DOJ and CISA warn of Russia-linked cyber attacks on US infrastructure

Federal agencies say multiple Russia-backed groups have targeted food, water, and regulatory systems.

 

What happened

The Department of Justice and the Cybersecurity and Infrastructure Security Agency issued a joint advisory warning that several Russia-linked hacking groups have carried out cyber attacks against US critical infrastructure organizations. According to reporting by Recorded Future News, the advisory attributes activity to CyberArmyofRussia_Reborn, NoName057(16), and related groups that have targeted the food, water, energy, and nuclear regulatory sectors since 2022. US officials said the attacks included a November 2024 incident at a meat processing facility in Los Angeles that spoiled large quantities of food and caused an ammonia leak.

 

Going deeper

Federal investigators said the groups relied on scanning the internet for poorly secured systems, particularly remote access services used to manage operational technology. In several cases, attackers accessed control systems tied to water and wastewater facilities, manufacturing plants, and food production sites. Prosecutors said one attack caused damage to controls and resulted in hundreds of thousands of gallons of drinking water being released. While the groups were described as having limited technical depth, officials said their lack of understanding did not prevent real-world operational impact. Authorities also linked the activity to efforts that expanded after Russia invaded Ukraine, with the groups increasingly coordinating attacks and sharing tooling.

 

What was said

Justice Department officials said indictments have been issued against individuals tied to the groups, including a member accused of participating in attacks on US water infrastructure. FBI cyber division leadership said the attacks have affected a wide range of victims, including small utilities and local organizations that may not consider themselves likely targets. Officials stressed that automated scanning means any exposed system can be identified, regardless of size or location. Government representatives declined to comment on potential diplomatic consequences but confirmed that reward offers and sanctions have been issued against individuals connected to the campaigns.

 

The big picture

According to Dark Reading, attacks against US critical infrastructure have become more frequent in recent years, driven by “political adversaries [who] are constantly looking for ways to disrupt various critical sectors through cyberattacks.” Analysts warn these incidents are not just disruptive to business operations but can carry “potentially devastating physical consequences on people’s lives,” especially when operational technology systems are involved.

CISA has warned that many of these environments still face “significant security challenges that warrant immediate attention,” particularly where OT systems remain exposed to the public internet or lack basic asset visibility. In its advisory, the agency urges operators to reduce internet-facing OT assets, adopt mature asset-management practices, and ensure systems use advanced authentication.

 

FAQs

Why are critical infrastructure systems being targeted?

They often rely on legacy technology and remote access tools that were not designed for modern threat environments, which makes them attractive to attackers seeking disruption.

 

Do these attacks require advanced technical skills?

Not always. Officials said many incidents involved basic scanning and misuse of exposed services rather than complex exploitation techniques.

 

Are small organizations at risk?

Yes. Federal investigators said automated discovery tools allow attackers to find vulnerable systems regardless of an organization’s size.

 

What sectors were most affected?

Reported targets included food production, water and wastewater systems, energy-related services, and government regulatory entities.

 

What steps can organizations take to reduce risk?

They can restrict remote access exposure, apply strong authentication, monitor industrial networks, and follow CISA guidance for securing operational technology.
