
Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

4 unique sources, 5 articles

Summary


Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services.

According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. In some cases these intrusions have had physical impacts, including temporary loss of view and costly manual recovery efforts.

The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive distributed denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses.

Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026, which require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.

Timeline

  1. 09.02.2026 23:15 · 1 article

    Researcher to Demonstrate Advanced OT Attack Techniques at RSA Conference 2026

    Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026. These attacks require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions. The demonstration will show how attackers can weaponize S7comm, Siemens' proprietary protocol, to leak sensitive data and transmit attacks across devices.

  2. 19.01.2026 17:30 · 2 articles

    NCSC Warns of Increased Pro-Russia Hacktivist DDoS Attacks on UK

    The NCSC has issued a warning about continued disruptive cyber attacks against UK organisations, including local government bodies and operators of critical national infrastructure. Russian-aligned hacktivist groups are targeting UK and global organisations with denial-of-service (DoS) attacks to disrupt operations, take websites offline, and disable services. The NCSC highlights ongoing campaigns by Russian state-aligned hacktivist groups and urges organisations to review defences and strengthen cyber resilience. The NCSC co-sealed an advisory in December 2025 with international partners, warning that pro-Russian hacktivist groups have been conducting cyber operations worldwide. NoName057(16) has been active since March 2022 and has carried out frequent DDoS attempts against UK local government and other European countries. The group operates through Telegram channels and uses platforms such as GitHub to host its DDoSia tool and share tactics and techniques with supporters. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses.

  3. 09.12.2025 14:00 · 4 articles

    Pro-Russia Hacktivists Exploit VNC Connections to Target Critical Infrastructure

    Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing VNC connections to gain unauthorized access to OT control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. In some cases these intrusions have had physical impacts, including temporary loss of view and costly manual recovery efforts. Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026, which require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.


Similar Happenings

Critical OT Cybersecurity Gaps Identified in Energy Systems

A study by OMICRON has revealed significant cybersecurity vulnerabilities in the operational technology (OT) networks of substations, power plants, and control centers worldwide. The analysis, based on data from over 100 installations, highlights technical, organizational, and functional issues that leave critical energy infrastructure exposed to cyber threats. The findings underscore the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures. Vulnerabilities include unpatched devices, insecure external connections, weak network segmentation, and incomplete asset inventories. Organizational factors such as unclear responsibilities for OT security, limited resources, and departmental silos also contribute to these risks.

Global Agencies Release OT Network Security Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and international partners have released a new set of security principles aimed at securing operational technology (OT) environments. The guidance addresses the growing risks associated with insecure connectivity in systems that support essential services, providing a framework to help organizations design and manage secure connectivity in OT networks. The document emphasizes the importance of embedding security into network design from the outset to reduce exposure to both highly capable and opportunistic adversaries, including nation-state actors. It highlights the increased interconnection between industrial systems and enterprise networks, which has improved efficiency but expanded the attack surface for cyber threat actors.

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Hacktivist-Driven DDoS Attacks Dominate Public Sector Cyber Incidents

Distributed denial of service (DDoS) attacks, primarily driven by hacktivist groups, represented the majority of cybersecurity incidents in the public sector in 2024. Although DDoS attacks were the most frequent, data breaches and ransomware incidents caused significant disruption. The public sector, which manages large volumes of sensitive data and delivers critical services, remains a key target for cyber threats. The European Union Agency for Cybersecurity (ENISA) reported that 60% of cybersecurity incidents in the public sector were DDoS attacks, with 63% attributed to hacktivist groups. Cybercriminals and state actors were responsible for most of the remaining incidents, which included data breaches and ransomware attacks. The public sector's resilience to cyber threats is still not optimal, and ENISA warns of increased attacks in the mid- to long-term.

Manufacturing Sector Faces Persistent OT Security Challenges

The manufacturing sector continues to grapple with significant operational technology (OT) security challenges, including legacy systems, lack of visibility, and human factors. The industry's focus on IT security often overshadows OT security, despite the growing attack surface and interconnected nature of modern manufacturing environments. Recent incidents, such as the ransomware attack on Asahi, highlight the financial and supply chain risks associated with OT breaches. Experts emphasize the need for better awareness, identity-focused security strategies, and comprehensive governance to improve OT security in manufacturing.