CISA, the FBI, the NSA, and partner agencies released a joint Cybersecurity Advisory on December 9, 2025, warning that pro‑Russia hacktivist groups are exploiting minimally secured, internet‑facing VNC connections to access OT/ICS devices in critical infrastructure sectors including Water and Wastewater, Food and Agriculture, and Energy. The advisory names groups such as Cyber Army of Russia Reborn (CARR), NoName057(16), Z‑Pentest, and Sector16, highlights use of the DDoS tool DDoSia and destructive malware like HermeticWiper, and points to AttackIQ emulations for validating defenses. #CyberArmyOfRussiaReborn #Sandworm
Keypoints
- CISA, FBI, NSA and partners published a joint CSA on Dec 9, 2025, augmenting prior OT mitigation guidance and Operation Eastwood reporting.
- The advisory's authors assess that pro‑Russia hacktivist groups are conducting lower‑sophistication but impactful intrusions against OT by exploiting exposed, minimally secured VNC services to reach control devices.
- Named hacktivist groups include Cyber Army of Russia Reborn (CARR), NoName057(16), Z‑Pentest, and Sector16, which have used DDoS, OT intrusions, HMI defacements, and “hack and leak” tactics.
- Some groups have alleged ties or indirect support from Russian state actors—CARR is assessed to have been supported by GRU Unit 74455 (Sandworm) and NoName057(16) is linked to Kremlin‑backed CISM activities.
- AttackIQ recommends emulating long‑standing, high‑impact adversaries (notably Sandworm) and provides multiple emulations (e.g., Sandworm, Seashell Blizzard, Prestige Ransomware) to validate defenses and incident response.
- Continuous adversary emulation via AttackIQ AEV and CTEM alignment helps organizations evaluate controls, validate detection/prevention, and reduce operational risk against pro‑Russia behaviors.
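The keypoints above turn on one detail: VNC services reachable from the internet and sitting in front of OT devices. The script below is an added example (not code from the advisory or from AttackIQ) showing how a defender can run a first check over firewall or connection logs: it flags accepted inbound VNC sessions from non‑RFC1918 sources into declared OT subnets, and separately counts repeated denied VNC attempts from the same external source. The log format, the OT subnet, and the addresses (drawn from documentation ranges) are all constructed for the example.

```python
"""Spot internet-exposed VNC access into OT subnets from key=value firewall logs.

Added example, not part of the advisory or AttackIQ's own tooling. Assumptions:
- logs are single lines of key=value pairs with src, dst, dport and action fields
  (a constructed format; adapt parse_line() to your firewall's export);
- anything outside RFC1918 space is treated as internet-facing.
"""
import ipaddress
import re
from collections import Counter

# RFB/VNC servers listen on 5900 + display number; 58xx is the legacy browser-viewer port.
VNC_PORTS = set(range(5900, 5910)) | set(range(5800, 5810))

# RFC1918 ranges are treated as "inside"; every other source is considered external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines. 203.0.113.x and 198.51.100.x are documentation ranges, used here as
# stand-ins for external sources; 10.20.0.0/16 plays the role of the OT network.
SAMPLE_LOGS = [
    "ts=2025-12-09T03:12:44Z src=203.0.113.45 dst=10.20.5.17 dport=5900 proto=tcp action=accept",
    "ts=2025-12-09T03:12:51Z src=203.0.113.45 dst=10.20.5.17 dport=5900 proto=tcp action=accept",
    "ts=2025-12-09T03:15:02Z src=10.20.1.8 dst=10.20.5.17 dport=5900 proto=tcp action=accept",
    "ts=2025-12-09T03:16:30Z src=198.51.100.9 dst=10.20.5.18 dport=5901 proto=tcp action=deny",
    "ts=2025-12-09T03:17:00Z src=198.51.100.9 dst=10.20.5.18 dport=5901 proto=tcp action=deny",
    "ts=2025-12-09T03:17:10Z src=198.51.100.9 dst=10.20.5.18 dport=5901 proto=tcp action=deny",
    "ts=2025-12-09T03:20:00Z src=203.0.113.45 dst=10.30.0.5 dport=443 proto=tcp action=accept",
    "garbage line with no fields",
]


def parse_line(line):
    """Parse one key=value log line; return None if required fields are missing or malformed."""
    fields = dict(KV_RE.findall(line))
    if not {"src", "dst", "dport", "action"} <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def is_internal(ip):
    """True if the address falls inside RFC1918 space."""
    return any(ip in net for net in INTERNAL_NETS)


def analyze(lines, ot_subnets, deny_threshold=3):
    """Return accepted external->OT VNC sessions and external sources repeatedly denied on VNC ports.

    ot_subnets: CIDR strings for the networks holding HMIs/PLCs/engineering workstations.
    """
    ot_nets = [ipaddress.ip_network(n) for n in ot_subnets]
    exposed = set()      # (src, dst, dport) tuples for accepted sessions
    denies = Counter()   # denied VNC attempts per external source
    for line in lines:
        f = parse_line(line)
        if f is None or f["dport"] not in VNC_PORTS:
            continue
        src, dst = f["src_ip"], f["dst_ip"]
        if is_internal(src) or not any(dst in n for n in ot_nets):
            continue  # internal-to-internal traffic, or a destination outside the OT estate
        if f["action"] == "accept":
            exposed.add((str(src), str(dst), f["dport"]))
        elif f["action"] == "deny":
            denies[str(src)] += 1
    probing = {s: c for s, c in denies.items() if c >= deny_threshold}
    return {"exposed": sorted(exposed), "probing": probing}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS, ["10.20.0.0/16"])
    for src, dst, port in report["exposed"]:
        print(f"EXPOSED: external {src} reached VNC on OT host {dst}:{port}")
    for src, count in report["probing"].items():
        print(f"PROBING: {src} denied {count} times on VNC ports")
```

An accepted session from an external source is the finding the advisory is about, regardless of whether a password was set: the mitigation is to remove the internet path (VPN or jump host with MFA in front of any remote access to OT) rather than to rely on VNC's own authentication. The deny counter is a cheaper signal that someone is looking for such paths and is worth routing to the same alert queue.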
MITRE Techniques
- [N/A] No MITRE ATT&CK techniques explicitly mentioned – ‘The advisory does not reference MITRE technique IDs or technique names directly.’
Indicators of Compromise
- [Malware / Tool] DDoS and destructive tools cited in incidents and reporting – DDoSia (pro‑Russia DDoS tool used by NoName057(16)), HermeticWiper (wiper linked to Sandworm)
- [Threat Actors] Named groups and alleged supporting units used as identifying indicators in the advisory – Cyber Army of Russia Reborn (CARR), NoName057(16)
- [Campaign / Emulation Names] Emulations and campaign identifiers referenced for testing and attribution – Seashell Blizzard, Prestige Ransomware
- [Network / Host IOCs] IP addresses, domains, file hashes, and specific filenames – none provided in the article
Read more: https://www.attackiq.com/2025/12/10/response-to-aa25-343a/