
Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

3 unique sources, 4 articles

Summary


Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces (HMIs). In some cases these intrusions have had physical impacts, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive distributed denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers.
Despite these efforts, the group has returned to action, highlighting the evolving threat they pose.

Timeline

  1. 19.01.2026 17:30 2 articles · 1d ago

    NCSC Warns of Increased Pro-Russia Hacktivist DDoS Attacks on UK

    The NCSC has issued a warning about continued disruptive cyber attacks against UK organisations, including local government bodies and operators of critical national infrastructure. Russian-aligned hacktivist groups are targeting UK and global organisations with denial-of-service (DoS) attacks to disrupt operations, take websites offline, and disable services. The NCSC highlights ongoing campaigns by Russian state-aligned hacktivist groups and urges organisations to review their defences and strengthen cyber resilience. The NCSC co-sealed an advisory in December 2025 with international partners, warning that pro-Russian hacktivist groups have been conducting cyber operations worldwide. NoName057(16) has been active since March 2022 and has carried out frequent DDoS attempts against UK local government and other European countries. The group operates through Telegram channels and uses platforms such as GitHub to host its DDoSia tool and share tactics and techniques with supporters. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses.

  2. 09.12.2025 14:00 3 articles · 1mo ago

    Pro-Russia Hacktivists Exploit VNC Connections to Target Critical Infrastructure

    Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing VNC connections to gain unauthorized access to OT control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces (HMIs). In some cases these intrusions have had physical impacts, including temporary loss of view and costly manual recovery efforts.

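The common thread in the summary and in the December 2025 entry is VNC exposed to the internet with no authentication or a guessable password. The check a defender wants before an opportunistic group finds it is an inventory of which exposed VNC listeners offer the "None" security type or only classic VNC Authentication. The script below is an added example written for this page; it is not code from CISA, the NCSC or any vendor cited, and it does not touch any real device. It parses the RFB handshake as specified in RFC 6143 (3.3 sends one 32-bit security type; 3.7 and later send a count followed by a list), stops before any authentication step, and classifies what was offered. Security-type numbers other than 1 (None) and 2 (VNC Authentication) are taken from the IANA RFB registry as an assumption; the server replies in SAMPLES are constructed, not captured. Only run probe_host against hosts you are authorised to test.

```python
"""Classify what a VNC (RFB) server offers in its handshake. Added illustration for
this page, not code from any cited advisory or vendor. Sample replies are constructed."""
import socket
import struct

# 1 and 2 are from RFC 6143; the remaining numbers are assumed from the IANA RFB registry.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD"}
WEAK = {1, 2}  # no auth, or a password-only DES challenge with 8 significant characters


def parse_version(banner: bytes):
    """b'RFB 003.008\\n' -> (3, 8); anything else is not an RFB ProtocolVersion banner."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def _reason(data: bytes) -> str:
    """Failure reason: U32 length followed by that many bytes of text."""
    (n,) = struct.unpack(">I", data[:4])
    return data[4:4 + n].decode("latin-1", "replace")


def parse_security_offer(version, data: bytes):
    """Security types the server offers once the version is agreed.

    RFB 3.3: a single U32 type, where 0 means the connection failed.
    RFB 3.7+: U8 count then `count` U8 types; count 0 means failure plus a reason string.
    """
    if version < (3, 7):
        (sec,) = struct.unpack(">I", data[:4])
        if sec == 0:
            raise ConnectionError(_reason(data[4:]))
        return [sec]
    count = data[0]
    if count == 0:
        raise ConnectionError(_reason(data[1:]))
    return list(data[1:1 + count])


def classify(types):
    """Map the offered types to names and a verdict a defender can triage on."""
    names = [SECURITY_TYPES.get(t, "type %d" % t) for t in types]
    if 1 in types:
        verdict = "CRITICAL: server accepts sessions with no authentication"
    elif set(types) <= WEAK:
        verdict = "HIGH: password-only VNC Authentication (DES challenge, no lockout)"
    elif set(types) & WEAK:
        verdict = "HIGH: weak type offered beside stronger ones; a client may select it"
    else:
        verdict = "REVIEW: only encrypted/extended types offered; still should not face the internet"
    return names, verdict


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the handshake")
        buf += chunk
    return buf


def probe(sock):
    """Run the handshake on a connected socket-like object (sendall/recv) up to the
    security-type offer. No credentials are sent and no authentication is attempted."""
    banner = _recv_exact(sock, 12)
    version = parse_version(banner)
    sock.sendall(banner)  # echo the server's version so 3.3 and 3.8 servers both proceed
    types = parse_security_offer(version, sock.recv(256))
    names, verdict = classify(types)
    return version, names, verdict


def probe_host(host, port=5900, timeout=3.0):
    """Probe a real listener; use only against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe(s)


class FakeSocket:
    """Replays constructed server replies so the example runs offline."""
    def __init__(self, replies):
        self._replies = list(replies)
    def sendall(self, data):
        pass
    def recv(self, n):
        return self._replies.pop(0)[:n] if self._replies else b""


SAMPLES = {  # constructed, not captured from any real HMI
    "open_hmi": [b"RFB 003.008\n", b"\x01\x01"],                 # 3.8, offers None only
    "password_only": [b"RFB 003.008\n", b"\x01\x02"],            # 3.8, VNC Authentication only
    "legacy_33": [b"RFB 003.003\n", b"\x00\x00\x00\x02"],        # 3.3, single U32 type = 2
    "mixed": [b"RFB 003.008\n", b"\x03\x13\x12\x01"],            # VeNCrypt, TLS, and None
    "refused": [b"RFB 003.008\n", b"\x00" + struct.pack(">I", 8) + b"Too many"],
}


def run_samples():
    """Probe every constructed sample; returns name -> verdict (or 'REFUSED: reason')."""
    results = {}
    for name, replies in SAMPLES.items():
        try:
            results[name] = probe(FakeSocket(replies))[2]
        except ConnectionError as e:
            results[name] = "REFUSED: " + str(e)
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-14s %s" % (name, verdict))
```

A "CRITICAL" result is the exact condition the advisory describes: anyone who can reach the port gets the HMI desktop. A "HIGH" result still matters because classic VNC Authentication truncates the password to eight characters and has no lockout, which is what makes the password-guessing noted above cheap. Either way the fix the advisory asks for is the same: take the service off the internet and reach it through a VPN with MFA.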


Similar Happenings

Hacktivist-Driven DDoS Attacks Dominate Public Sector Cyber Incidents

Distributed denial of service (DDoS) attacks, primarily driven by hacktivist groups, represented the majority of cybersecurity incidents in the public sector in 2024. Although DDoS attacks were the most frequent, data breaches and ransomware incidents caused significant disruption. The public sector, which manages large volumes of sensitive data and delivers critical services, remains a key target for cyber threats. The European Union Agency for Cybersecurity (ENISA) reported that 60% of cybersecurity incidents in the public sector were DDoS attacks, with 63% attributed to hacktivist groups. Cybercriminals and state actors were responsible for most of the remaining incidents, which included data breaches and ransomware attacks. The public sector's resilience to cyber threats is still not optimal, and ENISA warns of increased attacks in the mid- to long-term.

Hacktivist Intrusions Target Canadian Water and Energy Facilities

Hacktivists have breached critical infrastructure systems in Canada, tampering with industrial controls at a water treatment facility, an oil and gas firm, and an agricultural facility. These incidents highlight the risks of poorly secured Industrial Control Systems (ICS) and the need for stronger security measures. The breaches resulted in degraded service, false alarms, and potentially unsafe conditions. The attacks were opportunistic and aimed at attracting media attention and undermining trust in Canadian authorities. No catastrophic consequences were reported, but the incidents underscore the vulnerabilities in ICS components such as PLCs, SCADA systems, HMIs, and industrial IoT devices.

Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. 
Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.

UK NCSC Reports Significant Increase in Nationally Significant Cyber Incidents

The UK’s National Cyber Security Centre (NCSC) reported 204 “nationally significant” cyber incidents between September 2024 and August 2025, representing a 130% increase from the previous year. The NCSC received 1,727 incident tips, with 429 elevated to incidents requiring support. Recent high-profile attacks on Marks & Spencer, the Co-op Group, and Jaguar Land Rover highlighted the real-world impact of cyber threats. The NCSC emphasized the need for urgent action from business leaders to enhance cybersecurity defenses. The UK government has urged senior executives to better prepare for cyber-attacks, noting that cybersecurity has been treated as a middle-management concern for too long. The NCSC's 2025 Annual Review included a letter from the CEO of the Co-op Group, emphasizing the responsibility of senior leaders in protecting their businesses. The NCSC launched the Cyber Action Toolkit to help small organizations improve their cyber defenses.

Manufacturing Sector Continues to Face Heightened Ransomware Threats

Manufacturing remains the top target for ransomware attacks, with 22% of all reported incidents between April 2024 and March 2025. The sector's critical role in global supply chains makes it an attractive target for attackers who exploit security gaps and leverage AI to enhance their tactics. Recent high-profile incidents, such as the attack on Jaguar Land Rover, highlight the severe disruption and financial losses caused by these attacks. The manufacturing industry's reliance on legacy systems and the convergence of IT and OT environments create significant security challenges. Experts emphasize the need for robust patch management, network segmentation, and proactive third-party risk management to mitigate these threats.