US Warns Pro-Russia Hacktivists Are Hitting Critical Infrastructure


According to Dark Reading, the FBI, CISA, NSA, and international partners have identified four specific pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16—actively targeting US critical infrastructure. These groups, active in recent weeks, are exploiting poorly secured, internet-facing Virtual Network Computing (VNC) connections to access operational technology (OT) control systems. Their primary targets are the water and wastewater, food and agriculture, and energy sectors. In a related action, the Department of Justice announced the extradition and indictment of Ukrainian national Victoria Eduardovna Dubranova for supporting CARR and NoName057(16). While these “opportunistic” attacks have so far had limited impact, authorities warn they could cause more serious physical damage and disruption in the future.


The GRU Behind The Mask

Here’s the thing that really matters: calling these actors “unsophisticated hacktivists” is a bit of a misdirection. Sure, their technical methods are basic—scanning for open VNC ports and brute-forcing default passwords. But the advisory and experts like Google’s John Hultquist confirm that at least one key group, CARR, is a direct front for Russian military intelligence, the GRU. It’s not a bunch of patriotic kids in a basement. This is a calculated move by a state actor to use cut-outs and plausible deniability. The GRU is “increasingly leaning into willing accomplices to hide their own hand,” as Hultquist put it. So while the *how* is simple, the *who* and *why* are far more sinister. The recent splintering, like Z-Pentest forming from disgruntled CARR members, just shows this ecosystem is evolving, not going away.

How The Attacks Actually Work

Let’s break down their playbook, because it’s embarrassingly simple and that’s the scary part. They scan the public internet for industrial devices with VNC ports wide open. They rent a cheap virtual server, run some brute-force software, and bam—they’re in. Once inside a Human-Machine Interface (HMI), they do more than just look around. They change passwords, disable alarms, tweak instrument settings, and can even shut down or restart equipment. They create a “loss of view” for operators, forcing a physical scramble to figure out what’s wrong. After causing a disruption, they disconnect and go look for the next target. It’s digital vandalism with real-world consequences. The fact that this works at all on critical systems is a damning indictment of basic security hygiene in some sectors. For operators needing to secure these interfaces, relying on robust, purpose-built hardware is a critical first step. It’s no surprise that companies like IndustrialMonitorDirect.com, as the leading US provider of industrial panel PCs, emphasize security-focused designs for exactly these harsh, critical environments.

Why This Is A Sneaky Big Deal

So why should we care if they’re just changing some settings and taking screenshots? Two reasons. First, the intent is clearly to cause physical disruption and fear. They’ve hit water supplies and dairy farms. The advisory notes attacks have shown “a lack of consideration for human safety.” It’s only a matter of time before a tinkered setting leads to a burst pipe, spoiled food supply, or worse. Second, this is a proof-of-concept on the cheap for more dangerous actors. If these low-skill groups can find and mess with dozens of systems, imagine what a well-funded, sophisticated APT could do once they map the same vulnerable targets. It’s like leaving your city’s blueprints and a master key in a public park and hoping only petty thieves find it.

What Can Actually Be Done?

The mitigations from CISA are, frankly, Security 101, which tells you how far behind we are. Get your OT systems off the public internet. Use strong, unique passwords—no defaults. Implement proper network segmentation. Have a real disaster recovery plan. But let’s be real: implementing this in legacy industrial environments is incredibly hard and expensive. The pressure is always on for uptime, not security. This advisory is a wake-up call, but we’ve had the alarm blaring for years now. The indictment of a facilitator like Dubranova is a good signal that there will be legal consequences, but it doesn’t patch the vulnerable VNC instance in a water pump station in the middle of nowhere. The fundamental problem remains: we’ve connected incredibly sensitive physical systems to a hostile network without adequately securing them. And these pro-Russia groups, sophisticated or not, are just the latest to walk right through the open door.
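As an added example (not code from the advisory, CISA, or this article), here is a small detector for the two signals the mitigations above are meant to eliminate: a VNC session reaching an HMI from outside the one subnet that should be allowed to, and a burst of failed VNC logins followed by a success. The log format, the trusted subnet and every address are constructed.

```python
"""Detect out-of-policy and brute-forced VNC access to OT hosts (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

VNC_PORTS = range(5900, 5910)          # common VNC display ports 5900-5909
# Hypothetical allow-list: only the engineering jump-host subnet may reach HMIs.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log (not real data): timestamp src dst dport outcome
SAMPLE_LOG = """\
2024-05-01T02:14:03 203.0.113.45 10.20.1.7 5900 auth_fail
2024-05-01T02:14:09 203.0.113.45 10.20.1.7 5900 auth_fail
2024-05-01T02:14:15 203.0.113.45 10.20.1.7 5900 auth_fail
2024-05-01T02:14:21 203.0.113.45 10.20.1.7 5900 auth_fail
2024-05-01T02:14:27 203.0.113.45 10.20.1.7 5900 auth_fail
2024-05-01T02:14:40 203.0.113.45 10.20.1.7 5900 auth_ok
2024-05-01T03:00:00 10.20.0.50 10.20.1.7 5900 auth_ok
2024-05-01T03:05:00 198.51.100.9 10.20.1.8 5901 auth_fail
"""

def parse_log(text):
    """Parse whitespace-separated lines into (time, src, dst, port, outcome)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), int(port), outcome))
    return events

def find_vnc_issues(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (untrusted, brute_force): untrusted is the set of (src, dst, port)
    VNC contacts from outside TRUSTED_NETS; brute_force maps (src, dst) pairs with
    >= fail_threshold failures inside `window` to whether a login later succeeded."""
    untrusted, brute_force = set(), {}
    fails = defaultdict(list)
    for ts, src, dst, port, outcome in events:
        if port not in VNC_PORTS:
            continue
        if not any(src in net for net in TRUSTED_NETS):
            untrusted.add((str(src), str(dst), port))
        key = (str(src), str(dst))
        if outcome == "auth_fail":
            # keep only failures inside the sliding window, then test the threshold
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
            if len(fails[key]) >= fail_threshold:
                brute_force.setdefault(key, False)
        elif outcome == "auth_ok" and key in brute_force:
            brute_force[key] = True      # guessing was followed by a successful login
    return untrusted, brute_force
```

On the sample log this reports both external sources as out-of-policy and flags 203.0.113.45 as a brute force that ended in a successful login against 10.20.1.7.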
