An official website of the United States government
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Dec. 9, 2025

NSA, FBI, and Others Call Out Pro-Russia Hacktivist Groups Targeting Critical Infrastructure

FORT MEADE, Md.  –   FORT MEADE, Md. – The National Security Agency (NSA) is joining the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and over 20 others to release the Cybersecurity Advisory (CSA), “Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure,” and provide recommended mitigations to reduce the likelihood and impact of related incidents.

The authoring agencies have observed pro-Russia hacktivist groups—attributed to the Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—capitalizing on the widespread availability of inadequately secured virtual network computing (VNC) connections to infiltrate operational technology (OT) control devices within critical infrastructure systems and conduct cyber operations against organizations worldwide.

The groups’ ongoing opportunistic targeting methodology can lead to broad targeting and indiscriminate compromise of critical infrastructure entities, including those in Water and Wastewater, Food and Agriculture, and the Energy Sector. Further, their observed lack of strategic focus increases the likelihood of targeting of unintended victims, and tends to result in haphazard attacks with unanticipated damages.

These actors are primarily seeking notoriety with their actions, regularly self-attributing and exaggerating cyberattacks on social media and in group channels to garner attention from peers and the media. Despite this, and their lack of sophisticated ability, actors have been observed willfully causing damage to vulnerable critical infrastructure.

These actors utilize simple, cheap, and easy-to-replicate tactics, techniques, and procedures (TTPs) for the ease of dissemination and replication across various entities, increasing the risk of wide-spread adoption by other cyber actors and escalated frequency of attacks. The authoring agencies warn there is risk that continued attacks may result in further harm or consequences.

Critical infrastructure entities, OT asset owners and operators, and OT device manufactures are encouraged to become familiar with the outlined TTPs and apply the recommended mitigation strategies to reduce the likelihood and impact of incidents related to pro-Russia hacktivists. The report also provides incident response actions organizations should take if compromise is detected.

Read the full report here

Visit our full library for more cybersecurity information and technical guidance

 

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721

Critical Infrastructure virtual network computing malicious cyber actor Cyber Army of Russia Reborn CARR Z-Pentest NoName057 Sector16 GRU cyber_1ce_killer CIKR SCADA Category/Topics: Russia cybercriminal Operational Technology secure by design
Hosted by Defense Media Activity - WEB.mil Veterans Crisis Line number. Dial 988 then Press 1