Threat Intelligence | December 16, 2025 | 4 min read

CISA Warns Pro-Russia Hacktivists Attacking US Water and Energy

Joint advisory from CISA, FBI, NSA warns of pro-Russia hacktivist groups successfully compromising SCADA systems at US water, energy, and food facilities.

Alex Kowalski

A coalition of US and international security agencies has issued an urgent advisory warning that pro-Russia hacktivist groups are actively compromising industrial control systems at American water utilities, energy facilities, and food production operations. The attacks, while less sophisticated than state-sponsored intrusions, have successfully manipulated operational technology systems.

The Advisory

On December 9, 2025, CISA, FBI, NSA, Department of Energy, EPA, and international partners released joint advisory AA25-343A: "Pro-Russia Hacktivists Conduct Opportunistic Attacks Against U.S. and Global Critical Infrastructure."

This marks one of the most significant warnings about hacktivist threats to critical infrastructure in recent years.

Threat Groups Identified

The advisory identifies four primary pro-Russia hacktivist organizations:

Cyber Army of Russia Reborn (CARR)

Likely supported by GRU military unit 74455, CARR began targeting industrial control systems in late 2023. The group has demonstrated capability to access and manipulate SCADA systems.

NoName057(16)

Reportedly created by the Kremlin-affiliated "Center for the Study and Network Monitoring of the Youth Environment," this group has been active since March 2022, primarily conducting DDoS attacks against Western targets.

Z-Pentest

Formed in September 2024 from former CARR and NoName057(16) members, Z-Pentest specializes in OT intrusions and "hack and leak" operations. They maintain operational partnerships with other hacktivist groups.

Sector16

An emerging group formed in January 2025 through collaboration with Z-Pentest. They maintain a public Telegram channel where they share claims of compromising U.S. energy infrastructure.

Attack Methodology

Unlike sophisticated APT groups, these hacktivists employ opportunistic, low-sophistication techniques—but they're proving effective against poorly secured infrastructure.

Initial Access

  • Scanning the internet for exposed VNC devices on standard ports
  • Exploiting default or weak credentials
  • Targeting minimally secured, internet-facing OT systems

Attack Execution

Once inside, attackers use graphical user interfaces to:

  • Modify operational parameters
  • Suppress alarms
  • Change operator credentials (locking out legitimate users)
  • Restart or shut down devices
  • Cause loss of operational visibility

Combined Operations

In some cases, groups have performed simultaneous DDoS attacks to distract defenders while conducting SCADA intrusions.

Targeted Sectors

The advisory specifically calls out three critical infrastructure sectors:

  1. Water and Wastewater Systems - Municipal water treatment and distribution
  2. Energy Sector - Power generation and distribution facilities
  3. Food and Agriculture - Processing and production facilities

Real-World Impact

While the advisory doesn't detail specific incidents, the warning is clear: these groups have successfully accessed and manipulated control systems. The potential consequences include:

  • Disruption of water treatment processes
  • Manipulation of chemical dosing systems
  • Power distribution interference
  • Food safety system compromise
  • Public safety incidents

Why This Matters

These attacks represent a concerning evolution in hacktivist capabilities:

  1. OT Targeting: Moving beyond website defacement and DDoS to actual industrial control system manipulation
  2. Coordination: Multiple groups sharing tactics and working together
  3. Persistence: Sustained campaign rather than one-off attacks
  4. Physical Impact Potential: Unlike data breaches, OT compromises can cause real-world harm

Defensive Recommendations

The advisory provides extensive mitigation guidance for critical infrastructure operators:

Immediate Actions

  1. Reduce OT exposure to the public internet
  2. Implement robust asset management and data flow mapping
  3. Enforce strong authentication across all systems

Key Mitigations

  • Network segmentation between IT and OT environments
  • Multi-factor authentication where technically feasible
  • Firewall implementation with default-deny policies
  • Elimination of default passwords on all devices
  • Regular updates and patches for VNC and remote access systems
  • Comprehensive access logging and monitoring
  • Business continuity and disaster recovery planning
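The "comprehensive access logging and monitoring" item is the one most operators can act on immediately, because the tradecraft described above (an internet-reachable VNC service, credential guessing, then console actions such as alarm suppression and credential changes) leaves a recognisable trail in firewall, VNC and HMI logs. The script below is an added illustration, not code from the advisory or from any agency: it parses three constructed log formats (the field syntax is hypothetical, not any vendor's), flags VNC sessions allowed from outside operator-defined internal ranges, counts authentication failures per source within a sliding window, and raises the severity of high-risk operator-console events that follow an external login on the same host. The sample log lines, host names and the 203.0.113.0/24 address are constructed for the example.

```python
"""Detection sketch for the AA25-343A pattern: exposed VNC on OT hosts,
credential guessing, then operator-console manipulation.
All log formats and sample lines here are constructed for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Operator-defined internal ranges; any other source is treated as "internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
VNC_PORTS = range(5900, 5910)          # default VNC display ports 5900-5909

# Hypothetical key=value log syntax (not any real product's format).
FW_RE = re.compile(r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
VNC_RE = re.compile(r"^(?P<ts>\S+) vnc host=(?P<host>\S+) src=(?P<src>\S+) "
                    r"auth=(?P<result>ok|fail)$")
HMI_RE = re.compile(r"^(?P<ts>\S+) hmi host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"event=(?P<event>\S+)(?: (?P<detail>.*))?$")

# Console actions the advisory lists as post-access behaviour.
HIGH_RISK_EVENTS = {"alarm_suppressed", "setpoint_changed",
                    "credential_changed", "device_restart"}


def is_external(ip: str) -> bool:
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines, fail_threshold=5, window=timedelta(minutes=5),
            session_ttl=timedelta(hours=1)):
    """Return findings (dicts with at least 'kind', 'ts', 'host') in log order."""
    findings = []
    fails = defaultdict(list)      # (host, src) -> failure timestamps in window
    brute_reported = set()         # report each brute-force source only once
    external_login = {}            # host -> time of last successful external login

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := FW_RE.match(line):
            # Firewall allowed a VNC port from outside the internal ranges.
            if (m["action"] == "allow" and int(m["dport"]) in VNC_PORTS
                    and is_external(m["src"])):
                findings.append({"kind": "exposed_vnc", "ts": m["ts"],
                                 "host": m["dst"], "src": m["src"]})
        elif m := VNC_RE.match(line):
            ts, key = datetime.fromisoformat(m["ts"]), (m["host"], m["src"])
            if m["result"] == "fail":
                # Sliding window of failures per (host, source) pair.
                fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
                if len(fails[key]) >= fail_threshold and key not in brute_reported:
                    brute_reported.add(key)
                    findings.append({"kind": "vnc_bruteforce", "ts": m["ts"],
                                     "host": m["host"], "src": m["src"],
                                     "failures": len(fails[key])})
            elif is_external(m["src"]):
                external_login[m["host"]] = ts
                findings.append({"kind": "external_vnc_login", "ts": m["ts"],
                                 "host": m["host"], "src": m["src"],
                                 "after_failures": len(fails[key])})
        elif m := HMI_RE.match(line):
            if m["event"] in HIGH_RISK_EVENTS:
                ts = datetime.fromisoformat(m["ts"])
                last = external_login.get(m["host"])
                # Same action is worse when an external session is still plausible.
                recent_external = last is not None and ts - last <= session_ttl
                findings.append({"kind": "ot_" + m["event"], "ts": m["ts"],
                                 "host": m["host"], "user": m["user"],
                                 "detail": m["detail"] or "",
                                 "severity": "high" if recent_external else "medium"})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a daily report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


# Constructed sample telemetry: one intrusion sequence, then benign internal use.
SAMPLE_LOGS = """\
2025-11-03T02:14:05 fw action=allow src=203.0.113.45 dst=10.20.0.15 dport=5900
2025-11-03T02:14:06 vnc host=plc-hmi-01 src=203.0.113.45 auth=fail
2025-11-03T02:14:08 vnc host=plc-hmi-01 src=203.0.113.45 auth=fail
2025-11-03T02:14:10 vnc host=plc-hmi-01 src=203.0.113.45 auth=fail
2025-11-03T02:14:12 vnc host=plc-hmi-01 src=203.0.113.45 auth=fail
2025-11-03T02:14:14 vnc host=plc-hmi-01 src=203.0.113.45 auth=fail
2025-11-03T02:14:20 vnc host=plc-hmi-01 src=203.0.113.45 auth=ok
2025-11-03T02:15:02 hmi host=plc-hmi-01 user=operator event=alarm_suppressed tag=CL2_HIGH
2025-11-03T02:15:40 hmi host=plc-hmi-01 user=operator event=setpoint_changed tag=CL2_DOSE old=1.2 new=6.0
2025-11-03T02:16:10 hmi host=plc-hmi-01 user=operator event=credential_changed target=operator
2025-11-03T08:00:00 fw action=allow src=10.20.5.8 dst=10.20.0.15 dport=5900
2025-11-03T08:00:01 vnc host=plc-hmi-01 src=10.20.5.8 auth=ok
2025-11-03T08:05:00 hmi host=plc-hmi-01 user=operator event=trend_viewed
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS.splitlines()):
        print(f)
    print(summarize(analyze(SAMPLE_LOGS.splitlines())))
```

Two design points matter in practice. Internal ranges are declared explicitly rather than derived from `ipaddress.is_private`, because that property also covers documentation and test ranges and an operator's own address plan is the only reliable definition of "inside". The HMI events are reported even without a preceding external login (at medium severity), since a credential change or alarm suppression is worth an analyst's look regardless of how the session was established; the advisory's first recommendation, removing the exposure altogether, is what makes the external-login path disappear from these logs.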

For Device Manufacturers

CISA calls on OT vendors to:

  • Eliminate default credentials in products
  • Mandate MFA for privileged access
  • Publish Software Bills of Materials (SBOMs)
  • Implement secure-by-design principles

Reporting

Organizations that identify potential compromises should report to:

The Geopolitical Context

These attacks are explicitly tied to Russia's broader information warfare campaign. The groups amplify their activities through Telegram channels, seeking to demonstrate Western infrastructure vulnerabilities and undermine public confidence.

While individual incidents may cause limited damage, the cumulative effect serves Russian strategic objectives—and the techniques being refined today could enable more destructive attacks tomorrow.

Resources
Critical infrastructure operators should review the full advisory and implement recommended mitigations immediately. The threat is active and ongoing.
