EMERGENCY MANAGEMENT association OF TEXAS

CISA, in partnership with the Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure.

This advisory, published as an addition to the joint fact sheet on Primary Mitigations to Reduce Cyber Threats to Operational Technology (OT) released in May 2025, details that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate or gain access to OT control devices within critical infrastructure systems. 

The groups involved, including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, are taking advantage of the widespread prevalence of accessible VNC devices to execute attacks, resulting in varying degrees of impact, including physical damage.

These groups often seek notoriety by making false or exaggerated claims about their attacks. Their methods are opportunistic, leveraging superficial criteria such as victim availability and existing vulnerabilities. They attack a wide range of targets, from water treatment facilities to oil well systems, using similar tactics, techniques, and procedures.

Top Recommended Actions:

OT owners and operators and critical infrastructure entities should take the following steps to reduce the risk of attacks through VNC connections:

1.       Reduce exposure of OT assets to the public-facing internet.

2.       Adopt mature asset management processes, including mapping data flows and access points.

3.       Ensure that OT assets are using robust authentication procedures.

For more information on Russian state-sponsored threat actor activity, visit CISA’s Russia Cyber Threat Overview and Advisories page.