Pro-Russia Hacktivist Groups Conducting Opportunistic OT/ICS Attacks Against Critical Infrastructure
Severity: High | CVSS: N/A
The Situation
Pro-Russia hacktivist groups—including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16—are conducting unsophisticated but persistent attacks against operational technology (OT) and industrial control systems (ICS) in critical infrastructure sectors. These actors exploit internet-exposed virtual network computing (VNC) devices using basic reconnaissance tools, default credentials, and password brute-force techniques to gain remote access to human-machine interface (HMI) devices.
Why It Matters
While individual attacks lack sophistication, the widespread availability of exposed VNC services and weak authentication mechanisms enable broad targeting across water, wastewater, food and agriculture, and energy sectors. Successful intrusions have resulted in physical damage, operational disruption, and loss of view incidents requiring manual intervention. The groups' collaborative structure and active knowledge-sharing amplify attack propagation and increase incident frequency across critical infrastructure globally.
Technical Details (IOCs)
- Attack Vector: Internet-exposed VNC services on default ports 5900 and adjacent ports (5901-5910)
- Initial Access Method: Vulnerability scanning using Nmap and OpenVAS to identify exposed VNC devices; password brute-force attacks using temporary virtual private servers (VPS)
- Credential Exploitation: Default credentials, weak passwords, and password spraying against HMI devices
- Post-Access Manipulation: Modification of usernames/passwords, parameter changes, instrument settings alterations, alarm suppression, device name changes, and system restarts via HMI graphical user interface
- Threat Actor Groups: CARR (GRU unit 74455-linked), NoName057(16) (Kremlin-affiliated CISM project), Z-Pentest (CARR/NoName057(16) merger), Sector16 (emerged January 2025)
- Targeting Methodology: Opportunistic, non-strategic selection based on device availability and existing vulnerabilities rather than operational significance
- Impact Tactics: Loss of view (credential lockout), parameter manipulation, alarm disabling, defacement, and operational disruption to generate media attention and demonstrate capability
- MITRE ATT&CK Techniques: T0883 (Internet Accessible Device), T1595.002 (Vulnerability Scanning), T1583.003 (VPS Acquisition), T1021.005 (VNC Remote Services), T1110.003 (Password Spraying), T0812 (Default Credentials), T0859 (Valid Accounts), T0823 (GUI Interaction), T0836 (Parameter Modification), T0892 (Credential Change), T0878 (Alarm Suppression), T0829 (Loss of View)
Remediation / Mitigation
- Network Exposure Reduction:
  - Eliminate internet-facing VNC connections; implement network segmentation between IT and OT networks with demilitarized zones (DMZ)
  - Deploy attack surface management services to identify exposed VNC systems within owned IP ranges
  - Implement firewall/VPN with default-deny policies; restrict inbound/outbound traffic to authorized destinations and protocols only
  - Disable public exposure by default; implement time-limited remote access windows
  - Configure strict egress filtering to prevent unauthorized data exfiltration and command-and-control callbacks
- Asset Management and Inventory:
  - Maintain a complete asset inventory mapping data flows and access points for OT/IT systems
  - Keep VNC and remote access services updated to the latest versions with security patches
  - Reference CISA/partner guidance on OT Cybersecurity Asset Inventory for critical asset identification
- Authentication Hardening:
  - Eliminate all default credentials; mandate strong, unique passwords for operator-accessible services
  - Implement multi-factor authentication (MFA) where feasible; establish IP allowlists restricted to authorized addresses and operator working hours
  - Disable unused authentication methods, default keys, and high ephemeral ports
  - Monitor and alert on unsuccessful automated login attempts and access attempts from non-allowlisted addresses
  - Require authentication before authorizing access to field controller state, logic, programs, or filesystems
- Control System Security Features:
  - Separate and audit view-only versus control functions; limit remote/default accounts to read-only access
  - Enable logging of safety-impacting changes in open standard formats (manufacturers should provide this at no additional cost)
  - Review and alert on setpoint range deviations to maintain safe operational parameters
- Business Continuity and Recovery:
  - Develop and practice disaster recovery/business continuity plans, including manual operation scenarios
  - Create and regularly test backups of HMI engineering logic, configurations, and firmware
  - Maintain redundancy, fail-safe mechanisms, and islanding capabilities for rapid recovery
- Monitoring and Detection:
  - Collect and monitor OT asset and network device traffic for unusual logins, unexpected protocols, and ICS management protocol changes
  - Audit firewall rulesets regularly; monitor outbound traffic patterns for beaconing and anomalous protocol usage
- Procurement and Secure by Design:
  - Follow CISA/partner guidance on Secure by Design when selecting OT digital products
  - Require manufacturers to eliminate default credentials, mandate MFA for privileged users, and publish Software Bills of Materials (SBOMs)
  - Demand secure-by-default design principles with user notification of insecure states
- Incident Response Protocol:
  - Isolate/quarantine compromised hosts immediately upon discovery of weak/default credentials
  - Initiate threat hunting to scope the intrusion; collect running processes, authentications, and network connections
  - Reimage compromised hosts and provision new credentials
  - Report the compromise to CISA, FBI, NSA, or regional cybersecurity authorities
  - Harden the network per the mitigation guidance above to prevent additional malicious activity
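As an added illustration of the authentication-monitoring and detection bullets above, tied to the VNC port range listed under Technical Details (example code written for this summary, not part of the advisory): a small detector that reads connection records for ports 5900-5910 and raises alerts for non-allowlisted sources, access outside operator hours, and bursts of failed logins followed by a success. The log format, the allowlisted jump host 10.20.30.5 and the 07:00-19:00 operator window are assumptions; the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory): inbound connections to a VNC listener.
SAMPLE_LOG = """\
2025-03-02T02:00:10 src=203.0.113.7 dport=5900 auth=fail
2025-03-02T02:00:41 src=203.0.113.7 dport=5900 auth=fail
2025-03-02T02:01:15 src=203.0.113.7 dport=5900 auth=fail
2025-03-02T02:02:03 src=203.0.113.7 dport=5900 auth=fail
2025-03-02T02:03:30 src=203.0.113.7 dport=5900 auth=fail
2025-03-02T02:04:12 src=203.0.113.7 dport=5900 auth=ok
2025-03-02T02:05:00 src=203.0.113.7 dport=22 auth=fail
2025-03-02T10:00:05 src=198.51.100.22 dport=5901 auth=fail
2025-03-02T22:30:44 src=10.20.30.5 dport=5900 auth=ok
"""

VNC_PORTS = range(5900, 5911)   # 5900 plus the adjacent 5901-5910
ALLOWLIST = {"10.20.30.5"}      # assumed operator jump host
OPERATOR_HOURS = (7, 19)        # assumed 07:00-19:00 shift window
LOG_RE = re.compile(r"^(\S+) src=([\d.]+) dport=(\d+) auth=(ok|fail)$")

def parse(line):
    """Return (timestamp, src, dport, auth) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dport, auth = m.groups()
    return datetime.fromisoformat(ts), src, int(dport), auth

def analyze(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Map alert kind -> set of source IPs that triggered it."""
    alerts = defaultdict(set)
    fails = defaultdict(list)   # src -> timestamps of recent auth failures
    for ev in map(parse, log_text.splitlines()):
        if ev is None or ev[2] not in VNC_PORTS:
            continue            # skip malformed lines and non-VNC ports
        ts, src, _, auth = ev
        if src not in ALLOWLIST:
            alerts["non_allowlist_source"].add(src)
        if not OPERATOR_HOURS[0] <= ts.hour < OPERATOR_HOURS[1]:
            alerts["outside_operator_hours"].add(src)
        if auth == "fail":
            # sliding window of failures per source: a burst means spraying
            fails[src] = [t for t in fails[src] if ts - t <= window] + [ts]
            if len(fails[src]) >= fail_threshold:
                alerts["vnc_bruteforce"].add(src)
        elif src in alerts.get("vnc_bruteforce", ()):
            alerts["bruteforce_then_success"].add(src)  # success after a burst
    return dict(alerts)
```

Feeding this the same records your firewall or VNC gateway already produces turns the allowlist and working-hours controls into alerts rather than silent policy; the `bruteforce_then_success` kind is the one to treat as a probable compromise and hand to the incident response steps above.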
Disclaimer: This is automated threat intelligence. Verify patches in a staging environment before deploying to production. Report suspicious activity to CISA (contact@cisa.dhs.gov, 1-844-729-2472), FBI field offices, or NSA (CybersecurityReports@nsa.gov).