(TLP:CLEAR) Joint Cybersecurity Advisory – Pro-Russia Hacktivists Conduct Opportunistic Attacks Against U.S. and Global Critical Infrastructure
Created: Thursday, December 11, 2025 - 15:31
Categories: Cybersecurity, Federal & State Resources, OT-ICS Security, Security Preparedness
Summary: This week, CISA, in collaboration with other U.S. and international partners, published a joint cybersecurity advisory on pro-Russia hacktivist groups conducting less sophisticated, low-impact attacks against critical infrastructure entities. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to gain access to operational technology (OT) control devices within critical infrastructure systems. Given hacktivist groups' increased targeting of water and wastewater utilities, WaterISAC members are strongly encouraged to read this advisory and apply the recommended mitigations.
Analyst Note: Over the past several years, pro-Russia hacktivist groups have been observed conducting cyber operations against numerous organizations and critical infrastructure sectors worldwide. The escalation of the Russian-Ukrainian conflict in 2022 significantly increased the number of these pro-Russia groups. WaterISAC’s 2025 “Threat Analysis Report” noted that hacktivists have increasingly sought to attack water and wastewater utilities’ OT devices. In a Forescout report, “The Rise of State-Sponsored Hacktivism,” which analyzed 780 hacktivist attacks in 2024, water utilities made up the largest group targeted.
Pro-Russia hacktivist groups seek notoriety, often making false or exaggerated claims about their attacks on critical infrastructure. “The targeting methodology of these groups is opportunistic, leveraging superficial criteria such as victim availability and existing vulnerabilities. With an opportunistic approach, this group has a broad array of targets, ranging from water treatment facilities to oil well systems, all of which are compromised using similar tactics, techniques, and procedures,” according to the advisory.
Actions in this advisory that will help organizations reduce the risk of being targeted through VNC connections include:
- Reduce exposure of OT assets to the public-facing internet.
- Adopt mature asset management processes, including mapping data flows and access points.
- Ensure that OT assets are using robust authentication procedures.
Critical infrastructure owners and operators are strongly recommended to review this advisory and implement recommended actions and mitigations to reduce the risk of pro-Russia hacktivists targeting control networks through VNC connections.
Accompanying this advisory, the U.S. Department of Justice (DOJ) announced on Tuesday that it indicted a Ukrainian national for her role in conducting cyber attacks against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Concurrent with DOJ’s actions, the U.S. Department of State announced rewards of up to $2 million for information on individuals associated with the Cyber Army of Russia Reborn hacktivist group and up to $10 million for information on individuals associated with the NoName hacktivist group.
Original Source: https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia-hacktivists-attack-us-and-global-critical-infrastructure
Additional Reading:
- Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
- (TLP:CLEAR) Canada’s Cyber Centre Warns of Internet-Accessible ICS Abused by Hacktivists, Water Facility Breach
- (TLP:AMBER) Gate 15 Threat Awareness & Resilience Guidance Report: State-Sponsored Hacktivism 2025 (3 September 2025)
- (TLP:GREEN) Forescout Report – The State of State-Sponsored Hacktivist Attacks
Mitigation Recommendations:
- Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity
- Security considerations for industrial control systems
Related WaterISAC PIRs: 6, 6.1, 7, 8, 10, 10.2
