On December 9, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners, released advisory AA25-343A, warning that pro-Russia hacktivist groups were conducting opportunistic cyberattacks against US and global infrastructure.
The groups, including the Cyber Army of Russia Reborn (CARR) and Z-Pentest, exploited minimally secured, internet-facing virtual network computing (VNC) connections to gain access to operational technology (OT) devices in sectors such as Water and Wastewater Systems, Food and Agriculture, and Energy.
These attacks, observed throughout 2024 and into 2025, were primarily aimed at gaining notoriety rather than causing large-scale disruption, yet resulted in temporary loss of view, manipulation of HMI settings, and operational costs for affected organizations.
According to the Department of Justice, “The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her with her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her with her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matters on Feb. 3, 2026 and in the CARR matter on April 7, 2026.”
The CISA advisory from December 9, 2025, fits into the larger history of pro-Russia hacktivist activity as a formal warning and guidance for infrastructure organizations following years of cyberattacks by groups like Cyber Army of Russia Reborn (CARR) and NoName057(16). These groups, active since at least 2022, carried out DDoS attacks, intrusions into OT, and manipulations of industrial control systems, often posting videos or images of their attacks to Telegram to claim credit.
The advisory complements the Department of Justice’s December 9, 2025, announcement of indictments against Victoria Dubranova for supporting CARR and NoName, which highlights the state-backed or state-sanctioned nature of these operations. It also aligns with previous US sanctions, such as those issued on July 19, 2024, against CARR members Yuliya Pankratova and Denis Degtyarenko.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Groups like Cyber Army of Russia Reborn (CARR), NoName057(16), and Z-Pentest carry out cyberattacks supporting Russia’s geopolitical interests.
They conduct DDoS attacks, intrude into industrial control systems, manipulate OT devices, and post proof of attacks online.
They exploit internet-facing VNC connections, use weak or default passwords, and sometimes perform password brute force attacks.