A coalition of international cybersecurity agencies, led by the FBI, CISA, and the NSA, has issued a stark warning regarding a surge in opportunistic attacks against critical infrastructure by pro-Russia hacktivist groups. In a joint Cybersecurity Advisory released on December 9, 2025, officials detailed how these groups—while technically unsophisticated—are leveraging basic security lapses to inflict physical damage on water systems, energy grids, and food production facilities worldwide.
Unlike the stealthy, surgical intrusions of elite state-sponsored APTs, these hacktivist operations are better described as crude vandalism. The advisory notes that “Pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups”.
However, their lack of sophistication makes them dangerously unpredictable. The report warns that “their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact”.
The primary weapon in these groups’ arsenal is not a zero-day exploit but poor hygiene around Virtual Network Computing (VNC) remote-desktop services. The attackers scan the internet for Human-Machine Interfaces (HMIs)—the operator dashboards used to monitor and control industrial processes—whose VNC service is reachable from the internet and protected by a weak, default, or nonexistent password.
“These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems”.
Once inside, the attackers manipulate settings indiscriminately: renaming devices, changing physical process parameters (such as pump speeds or chemical dosing levels), disabling alarms, and inducing “loss of view” conditions, in which the HMI no longer shows operators the true state of the process they are supposed to be controlling.
The advisory unmasks several key groups, revealing direct links to the Russian state apparatus:
- Cyber Army of Russia Reborn (CARR): Assessed to be supported by the Russian GRU’s Unit 74455. Originally focused on DDoS attacks, they expanded to industrial control systems (ICS) in late 2023.
- NoName057(16): Linked to the Kremlin-backed Center for the Study and Network Monitoring of the Youth Environment (CISM). Senior executives at CISM reportedly developed the group’s “DDoSia” attack tool.
- Z-Pentest: A hybrid group formed in September 2024 by dissatisfied administrators from CARR and NoName057(16). They specialize in OT intrusions and “hack and leak” operations to garner media attention.
- Sector16: A novice group formed in January 2025 through collaboration with Z-Pentest, claiming responsibility for attacks on U.S. energy infrastructure.
The coalition urges Operational Technology (OT) owners to take immediate action to close these digital backdoors. The primary recommendation is simple but critical: “Reduce exposure of operational technology (OT) assets to the public-facing internet”.
Additionally, operators are advised to implement robust authentication procedures and maintain offline backups of engineering logic to ensure they can recover manual control if their digital systems are compromised.
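The “minimally secured” VNC exposure described above, and the authentication hardening the advisory recommends, can both be checked from the wire: a VNC server announces which authentication methods it accepts during the RFB handshake before any credential is sent. The following Python script is an added example, not code from the advisory or from any of the agencies behind it. It parses the RFB version banner and security-type list defined in RFC 6143 and flags servers that advertise security type 1 (“None”, no authentication at all) or only type 2 (the legacy 8-character DES password challenge). The sample handshakes embedded below are constructed for illustration; the optional `probe()` function opens a real connection and should only be pointed at HMIs you own or are authorized to test.

```python
"""Classify a VNC server's authentication posture from its RFB handshake.

Added example for illustration; not part of the CISA/FBI/NSA advisory.
Protocol details follow RFC 6143 (The Remote Framebuffer Protocol).
"""
import socket
import struct

# Security types from RFC 6143 section 7.1.2 plus common registered extensions.
RFB_NONE = 1          # no authentication: anyone who can reach the port gets the desktop
RFB_VNC_AUTH = 2      # classic VNC auth: DES challenge/response on a max 8-char password
SECURITY_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_server_version(banner: bytes):
    """Turn b'RFB 003.008\\n' into (3, 8); reject anything that is not an RFB banner."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB version banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, data: bytes):
    """Return the list of security types the server offers.

    RFB 3.7+: u8 count, then `count` u8 type codes (count 0 = refusal + reason string).
    RFB 3.3:  a single u32 security type chosen by the server.
    """
    if not data:
        raise ValueError("server closed the connection before sending security types")
    if version >= (3, 7):
        count = data[0]
        if count == 0:
            (reason_len,) = struct.unpack(">I", data[1:5])
            reason = data[5:5 + reason_len].decode("utf-8", errors="replace")
            raise ConnectionError("server refused connection: %s" % reason)
        return list(data[1:1 + count])
    (sec_type,) = struct.unpack(">I", data[:4])
    return [sec_type]


def assess(banner: bytes, security_data: bytes):
    """Map a captured handshake to a verdict a practitioner can act on."""
    version = parse_server_version(banner)
    types = parse_security_types(version, security_data)
    if RFB_NONE in types:
        verdict = "CRITICAL: server accepts unauthenticated VNC sessions"
    elif set(types) <= {RFB_VNC_AUTH}:
        verdict = "WEAK: only legacy VNC password auth (8-char DES challenge)"
    else:
        verdict = "OK: non-legacy security types offered"
    return {
        "version": version,
        "security_types": types,
        "names": [SECURITY_NAMES.get(t, "Unknown(%d)" % t) for t in types],
        "verdict": verdict,
    }


def probe(host: str, port: int = 5900, timeout: float = 3.0):
    """Live check against a host you own: complete the version exchange, read security types."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        version = parse_server_version(banner)
        sock.sendall(b"RFB %03d.%03d\n" % version)   # agree to the server's version
        security_data = sock.recv(256)
    return assess(banner, security_data)


# Constructed sample handshakes (not captured from any real system).
SAMPLES = {
    "hmi-no-auth":   (b"RFB 003.008\n", b"\x01\x01"),               # offers only None
    "hmi-vnc-pass":  (b"RFB 003.008\n", b"\x01\x02"),               # offers only VNC auth
    "hmi-rfb33":     (b"RFB 003.003\n", b"\x00\x00\x00\x02"),       # RFB 3.3 server picks type 2
    "hmi-vencrypt":  (b"RFB 003.008\n", b"\x02\x13\x02"),           # VeNCrypt plus VNC auth
}

if __name__ == "__main__":
    for name, (banner, data) in SAMPLES.items():
        result = assess(banner, data)
        print("%-13s RFB %d.%d  %-28s %s" % (name, *result["version"],
                                              ",".join(result["names"]), result["verdict"]))
```

The “OK” verdict only means the server is not relying on the two weakest methods; a server that offers VeNCrypt alongside classic VNC auth can still be downgraded by a client that picks type 2, so the list of offered types is returned as well. Either way, the advisory’s first recommendation stands: an HMI whose VNC port answers at all from the public internet is exposed, regardless of which authentication it negotiates.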