Pro-Russia Hackers Target US Critical Infrastructure in New Wave


Loosely organized pro-Russia hacktivist groups have been observed exploiting exposed virtual network computing (VNC) connections to breach operational technology (OT) systems across multiple sectors.

According to a new report by CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and other national and international partners, the attacks are part of a surge in low-skilled but disruptive intrusions affecting entities in water treatment, food production and energy in the US.

According to the authoring organizations, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16) and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces.

Their activity, though less advanced than that of state-directed threat groups, has led to physical impacts in some cases.

CISA said these hacktivists typically seek visibility rather than strategic advantage, often overstating the scale of incidents they publicize online.

Even so, operators have faced temporary loss of view and costly manual recovery efforts after attackers altered parameters, disabled alarms or restarted devices.

The advisory outlined how several pro-Russia collectives have expanded since 2022, with some receiving indirect or direct support from Russian state-linked organizations.

CARR and NoName057(16) collaborated extensively before forming Z-Pentest in 2024, while Sector16 emerged in early 2025 through similar alliances. Each group relies on widely available tools to scan ports, brute-force weak passwords and record screenshots of compromised systems for online distribution.


Recommended Steps For Operators

The report stressed that owners of industrial and operational technology should tighten exposure and authentication practices. Suggested measures include:

  • Reducing public internet access to OT assets

  • Adopting stronger asset management, such as mapping data flows

  • Using robust authentication, including multi-factor authentication (MFA) where possible

The advisory also highlighted the importance of network segmentation, strict firewall policies, updated software and contingency plans that allow for rapid manual operation if systems are compromised.

It warned that organizations discovering exposed systems with weak credentials should assume compromise and initiate incident response immediately.
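The password-guessing pattern described above (many failed VNC logins against an internet-facing HMI in a short window, sometimes followed by a success) is the kind of signal an operator can look for before deciding to treat a system as compromised. The following is an added example, not code from the advisory or the article; it runs over constructed, assumed-format VNC authentication log lines and flags sources that match that pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an assumed syslog-like format; not real data.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z hmi-pump-01 vncserver: auth failure from 203.0.113.7
2025-07-01T10:00:02Z hmi-pump-01 vncserver: auth failure from 203.0.113.7
2025-07-01T10:00:03Z hmi-pump-01 vncserver: auth failure from 203.0.113.7
2025-07-01T10:00:04Z hmi-pump-01 vncserver: auth failure from 203.0.113.7
2025-07-01T10:00:05Z hmi-pump-01 vncserver: auth failure from 203.0.113.7
2025-07-01T10:00:09Z hmi-pump-01 vncserver: auth success from 203.0.113.7
2025-07-01T10:30:00Z hmi-pump-01 vncserver: auth failure from 192.0.2.10
2025-07-01T11:45:00Z hmi-pump-01 vncserver: auth failure from 192.0.2.10
"""

# Assumed line layout: "<timestamp> <host> vncserver: auth <result> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vncserver: auth (?P<result>failure|success) from (?P<src>\S+)$"
)

def parse(log_text):
    """Parse matching lines into (timestamp, host, result, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["result"], m["src"]))
    return events

def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(src, host): success_after_burst} for sources with >= threshold
    failures against one host inside a sliding `window`. The bool records
    whether a successful login followed the burst: the 'assume compromise' case."""
    events = sorted(parse(log_text))
    failures = defaultdict(list)
    flagged = {}
    for ts, host, result, src in events:
        key = (src, host)
        if result == "failure":
            times = failures[key]
            times.append(ts)
            while times and ts - times[0] > window:  # drop failures outside the window
                times.pop(0)
            if len(times) >= threshold:
                flagged.setdefault(key, False)
        elif key in flagged:
            flagged[key] = True  # success after a flagged burst
    return flagged
```

Two isolated failures hours apart (the second source above) never reach the threshold and are not flagged, which keeps ordinary operator typos out of the alert.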

While these attacks remain relatively unsophisticated, the authoring agencies caution that continued activity could result in more severe consequences.

“The pro-Russia hacktivist groups highlighted in this advisory have demonstrated intent and capability to inflict tangible harm on vulnerable systems,” warned CISA executive assistant director for cybersecurity, Nick Andersen.

“In addition to implementing the recommended mitigations and rigorously validating their security controls, we are calling upon all OT device manufacturers to prioritize secure-by-design principles – because building in security from the start is essential to reducing risk and safeguarding the nation’s most vital systems.”
