Hacktivist groups supporting the Russian government are trying to breach critical infrastructure using low-level tactics that could nonetheless cause serious harm, the U.S. and its allies said on Tuesday.
Cyber Army of Russia Reborn, Sector16, NoName057(16) and Z-Pentest have exploited poorly secured remote connections to industrial equipment to hack organizations in the energy, food and agriculture and water sectors, “resulting in varying degrees of impact, including physical damage,” according to an advisory from 26 agencies representing the U.S. and more than a dozen other countries.
“These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt,” the advisory says. “Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure.”
The Justice Department on Tuesday announced dual indictments against a Ukrainian national, Victoria Eduardovna Dubranova, for her role in attacking critical infrastructure as part of two of the pro-Russian groups. Dubranova was arrested and extradited to the U.S. earlier this year and will be tried in early 2026.
Nick Andersen, CISA’s executive assistant director for cybersecurity, said in a statement that the pro-Russian hacktivist groups “have demonstrated intent and capability to inflict tangible harm on vulnerable systems.” He urged the makers of operational technology devices to “prioritize secure-by-design principles” in their development processes.
Six U.S. agencies — the Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, the Department of Energy, the Environmental Protection Agency and the Department of Defense Cyber Crime Center — co-issued the report with agencies from Australia, Canada, the Czech Republic, France, Germany, Italy, Latvia, Lithuania, New Zealand, Romania, Spain, Sweden and the U.K., as well as Europol.
The new advisory lists the steps these attackers typically take: password spraying against the remote-access services in front of industrial equipment; remotely accessing the Human Machine Interface (HMI) devices that control that equipment; sending authorized commands to the HMIs; and changing passwords to lock infrastructure operators out. The officials also recommend mitigation steps for operators, including reducing the exposure of operational technology to the internet, using strong authentication, monitoring network activity, and exercising incident-response and disaster-recovery processes.
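The attack sequence above (password spraying, a successful remote login, then a password change that locks operators out) is the kind of pattern the recommended network monitoring should catch. The following is an added example written for this page, not code from the advisory, the agencies or any vendor. It assumes a hypothetical line-oriented authentication log from an HMI remote-access gateway with the fields shown; the sample lines, IP addresses, usernames and thresholds are constructed for the example. It goes a step beyond the advisory's list by also flagging the follow-on takeover and lockout signals from a source that was already spraying.

```python
"""Detect password spraying and follow-on account takeover in remote-access logs.

Added example, not part of the advisory or the article. The log format
(ts src= user= action= result=) is an assumption, and SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password across many operator
# accounts (spraying), gets into "plant1", then changes that password.
# 10.20.0.15 is a legitimate operator mistyping their own password twice.
SAMPLE_LOG = """\
2025-12-09T03:00:01Z src=203.0.113.7 user=operator action=login result=fail
2025-12-09T03:00:03Z src=203.0.113.7 user=admin action=login result=fail
2025-12-09T03:00:05Z src=203.0.113.7 user=engineer action=login result=fail
2025-12-09T03:00:08Z src=203.0.113.7 user=scada action=login result=fail
2025-12-09T03:00:10Z src=203.0.113.7 user=maint action=login result=fail
2025-12-09T03:00:12Z src=203.0.113.7 user=plant1 action=login result=success
2025-12-09T03:00:40Z src=203.0.113.7 user=plant1 action=password_change result=success
2025-12-09T03:01:00Z src=10.20.0.15 user=operator action=login result=fail
2025-12-09T03:01:05Z src=10.20.0.15 user=operator action=login result=fail
2025-12-09T03:01:09Z src=10.20.0.15 user=operator action=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """Return {src: set_of_users} for sources whose failed logins hit at least
    min_users distinct accounts inside any sliding window of length `window`.

    Counting distinct usernames per source (rather than attempts per account)
    is what separates spraying from a single operator's typos or from
    brute force against one account.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            fails_by_src[e["src"]].append(e)

    sprayers = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                sprayers.setdefault(src, set()).update(users)
    return sprayers


def detect_takeover(events, sprayers):
    """Flag successful logins and password changes from a source that was
    spraying: the 'change passwords to lock out operators' step."""
    findings = []
    for e in events:
        if e["src"] not in sprayers or e["result"] != "success":
            continue
        if e["action"] == "login":
            findings.append((e["ts"], e["src"], e["user"], "login after spray"))
        elif e["action"] == "password_change":
            findings.append((e["ts"], e["src"], e["user"],
                             "password changed after spray: possible operator lockout"))
    return findings


def analyze(text):
    """Run both detectors over raw log text; returns (sprayers, findings)."""
    events = parse_log(text)
    sprayers = detect_spraying(events)
    return sprayers, detect_takeover(events, sprayers)


if __name__ == "__main__":
    sprayers, findings = analyze(SAMPLE_LOG)
    for src, users in sprayers.items():
        print(f"SPRAY  {src} -> {len(users)} accounts: {sorted(users)}")
    for ts, src, user, what in findings:
        print(f"ALERT  {ts:%H:%M:%S} {src} {user}: {what}")
```

The thresholds (five distinct accounts in ten minutes) are deliberately low for a small OT gateway, where a handful of operator accounts is all that exists; tune them to the site. The important design choice is the second stage: a success or password change from an address that was just spraying is a far stronger signal than either event on its own, and it maps directly onto the lockout step the advisory describes.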
“The single most important thing people can do to protect themselves is to reduce the number of OT devices or operational technology exposed to the public-facing internet,” Chris Butera, the acting deputy executive assistant director of CISA’s cyber division, told reporters during a briefing on Wednesday.
“The cumulative impact of this malicious cyber activity,” Butera added, “poses a persistent and disruptive threat to essential services.”
Hacktivist groups with Russian military ties
The joint advisory summarizes the activities of the four pro-Russia hacktivist groups it accuses of conducting the attacks, including Cyber Army of Russia Reborn (CARR), which the document says the Russian military likely helped establish.
These groups “have successfully targeted supervisory control and data acquisition (SCADA) networks using basic methods, and in some cases, performed simultaneous DDoS attacks against targeted networks to facilitate SCADA intrusions,” the advisory says.
CARR leaders took instructions from a Russian military intelligence officer when deciding which targets to attack, according to the DOJ, which said the Kremlin “financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services.”
The hacktivists sometimes work together, including by amplifying each other’s social media posts bragging about their attacks, according to the joint advisory, which alludes to one intrusion that two of the groups said they conducted together.
While the hacktivists’ attacks could pose a serious threat, the advisory says, the groups’ main goal is notoriety and they “regularly make false or exaggerated claims about their attacks on critical infrastructure to garner more attention,” including by misrepresenting their degree of access to targeted networks.
The pro-Russian groups named in the advisory have been the target of law-enforcement scrutiny before. Last July, authorities from the U.S. and 11 other countries dismantled computer infrastructure belonging to NoName057(16) and issued arrest warrants for seven of the group’s members.
An unusual arrest
During Wednesday’s briefing, officials declined to discuss whether the arrest of Dubranova, the hacktivist who supported two of the groups, resulted from any cooperation with the Russian government. Moscow has consistently refused to help Western governments apprehend its nationals accused of committing cybercrime.
The U.S. continues to share “law enforcement and national security information” with the Russian government when it believes “there’s an opportunity to mitigate a threat to the homeland here,” said Brett Leatherman, assistant director of the FBI’s Cyber Division.
Leatherman did, however, highlight the recent increase in the number of arrests of cybercriminals by both traditional U.S. allies and countries that aren’t used to participating in such operations. “That increased operational tempo,” he said, should “serve as a deterrent to anybody who might engage in these kind of attacks.”
Dubranova faces four charges, including what Leatherman said was the first-ever charge of conspiracy to tamper with a public water system.
