TL-2026-0125 CRITICAL 2026-02-22 Campaign Report

Pro-Russia Hacktivists Target OT/ICS — GRU-Linked CARR, Z-Pentest VNC Attacks

Threadlinqs Intelligence

Tags: cisa, carr, apt44, ics-ot, vnc-exploitation, sandworm, gru, hacktivist, noname057, z-pentest

Threat ID: TL-2026-0125 | Severity: CRITICAL | Status: ACTIVE

Actors: CARR / Z-Pentest / NoName057(16) / Sector16 | Nation: Russia | Motivation: HACKTIVISM

MITRE Techniques: 27 | Detections: 9 | Attribution Confidence: HIGH


Pro-Russia hacktivists are targeting water treatment plants, power grids, and oil pipelines. The attacks are crude. The targets are real. On December 9, 2025, the FBI, CISA, NSA, DOE, EPA, and over 20 international partners published joint advisory AA25-343A documenting these ongoing operations against OT/ICS systems worldwide. The groups — Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 — exploit unsecured, internet-exposed VNC connections to manipulate HMI devices, suppress alarms, and cause physical damage to critical infrastructure. Below: the campaign analysis, MITRE ATT&CK mapping across both Enterprise and ICS frameworks, and production-ready detection queries.

CISA Joint Cybersecurity Advisory AA25-343A — FBI, NSA, and international partners documenting pro-Russia hacktivists targeting US and global critical infrastructure via VNC exploitation.

Executive Summary

Timeline

| Date | Event |
|---|---|
| 2022-02-24 | CARR established with GRU Unit 74455 support during Ukraine invasion |
| 2022-03-01 | NoName057(16) begins operations; DDoSia tool developed |
| 2023-10-01 | CARR expands from DDoS to ICS/OT attacks; European wastewater facility targeted |
| 2023-11-01 | CARR compromises HMI devices at two US dairy farms |
| 2024-05-01 | CISA issues initial OT defense fact sheet for pro-Russia hacktivists |
| 2024-07-01 | NoName057(16) and CARR jointly claim US critical infrastructure intrusions |
| 2024-09-01 | Z-Pentest formed by dissatisfied CARR members |
| 2025-01-01 | Sector16 emerges through Z-Pentest collaboration |
| 2025-05-06 | CISA publishes updated OT threat mitigation fact sheet |
| 2025-12-09 | FBI/CISA/NSA publish joint advisory AA25-343A |
| 2026-02-20 | Europol Operation Eastwood: NoName057(16) infrastructure takedown |

The GRU's Hacktivist Layer

These groups are not independent actors. Our analysis of overlapping TTPs and infrastructure confirms what intelligence assessments have established: CARR links directly to GRU Unit 74455 — the same military unit behind Sandworm, NotPetya, the Ukraine power grid attacks of 2015-2016, and Olympic Destroyer. CARR was established in late February 2022, days after Russia's full-scale invasion of Ukraine, with documented GRU technical support.

The relationship follows a five-phase disruptive playbook attributed to Sandworm by Mandiant: Living on the Edge, Living off the Land, Going for the GPO, Disrupt and Deny, and Telegraphing Success. CARR and its affiliates represent that final phase — lower-sophistication operations conducted through hacktivist personas that provide strategic deniability while advancing Russian state objectives.

By September 2024, internal friction within CARR led to the formation of Z-Pentest by dissatisfied members seeking more direct OT intrusion operations. Sector16 emerged in January 2025 through Z-Pentest collaboration, claiming compromises of US energy infrastructure. NoName057(16), active since March 2022 and allegedly created by the Kremlin-affiliated CISM organization, developed the proprietary DDoSia tool and collaborates closely with all three groups.

Technical Analysis — VNC as the Entry Point

The attack methodology is deliberately unsophisticated but effective against poorly secured OT environments. Crude attacks. Real consequences. The groups target internet-exposed VNC servers on standard ports 5900 and 5901-5910 using commodity scanning tools — a spray and pray approach that works because so many ICS environments still run with default creds baked into the appliance.

Attack Chain

  1. Reconnaissance — Nmap and OpenVAS scans identify open VNC ports across internet-facing IP ranges. Shodan and Censys queries supplement automated scanning
  2. Initial Access — Brute-force password spraying from temporary VPS infrastructure against discovered VNC connections using default or weak credentials
  3. Confirmation — Attackers document the compromised IP, port, and password, then verify HMI access via the graphical interface
  4. OT Manipulation — Through the HMI GUI, operators modify credentials (locking out legitimate users), alter setpoints and process parameters, disable alarms, rename devices to hacktivist identifiers, and force device restarts
  5. Propaganda — Attackers capture screenshots and screen recordings of compromised HMI panels, then post embellished claims to Telegram channels
  6. Amplification — Content is cross-posted across hacktivist networks, TTPs are shared with partner groups, and simultaneous DDoS attacks using DDoSia amplify operational disruption

```text
[Recon]     →  [Initial Access]  →  [OT Manipulation]  →  [Propaganda]  →  [Amplification]
 T1595.002      T1110.003            T0836, T0878          T1113            T1498
 Nmap/VNC       VPS brute-force      Setpoint change       Screenshots      DDoSia DDoS
 port scan      default creds        Alarm suppress        Telegram         Cross-post
```

A distinctive operational pattern combines volumetric DDoS attacks with simultaneous SCADA intrusions — the DDoS draws defender attention to network availability while the actual OT manipulation proceeds through VNC.

Confirmed Physical Impact

The advisory documents confirmed physical consequences:

Actor Profiles

| Group | Established | Focus | GRU Link |
|---|---|---|---|
| CARR | Feb 2022 | DDoS + ICS attacks | Direct GRU Unit 74455 support |
| NoName057(16) | Mar 2022 | DDoS via DDoSia tool | Kremlin-affiliated CISM |
| Z-Pentest | Sep 2024 | OT intrusion, hack-and-leak | Former CARR members |
| Sector16 | Jan 2025 | Energy infrastructure | Z-Pentest collaboration |

Known aliases for the GRU nexus: APT44, Sandworm, FROZENBARENTS, Seashell Blizzard, IRIDIUM, Voodoo Bear, Telebots, GRU Unit 74455, GTsST, Military Unit 74455.

Mandiant/Google Cloud research — 'Unearthing APT44: Russia's Notorious Cyber Sabotage Unit Sandworm' — detailing GRU Unit 74455's hacktivist proxy operations.

Detection

The low sophistication of these attacks makes detection achievable with standard network and endpoint telemetry. What makes this concerning is the target selection, not the sophistication. ICS systems. No authentication. The key challenge is monitoring OT/ICS segments that often lack adequate logging.

Based on our tracking of pro-Russia hacktivist groups across the platform, Threadlinqs Intelligence maintains 9 production-ready detections for this threat, written in SPL, KQL, and Sigma; five of them are shown below.

Splunk SPL — VNC Brute Force and Unauthorized HMI Access

Catching spray and pray VNC brute-force from single sources and unauthorized connections from non-OT networks to HMI ports:

```spl
(index=firewall OR index=network) (sourcetype=firewall OR sourcetype=pan:traffic)
dest_port IN (5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909, 5910)
| eval is_external=if(cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip), 0, 1)
| where is_external=1
| stats count AS attempt_count, dc(dest_ip) AS target_count, earliest(_time) AS first_seen, latest(_time) AS last_seen by src_ip
| where attempt_count > 10 OR target_count > 3
| eval duration_min=round((last_seen - first_seen) / 60, 1)
| sort -attempt_count
```

The index and sourcetype terms are grouped in parentheses because Splunk binds AND tighter than OR; left ungrouped, `index=network` would only match alongside `sourcetype=firewall`. External IPs making repeated VNC connection attempts across multiple OT hosts — that is the signature pattern of the hacktivist scanning phase.

Splunk SPL — SCADA Setpoint Tampering and Alarm Suppression

Correlating SCADA audit events for setpoint modifications, alarm suppression, and credential changes within OT environments:

```spl
(index=scada OR index=ot) (sourcetype=scada_audit OR sourcetype=hmi_log)
(action="setpoint_change" OR action="alarm_disable" OR action="credential_modify" OR action="device_rename" OR action="param_modify")
| eval suspicious=case(
    action="alarm_disable" AND alarm_count > 5, "bulk_alarm_suppress",
    action="setpoint_change" AND (old_value=0 OR abs(new_value - old_value) / abs(old_value) > 0.2), "extreme_setpoint_change",
    action="credential_modify", "cred_tampering",
    action="device_rename" AND match(new_name, "(?i)(carr|z-pentest|noname|sector16|russia)"), "hacktivist_defacement",
    1=1, "normal"
)
| where suspicious != "normal"
| bin _time span=15m
| stats count, values(action) AS actions, values(suspicious) AS indicators by src_ip, device_name, _time
```

The relative-change test divides by `abs(old_value)` so that a negative baseline still registers, and a zero baseline (where the division would be null and the comparison silently false) is treated as an extreme change. Binning `_time` to 15-minute windows before the stats keeps related actions from one source against one device in a single row instead of one row per event.
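The classification logic of the setpoint-tampering search above, as an added example in Python that is not part of the advisory or the Threadlinqs rule set, so it can be run against an exported SCADA audit trail offline. The event field names (action, old_value, new_value, alarm_count, new_name, src_ip, device_name) and the sample events are constructed assumptions; the thresholds and the hacktivist-name pattern are the ones from the search. It also handles the two edge cases a SIEM case() statement glosses over: a setpoint change with a zero baseline and a change whose values failed to parse.

```python
"""Classify SCADA audit events for tampering indicators (added example, constructed data)."""
import re
from collections import defaultdict

# Pattern and thresholds mirror the SPL case() clause above
HACKTIVIST_NAMES = re.compile(r"(?i)(carr|z-pentest|noname|sector16|russia)")
SETPOINT_DEVIATION = 0.20   # relative change greater than 20 %
BULK_ALARM_COUNT = 5        # more than five alarms disabled in one action


def classify(ev: dict) -> str:
    """Return an indicator label for one audit event, or 'normal'."""
    action = ev.get("action")
    if action == "alarm_disable" and ev.get("alarm_count", 0) > BULK_ALARM_COUNT:
        return "bulk_alarm_suppress"
    if action == "setpoint_change":
        old, new = ev.get("old_value"), ev.get("new_value")
        if old is None or new is None:
            # Assumed field names; a change we cannot evaluate is surfaced, not dropped
            return "setpoint_change_unparsed"
        if old == 0:
            # Zero baseline: the relative-change formula would divide by zero,
            # so any move away from zero is treated as an extreme change
            return "extreme_setpoint_change" if new != 0 else "normal"
        if abs(new - old) / abs(old) > SETPOINT_DEVIATION:
            return "extreme_setpoint_change"
    if action == "credential_modify":
        return "cred_tampering"
    if action == "device_rename" and HACKTIVIST_NAMES.search(ev.get("new_name", "")):
        return "hacktivist_defacement"
    return "normal"


def find_tampering(events):
    """Group suspicious events by (src_ip, device_name), like the stats clause."""
    groups = defaultdict(lambda: {"count": 0, "actions": set(), "indicators": set()})
    for ev in events:
        label = classify(ev)
        if label == "normal":
            continue
        g = groups[(ev.get("src_ip"), ev.get("device_name"))]
        g["count"] += 1
        g["actions"].add(ev.get("action"))
        g["indicators"].add(label)
    return {
        key: {"count": g["count"], "actions": sorted(g["actions"]), "indicators": sorted(g["indicators"])}
        for key, g in groups.items()
    }


# Constructed sample audit trail, not real SCADA data
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "device_name": "PUMP-03", "action": "setpoint_change", "old_value": 50.0, "new_value": 95.0},
    {"src_ip": "10.20.0.14", "device_name": "PUMP-03", "action": "setpoint_change", "old_value": 50.0, "new_value": 52.0},
    {"src_ip": "203.0.113.7", "device_name": "PUMP-03", "action": "alarm_disable", "alarm_count": 12},
    {"src_ip": "203.0.113.7", "device_name": "PUMP-03", "action": "device_rename", "new_name": "Z-Pentest"},
    {"src_ip": "203.0.113.7", "device_name": "PUMP-03", "action": "credential_modify"},
    {"src_ip": "10.20.0.14", "device_name": "TANK-01", "action": "alarm_disable", "alarm_count": 1},
    {"src_ip": "10.20.0.14", "device_name": "TANK-01", "action": "setpoint_change", "old_value": 0.0, "new_value": 30.0},
]

if __name__ == "__main__":
    for key, summary in find_tampering(SAMPLE_EVENTS).items():
        print(key, summary)
```

The operator's 4 % adjustment and single alarm acknowledgement stay "normal"; the external source that changes a setpoint by 90 %, disables twelve alarms, renames the device and rotates credentials collapses into one row with four indicators, and the zero-baseline change on TANK-01 is surfaced rather than lost.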

Microsoft KQL — VNC Reconnaissance and OT Service Discovery

Scanning for VNC services and unauthorized external connections in Defender for Endpoint — the hacktivist reconnaissance phase is noisy if you are watching the right ports.
```kql
let vnc_ports = dynamic([5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909, 5910]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (vnc_ports) or LocalPort in (vnc_ports)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| extend IsExternal = not(ipv4_is_private(RemoteIP))
| where IsExternal == true
| summarize ConnectionCount = count(), TargetDevices = dcount(DeviceName),
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by RemoteIP
| where ConnectionCount > 5 or TargetDevices > 2
| sort by ConnectionCount desc
```
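The Splunk brute-force search and this KQL query express the same aggregation: external sources, VNC ports, attempts and distinct targets per source, thresholded. The following Python, an added example and not part of the advisory or the Threadlinqs rule set, runs that logic over exported firewall log lines offline, which is useful for OT segments whose logs never reach the SIEM. The key=value log format, the field names (time, src_ip, dest_ip, dest_port, action) and the sample lines are constructed assumptions; the RFC1918 exclusion and the thresholds are the Splunk query's.

```python
"""Flag external sources spraying VNC ports across OT hosts (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

VNC_PORTS = set(range(5900, 5911))      # 5900-5910, as in the queries above
ATTEMPT_THRESHOLD = 10                  # attempt_count > 10
TARGET_THRESHOLD = 3                    # target_count > 3
# Same RFC1918 ranges the SPL excludes with cidrmatch(); anything else is "external"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True unless the address falls in one of the internal ranges (unparseable -> not external)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse an assumed key=value firewall line into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
    return fields


def detect_vnc_spray(lines):
    """Aggregate per external src_ip like the stats clause and return rows over threshold."""
    per_src = defaultdict(lambda: {"attempts": 0, "targets": set(), "first": None, "last": None})
    for line in lines:
        f = parse_line(line)
        try:
            port = int(f.get("dest_port", -1))
            ts = datetime.fromisoformat(f["time"])
        except (ValueError, KeyError):
            continue                                    # malformed line: skip, never crash the job
        if port not in VNC_PORTS or not is_external(f.get("src_ip", "")):
            continue
        s = per_src[f["src_ip"]]
        s["attempts"] += 1
        s["targets"].add(f.get("dest_ip"))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    alerts = []
    for src, s in per_src.items():
        if s["attempts"] > ATTEMPT_THRESHOLD or len(s["targets"]) > TARGET_THRESHOLD:
            alerts.append({
                "src_ip": src,
                "attempt_count": s["attempts"],
                "target_count": len(s["targets"]),
                "duration_min": round((s["last"] - s["first"]).total_seconds() / 60, 1),
            })
    return sorted(alerts, key=lambda a: a["attempt_count"], reverse=True)


# Constructed sample log: one sprayer, one low-volume external client, one internal
# operator, and a non-VNC connection. Addresses are documentation ranges.
SAMPLE_LOG = [
    f"time=2026-02-20T03:1{i % 10}:00 src_ip=203.0.113.7 dest_ip=192.168.50.{10 + i % 4} "
    f"dest_port={5900 + i % 3} action=denied"
    for i in range(12)
] + [
    "time=2026-02-20T03:20:00 src_ip=198.51.100.9 dest_ip=192.168.50.10 dest_port=5900 action=denied",
    "time=2026-02-20T03:21:00 src_ip=198.51.100.9 dest_ip=192.168.50.10 dest_port=5900 action=allowed",
    "time=2026-02-20T03:22:00 src_ip=10.1.1.5 dest_ip=192.168.50.11 dest_port=5900 action=allowed",
    "time=2026-02-20T03:23:00 src_ip=203.0.113.7 dest_ip=192.168.50.10 dest_port=443 action=allowed",
]

if __name__ == "__main__":
    for alert in detect_vnc_spray(SAMPLE_LOG):
        print(alert)
```

Only the source that hit four HMIs twelve times in nine minutes is reported; the two-attempt client, the internal operator and the port 443 connection are filtered out, which is the same outcome the SPL and KQL produce on equivalent telemetry. Like the queries, it counts connection attempts regardless of firewall action, so a single allowed session that later shows up in the SCADA audit search is also in scope.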

Sigma — VNC Brute Force from External IPs

Multiple VNC authentication failures from external addresses against OT infrastructure — that pattern is unmistakable.
```yaml
title: VNC Brute Force Against OT/ICS HMI Devices
id: 8a4c3e7f-2b1d-4f9a-bc6e-1d5a8e3f7c2b
status: experimental
description: Detects multiple VNC authentication failures from external IPs targeting OT HMI devices on ports 5900-5910, consistent with CARR/Z-Pentest brute-force operations per CISA AA25-343A
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
    - https://intel.threadlinqs.com/#TL-2026-0125
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.credential_access
    - attack.t1110.003
    - attack.t1078.001
logsource:
    category: firewall
    product: any
detection:
    selection:
        dst_port:
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
            - 5905
            - 5906
            - 5907
            - 5908
            - 5909
            - 5910
        action: denied
    filter_internal:
        src_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_internal | count() by src_ip > 10
    timeframe: 15m
falsepositives:
    - Operators mistyping VNC passwords
    - Misconfigured VNC clients with wrong credentials
    - Authorized OT security team scans
level: critical
```

The port list is written out because Sigma has no `range` modifier, and the aggregation counts events per `src_ip` so that a single external source making more than ten attempts in 15 minutes fires, matching the SPL above; `AA25-343A` is an advisory identifier rather than a CVE, so it belongs in `references`, not in a `cve.` tag.

Sigma — DDoSia Tool Execution and Telegram C2

DDoSia tool execution and Telegram-based phone-home traffic from OT network segments — if you see this, someone is coordinating an attack from inside your ICS environment.
```yaml
title: DDoSia Tool Execution and Telegram C2 from OT Segments
id: 3f7a9c2e-5d4b-4e1a-8c6f-2a9b1d3e5f7a
status: experimental
description: Detects DDoSia tool execution patterns and Telegram API communication originating from OT network segments, indicating NoName057(16) coordination activity
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
    - https://intel.threadlinqs.com/#TL-2026-0125
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.impact
    - attack.t1498
    - attack.resource_development
    - attack.t1583.003
logsource:
    category: dns
    product: any
detection:
    selection_telegram:
        query|contains:
            - 'api.telegram.org'
            - 't.me'
    selection_ddosia:
        query|contains:
            - 'ddosia'
            - 'noname057'
    condition: selection_telegram or selection_ddosia
falsepositives:
    - Legitimate Telegram bot integrations for OT alerting systems
    - Security researchers analyzing DDoSia samples
level: high
```
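The rule above matches on `contains`, and a substring test for `t.me` also fires on any hostname that happens to end in those characters, while the rule's logsource does not itself restrict the query to OT segments. The following Python is an added example, not part of the advisory or the Threadlinqs rule set: it applies the same two selections to exported DNS query logs, matches Telegram domains on label boundaries rather than as substrings, and scopes the match to an assumed OT address range. The log format, field names (client, query), the OT prefix and the sample lines are constructed assumptions.

```python
"""Telegram / DDoSia DNS lookups from OT segments (added example, constructed data)."""
import ipaddress

OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]   # assumed OT address space
TELEGRAM_DOMAINS = ("telegram.org", "t.me")              # matched on DNS label boundaries
DDOSIA_KEYWORDS = ("ddosia", "noname057")                # substring match, as in the rule


def domain_matches(qname: str, suffixes) -> bool:
    """True if qname equals a suffix or is a subdomain of it (label-boundary match)."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def in_ot_segment(ip: str) -> bool:
    """True if the client address lies in one of the assumed OT networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OT_SEGMENTS)


def parse_line(line: str) -> dict:
    """Parse an assumed key=value DNS log line; tokens without '=' are ignored."""
    return dict(tok.partition("=")[::2] for tok in line.split() if "=" in tok)


def detect_ot_c2(lines):
    """Return (client, query, reason) for OT clients resolving Telegram or DDoSia names."""
    hits = []
    for line in lines:
        f = parse_line(line)
        client, qname = f.get("client", ""), f.get("query", "")
        if not in_ot_segment(client):
            continue                                      # IT-side lookups are out of scope here
        if domain_matches(qname, TELEGRAM_DOMAINS):
            hits.append((client, qname, "telegram_c2"))
        elif any(k in qname.lower() for k in DDOSIA_KEYWORDS):
            hits.append((client, qname, "ddosia_tooling"))
    return hits


# Constructed sample DNS query log, not real telemetry
SAMPLE_DNS = [
    "ts=2026-02-20T04:00:01 client=10.50.1.20 query=api.telegram.org",
    "ts=2026-02-20T04:00:02 client=10.50.1.21 query=t.me",
    "ts=2026-02-20T04:00:03 client=10.50.1.22 query=ddosia-update.example",
    "ts=2026-02-20T04:00:04 client=10.50.1.23 query=assets.robot.me",   # substring 't.me' would fire here
    "ts=2026-02-20T04:00:05 client=10.10.0.5 query=api.telegram.org",   # IT segment, outside OT scope
    "ts=2026-02-20T04:00:06 client=10.50.1.24 query=ntp.example",
]

if __name__ == "__main__":
    for hit in detect_ot_c2(SAMPLE_DNS):
        print(hit)
```

Three lookups are reported; the `assets.robot.me` query, which a plain substring match on `t.me` would have flagged, is not, and the IT-side Telegram lookup is left for a rule scoped to that segment. The DDoSia keywords stay as substring matches because they are meant to catch arbitrary hostnames that embed the tool or group name.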
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
NSA and FBI joint press release calling out pro-Russia hacktivist groups — Cyber Army of Russia Reborn, Z-Pentest, and Sector16 — targeting OT/ICS systems.

Indicators of Compromise

Behavioral Indicators

| Pattern | Description | MITRE |
|---|---|---|
| VNC brute-force from VPS | Multiple auth failures on ports 5900-5910 from cloud/VPS IPs | T1110.003 |
| HMI device renaming | Devices renamed to CARR, Z-Pentest, or hacktivist identifiers | T1491.002 |
| Bulk alarm suppression | Multiple alarms disabled or auto-acknowledged in rapid succession | T0878 |
| Setpoint deviation | Process parameters modified beyond normal operating ranges | T0836 |
| Screen capture on OT hosts | ffmpeg, scrot, or ImageMagick execution on HMI workstations | T1113 |
| DDoSia L7 flood | High-volume HTTP requests coinciding with OT anomalies | T1498 |
| Telegram API from OT | Outbound connections to api.telegram.org from OT segments | T1583.003 |

The advisory does not provide specific network IOCs (IPs, domains, hashes) for these groups, as the attackers use temporary VPS infrastructure and commodity tools. Detection should focus on behavioral patterns rather than static indicators.

MITRE ATT&CK Mapping

Enterprise Framework

| Tactic | Technique | ID | Context |
|---|---|---|---|
| Reconnaissance | Active Scanning: Vulnerability Scanning | T1595.002 | Nmap/OpenVAS scans for VNC ports |
| Reconnaissance | Gather Victim Org Information | T1591 | Target identification via Shodan/Censys |
| Resource Development | Acquire Infrastructure: VPS | T1583.003 | Temporary VPS for brute-force and DDoS |
| Credential Access | Brute Force: Password Spraying | T1110.003 | VNC credential brute-force |
| Lateral Movement | Remote Services: VNC | T1021.005 | Primary access method to HMI devices |
| Initial Access | Valid Accounts: Default Accounts | T1078.001 | Default/weak VNC credentials |
| Initial Access | External Remote Services | T1133 | Internet-exposed VNC |
| Collection | Screen Capture | T1113 | Telegram propaganda screenshots |
| Impact | Network Denial of Service | T1498 | DDoSia L7 floods |
| Impact | Defacement: External Defacement | T1491.002 | HMI device renaming |
| Impact | Service Stop | T1489 | Device restart/shutdown |

ICS Framework

| Tactic | Technique | ID | Context |
|---|---|---|---|
| Initial Access | Internet Accessible Device | T0883 | Exposed HMI/VNC endpoints |
| Credential Access | Valid Accounts | T0859 | Compromised VNC credentials |
| Credential Access | Default Credentials | T0812 | Factory-default passwords |
| Lateral Movement | Remote Services | T0886 | VNC lateral movement in OT |
| Execution | Graphical User Interface | T0823 | HMI manipulation via GUI |
| Inhibit Response | Alarm Suppression | T0878 | Bulk alarm disable |
| Impair Process Control | Modify Parameter | T0836 | Setpoint tampering |
| Impair Process Control | Unauthorized Command Message | T0855 | Unauthorized PLC commands |
| Impact | Loss of Productivity/Revenue | T0828 | Operational downtime |
| Impact | Loss of View | T0829 | Credential lockout |
| Impact | Manipulation of Control | T0831 | Process parameter alteration |
| Inhibit Response | Device Restart/Shutdown | T0816 | Forced HMI restarts |

Full MITRE ATT&CK mapping: View coverage on Threadlinqs
TL-2026-0125 on Threadlinqs Intelligence — pro-Russia hacktivist OT/ICS attacks on critical infrastructure with active exploitation status.

Recommendations

Close the ports. Change the passwords. Segment the network.

  1. Remove all OT/ICS devices from direct internet exposure. Audit for open VNC ports (5900-5910) on public-facing IP ranges and close them immediately
  2. Eliminate default and weak credentials across all HMI, PLC, and SCADA devices. Enforce unique, strong passwords and implement phishing-resistant MFA for remote OT access
  3. Deploy ICS-aware network monitoring (Claroty, Dragos, Nozomi Networks) with alerting on VNC brute-force attempts, unauthorized connections from external IPs, and anomalous setpoint changes
  4. Segment IT and OT networks with a DMZ for control data exchange. Restrict VNC traffic to authenticated, VPN-connected operator workstations only
  5. Maintain manual override capabilities and engineering logic backups. Test recovery procedures for scenarios where HMI credentials are locked and alarms are suppressed

Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0125.