Pro-Russia hacktivists target infrastructure in global cyber attacks

On December 9, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners, released advisory AA25-343A, warning that pro-Russia hacktivist groups were conducting opportunistic cyberattacks against US and global infrastructure.

What happened

The groups, including the Cyber Army of Russia Reborn (CARR) and Z-Pentest, exploited minimally secured, internet-facing virtual network computing (VNC) connections to gain access to operational technology (OT) devices in sectors such as Water and Wastewater Systems, Food and Agriculture, and Energy.

These attacks, observed throughout 2024 and into 2025, were primarily aimed at gaining notoriety rather than causing large-scale disruption, yet resulted in temporary loss of view, manipulation of HMI settings, and operational costs for affected organizations.

Going deeper

• Groups include Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16.
• They exploit internet-facing VNC connections to access devices remotely.
• They often use weak, default, or stolen passwords to gain entry.
• Their attacks are opportunistic, targeting easily accessible systems rather than strategically important ones.
• They capture screenshots or record device activity to show intrusions.
• They change device settings, modify parameters, or disable alarms.
• They sometimes post videos or images of their intrusions on social media.
• They rarely cause large-scale damage but can disrupt operations and create extra costs.
• They cooperate with each other to share tactics and amplify their actions.
  
  

What was said

According to the Department of Justice, “The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her with her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her with her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matters on Feb. 3, 2026 and in the CARR matter on April 7, 2026.”

The bigger picture

The CISA advisory from December 9, 2025, fits into the larger history of pro-Russia hacktivist activity as a formal warning and guidance for infrastructure organizations following years of cyberattacks by groups like Cyber Army of Russia Reborn (CARR) and NoName057(16). These groups, active since at least 2022, carried out DDoS attacks, intrusions into OT, and manipulations of industrial control systems, often posting videos or images of their attacks to Telegram to claim credit.

The advisory complements the Department of Justice’s December 9, 2025, announcement of indictments against Victoria Dubranova for supporting CARR and NoName, which highlights the state-backed or state-sanctioned nature of these operations. It also aligns with previous US sanctions, such as those issued on July 19, 2024, against CARR members Yuliya Pankratova and Denis Degtyarenko.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

Who are the pro-Russia hacktivist groups?

Groups like Cyber Army of Russia Reborn (CARR), NoName057(16), and Z-Pentest carry out cyberattacks supporting Russia’s geopolitical interests.

What types of attacks do they perform?

They conduct DDoS attacks, intrude into industrial control systems, manipulate OT devices, and post proof of attacks online.

How do they gain access to systems?

They exploit internet-facing VNC connections, use weak or default passwords, and sometimes perform password brute force attacks.