CISA, in partnership with the Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners, has published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure.
This advisory, published as an addition to the joint fact sheet on Primary Mitigations to Reduce Cyber Threats to Operational Technology (OT) released in May 2025, details that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate or gain access to OT control devices within critical infrastructure systems.
The groups involved include:
- Cyber Army of Russia Reborn.
- Z-Pentest.
- NoName057(16).
- Sector16.
The groups are reportedly taking advantage of the widespread prevalence of accessible VNC devices to execute attacks, resulting in varying degrees of impact, including physical damage.
These groups often seek notoriety by making false or exaggerated claims about their attacks. Their methods are opportunistic, leveraging superficial criteria such as victim availability and existing vulnerabilities. They attack a wide range of targets, from water treatment facilities to oil well systems.
CISA recommends the following actions:
- Reduce exposure of OT assets to the public-facing internet.
- Adopt mature asset management processes, including mapping data flows and access points.
- Ensure that OT assets are using robust authentication procedures.
For more information on Russian state-sponsored threat actor activity, visit CISA’s Russia Cyber Threat Overview and Advisories page.
