remote Services – Actors leverage VNC and other remote services to access HMI devices over the internet. (‘Threat actors leverage VNC services to access system HMI devices.’)
- [T1021.005] Remote Services: VNC – Actors hunt for VNC‑enabled devices and connect using remote viewer software to interact with HMIs. (‘Threat actors hunt VNC-enabled devices visible on the internet and connect with remote viewer software.’)
- [T0823] Graphical User Interface – Actors interact with HMI GUIs to modify device settings, capture screenshots, and record actions. (‘Using the HMI graphical interface, capture screen recordings or intermittent screenshots while conducting the following actions…’)
- [T0892] Change Credential – Actors change usernames/passwords on HMI devices to lock out operators and create loss of view. (‘Modify usernames/passwords…’)
- [T0836] Modify Parameter – Actors attempt to change operational upper and lower limits and setpoints via the HMI. (‘Threat actors attempt to change upper and lower limits of operational devices as available from the HMI.’)
- [T0831] Manipulation of Control – Actors change instrument settings or setpoints to affect process efficiency or safety. (‘Threat actors change setpoints in processes, impacting the efficiency of operations for those specific processes.’)
- [T0878] Alarm Suppression – Actors use HMI interfaces to clear or disable alarms to conceal activity. (‘Threat actors use HMI interfaces to clear alarms caused by their activity and alarms already present on the system at the time of their intrusion.’)
- [T0829] Loss of View – Actors cause operator loss of remote view (often by changing credentials), forcing manual intervention. (‘Threat actors change credentials on HMI devices, preventing operators from modifying processes remotely.’)
- [T0816] Device Restart/Shutdown – Actors may cause device restarts or claim to power off HMIs, potentially leading operators to take systems offline. (‘Device restart or shutdown’)
- [T0855] Unauthorized Command Message – Actors attempt to send unauthorized commands to control system assets outside intended functionality. (‘Threat actors attempt to send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, causing possible impact.’)
- [T0828] Loss of Productivity and Revenue – Actors purposefully attempt to impact productivity and create additional costs for affected entities. (‘Threat actors purposefully attempt to impact productivity and create additional costs for the affected entities.’)
Indicators of Compromise
- [Tool] DDoS and attack tooling – example: DDoSia (proprietary DDoS tool used by NoName057(16)); used to conduct DDoS campaigns and host materials.
- [Network Ports] VNC service ports – example: 5900 and range 5901-5910 (threat actors scan default VNC ports to find exposed HMIs).
- [Channels/Domains] Messaging channels for claims and coordination – example: Telegram channels ‘CyberArmyofRussia_Reborn’ and NoName057(16) channels used to post compromises and coordinate activity.
- [Credentials] Default/weak passwords – context: HMI devices with default or weak credentials are commonly brute‑forced or password‑sprayed (e.g., default credentials and weak operator passwords).
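A defender-side check for the two patterns the TTPs and port IoCs above describe (external sources reaching VNC ports at all, and repeated connection attempts from one source), as an added example that is not part of the advisory. It assumes a simple key=value firewall log format (the sample lines are constructed), treats RFC 1918 ranges as internal, and uses the VNC ports 5900-5910 listed above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample firewall log (not from the advisory); 203.0.113.10 hammers TCP/5900.
SAMPLE_LOG = """\
2025-12-09T10:00:01Z fw action=allow proto=tcp src=203.0.113.10 dst=192.168.10.5 dport=5900
2025-12-09T10:00:03Z fw action=allow proto=tcp src=203.0.113.10 dst=192.168.10.5 dport=5900
2025-12-09T10:00:05Z fw action=allow proto=tcp src=203.0.113.10 dst=192.168.10.5 dport=5900
2025-12-09T10:00:06Z fw action=allow proto=tcp src=203.0.113.10 dst=192.168.10.5 dport=5900
2025-12-09T10:00:08Z fw action=allow proto=tcp src=203.0.113.10 dst=192.168.10.5 dport=5900
2025-12-09T10:01:00Z fw action=allow proto=tcp src=198.51.100.7 dst=192.168.10.6 dport=5901
2025-12-09T10:02:00Z fw action=allow proto=tcp src=10.20.0.4 dst=192.168.10.5 dport=5900
2025-12-09T10:02:30Z fw action=allow proto=tcp src=203.0.113.55 dst=192.168.10.9 dport=443
"""
VNC_PORTS = set(range(5900, 5911))  # 5900 and 5901-5910, the ports named in the advisory
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+) fw action=(\w+) proto=tcp src=(\S+) dst=(\S+) dport=(\d+)$")

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def parse(log_text):
    """Yield (timestamp, action, src, dst, dport) for lines matching the assumed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4], int(m[5])

def vnc_findings(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (exposed, bruteforce): exposed = (src, dst, port) where an external source was
    allowed to reach a VNC port; bruteforce = external sources with >= threshold attempts in a window."""
    attempts = defaultdict(list)
    exposed = set()
    for ts, action, src, dst, dport in parse(log_text):
        if dport not in VNC_PORTS or is_internal(src):
            continue  # only internet-facing VNC traffic is of interest here
        if action == "allow":
            exposed.add((src, dst, dport))
        attempts[src].append(ts)  # denied attempts still count toward the brute-force pattern
    bruteforce = set()
    for src, times in attempts.items():
        times.sort()
        # sliding window over sorted timestamps: any `threshold` attempts within `window` flags the source
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bruteforce.add(src)
                break
    return exposed, bruteforce
```

Any entry in `exposed` is an HMI reachable from the internet over VNC, which the advisory's mitigations (reduce exposure, segment, allowlist) aim to eliminate regardless of whether a brute-force pattern is seen.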
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a