Hackers Hijacking VNC Connections to Gain Access to OT Control Devices in Critical Infrastructure

A coalition of U.S. and international cybersecurity agencies issued a stark warning this week about pro-Russia hacktivists exploiting exposed Virtual Network Computing (VNC) connections to infiltrate operational technology (OT) systems in critical infrastructure.

The joint advisory, released December 9, 2025, highlights groups like Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 targeting the water, food and agriculture, and energy sectors through rudimentary but effective tactics.

These groups have evolved amid geopolitical tensions since Russia’s 2022 invasion of Ukraine. CARR, initially backed by Russia’s GRU military unit 74455, shifted to OT attacks by late 2023, claiming hits on European wastewater plants and U.S. dairy farms.

NoName057(16), tied to a Kremlin-linked youth monitoring center, specializes in DDoS but collaborates on intrusions. Newer outfits such as Z-Pentest (formed in September 2024 by defectors from CARR and NoName057(16)) and Sector16 (launched in January 2025) prioritize “hack and leak” operations for publicity, often exaggerating their impact in Telegram videos.

VNC Connections Exploited

Unlike sophisticated APTs, these actors lack deep expertise, opting for opportunistic strikes on internet-facing human-machine interfaces (HMIs) with weak VNC protections.

They scan for open ports such as 5900 with Nmap or OpenVAS, run VPS-hosted brute-force tools against default or simple passwords, then manipulate the HMI GUI to alter parameters, disable alarms, or rename devices, causing a “loss of view” that forces operators into manual overrides.


The advisory details MITRE ATT&CK techniques, from reconnaissance (T1595.002) to impact (T0829: Loss of View). Attackers log credentials, screenshot changes, and post proofs online, aiming for media buzz rather than espionage.

Victims face downtime, remediation costs, and, rarely, physical damage such as disrupted factory processes. In one April 2025 case, a simultaneous DDoS attack aided SCADA access, underscoring how TTPs propagate among allied groups.

Agencies note no injuries yet, but warn of escalating risks to occupied sites. Impacts include reprogramming fees and operational halts, amplified by actors’ disregard for safety.

Critical infrastructure owners must act swiftly. Top priorities: eliminate internet-exposed OT, segment IT/OT networks, enforce multifactor authentication (MFA), and ban defaults.

Use attack surface tools to hunt VNC exposures, audit firewalls for egress, and enable view-only modes. Manufacturers should ship “secure by design” devices with no defaults, SBOMs, and free logging.

Back up HMIs, test manual failsafes, and monitor for anomalies such as unusual logins. Incident response: isolate, hunt, reimage, reprovision credentials, and report to CISA/FBI.
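As an added illustration of the “hunt VNC exposures” and “monitor anomalies” advice above (example code, not from the advisory or this article), the Python script below runs two checks over constructed firewall connection logs: accepted VNC sessions reaching an HMI from outside the plant’s internal ranges, and bursts of VNC connections from a single source that match the brute-force pattern the advisory describes. The log format, the RFC 1918 internal ranges and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
VNC_PORTS = {5900, 5901}
# Assumption: the plant's internal address space is the RFC 1918 ranges.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
# Constructed sample firewall log (not from the advisory): an HMI at 10.20.0.15
# accepts a burst of VNC sessions from a public address, plus one internal session.
SAMPLE_LOG = """\
2025-12-09T02:00:01 src=203.0.113.45 dst=10.20.0.15 dport=5900 action=ACCEPT
2025-12-09T02:00:03 src=203.0.113.45 dst=10.20.0.15 dport=5900 action=ACCEPT
2025-12-09T02:00:04 src=203.0.113.45 dst=10.20.0.15 dport=5900 action=ACCEPT
2025-12-09T02:00:06 src=203.0.113.45 dst=10.20.0.15 dport=5900 action=ACCEPT
2025-12-09T02:00:07 src=203.0.113.45 dst=10.20.0.15 dport=5900 action=ACCEPT
2025-12-09T02:15:00 src=10.20.0.7 dst=10.20.0.15 dport=5900 action=ACCEPT
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def parse(log):
    """Yield (timestamp, src, dst, dport, action) for each line matching LINE_RE."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, src, dst, port, action = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), action

def exposed_vnc(log):
    """Map each HMI to the external sources whose VNC connections were accepted."""
    hits = defaultdict(set)
    for _, src, dst, port, action in parse(log):
        if port in VNC_PORTS and action == "ACCEPT" and not is_internal(src):
            hits[dst].add(src)
    return dict(hits)

def vnc_bruteforce(log, threshold=5, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs with >= threshold VNC connections in any sliding window."""
    per_pair = defaultdict(list)
    for ts, src, dst, port, _ in parse(log):
        if port in VNC_PORTS:
            per_pair[(src, dst)].append(ts)
    alerts = {}
    for pair, times in per_pair.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), n)
    return alerts
```

Any entry returned by `exposed_vnc` is an internet-reachable HMI that the advisory says should not exist; `vnc_bruteforce` hits are the login-burst anomaly worth a ticket even when every attempt was accepted at the firewall.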

This advisory builds on prior alerts, like CISA’s May 2025 OT mitigations, urging global vigilance. As hacktivists iterate, forging alliances and amplifying claims, defenders can’t afford complacency. Proactive hardening thwarts these low-barrier threats before they evolve.
