// TEMPLARSEC //
[ 2026-02-14 ] -- /posts/critical-infrastructure-hacktivists

Critical Infrastructure Under Attack

Pro-Russia hacktivist groups are actively targeting critical infrastructure entities in the United States and globally. These groups, including Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16, are conducting opportunistic attacks against sectors such as water and wastewater, food and agriculture, and energy.

While their methods are often less sophisticated than those of state-sponsored Advanced Persistent Threat (APT) groups, they are still capable of causing disruption and damage. These groups primarily seek notoriety, frequently exaggerating the impact of their attacks.

Impact

These hacktivist groups exploit minimally secured, internet-facing Virtual Network Computing (VNC) connections to infiltrate operational technology (OT) control devices within critical infrastructure systems. Successful intrusions can lead to:

  • Disruption of Services: Altering parameters, disabling alarms, or restarting devices can cause temporary loss of view and costly manual recovery efforts for operators. Websites and public portals may go offline.
  • Physical Impacts: In some instances, the attacks have resulted in tangible harm to vulnerable systems.
  • Reputational Damage: Even minor incursions, when publicized, can lead to a loss of trust and require resources to remediate systems.
  • Compromised SCADA Networks: Successful targeting of supervisory control and data acquisition (SCADA) networks can occur using basic methods, sometimes coupled with DDoS attacks.

Remediation

To mitigate the threat posed by these pro-Russia hacktivist groups, organizations should take the following steps:

  • Secure VNC Connections: Ensure that all VNC connections are properly secured with strong passwords and multi-factor authentication.
  • Monitor for Vulnerable Devices: Scan for vulnerable devices on the internet with open VNC ports.
  • Assume Compromise: If exposed systems with weak credentials are found, assume a compromise has occurred and initiate incident response procedures immediately.
  • Implement a Layered Security Approach: Employ a robust cybersecurity framework, including regular software updates, comprehensive end-user education, advanced threat detection systems, and rigorous access controls.
  • Assess Third-Party Security: Evaluate the security protocols of third-party vendors and suppliers, and enforce strong contractual agreements that prioritize cybersecurity.
  • Monitor and Detect: Implement behavioral detection across your hybrid environment (including identity, cloud, network, and IoT/OT) to detect misuse of legitimate access.
  • Prepare for DDoS Attacks: Implement web application security to protect against DDoS and deeper application layer attacks.
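As an added example supporting the "Secure VNC Connections" and "Monitor for Vulnerable Devices" steps (written for this page, not TEMPLARSEC's own tooling): a Python helper that parses the server side of a captured RFB (VNC) handshake, for both RFB 3.3 and 3.7/3.8, and flags servers that offer the "None" security type or only the legacy password-based VNC authentication. The hostnames and handshake bytes in SAMPLES are constructed.

```python
import struct

# RFB security types (RFC 6143 section 7.1.2 plus common registry values).
# 1 = None means no authentication at all; 2 is the legacy DES challenge-response
# that only ever uses the first 8 bytes of the password, so it cannot be "strong".
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt", 20: "SASL"}

def parse_server_handshake(data: bytes) -> dict:
    """Parse server-to-client RFB bytes (ProtocolVersion + security message)."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version, body, failure = (int(data[4:7]), int(data[8:11])), data[12:], None
    if version <= (3, 3):
        # RFB 3.3: the server dictates a single type as a big-endian U32 (0 = refused)
        if len(body) < 4:
            raise ValueError("truncated RFB 3.3 security message")
        offered = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7/3.8: U8 count then count U8 types; count 0 means the server
        # refused and follows with a U32 reason length and the reason string
        count = body[0] if body else None
        if count is None or len(body) < 1 + (count or 4):
            raise ValueError("truncated security-types message")
        if count == 0:
            rlen = struct.unpack(">I", body[1:5])[0]
            offered, failure = [], body[5:5 + rlen].decode("latin-1", "replace")
        else:
            offered = list(body[1:1 + count])
    return {"version": f"{version[0]}.{version[1]}", "offered": offered,
            "names": [SECURITY_TYPES.get(t, f"unknown({t})") for t in offered],
            "failure": failure,
            "unauthenticated": 1 in offered,               # a client may simply pick None
            "weak_only": bool(offered) and set(offered) <= {1, 2}}

def audit(captures: dict) -> list:
    """Turn per-host handshake captures into prioritised findings."""
    findings = []
    for host, data in captures.items():
        r = parse_server_handshake(data)
        if r["unauthenticated"]:
            findings.append(f"{host}: CRITICAL no authentication offered {r['names']}")
        elif r["weak_only"]:
            findings.append(f"{host}: HIGH only password-based VNC auth {r['names']}")
    return findings

# Constructed sample captures (hostnames and bytes are made up for this example)
SAMPLES = {"plc-hmi-01": b"RFB 003.008\n\x02\x01\x02",        # offers None + VNC auth
           "scada-ws-02": b"RFB 003.008\n\x01\x13",            # VeNCrypt (TLS) only
           "pump-ctrl-03": b"RFB 003.003\n\x00\x00\x00\x02"}   # old 3.3, VNC auth only
```

Feed it the first server-sent bytes from a packet capture or from a connection to one of your own exposed hosts; anything flagged CRITICAL or HIGH is an "assume compromise" candidate under the steps above.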