Actions for Operational Technology Owners and Operators to Take Today to Mitigate Cyber Threats Related to Pro-Russia Hacktivists Activity
- Reduce exposure of operational technology (OT) assets to the public-facing internet.
- Adopt mature asset management processes, including mapping data flows and access points.
- Ensure that OT assets are using robust authentication procedures.
Summary
Note: This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.
FBI, CISA, National Security Agency (NSA), and the following partners—hereafter referred to as “the authoring organizations”—are releasing this joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists:
- U.S. Department of Energy (DOE)
- U.S. Environmental Protection Agency (EPA)
- U.S. Department of Defense Cyber Crime Center (DC3)
- Europol European Cybercrime Centre (EC3)
- EUROJUST – European Union Agency for Criminal Justice Cooperation
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- Canadian Security Intelligence Service (CSIS)
- Czech Republic Military Intelligence (VZ)
- Czech Republic National Cyber and Information Security Agency (NÚKIB)
- Czech Republic National Centre Against Terrorism, Extremism, and Cyber Crime (NCTEKK)
- French National Cybercrime Unit – Gendarmerie Nationale (UNC)
- French National Jurisdiction for the Fight Against Organized Crime (JUNALCO)
- German Federal Office for Information Security (BSI)
- Italian State Police (PS)
- Latvian State Police (VP)
- Lithuanian Criminal Police Bureau (LKPB)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Romanian National Police (PR)
- Spanish Civil Guard (GC)
- Spanish National Police (CNP)
- Swedish Polisen (SC3)
- United Kingdom National Cyber Security Centre (NCSC-UK)
The authoring organizations assess that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.
The authoring organizations encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. For additional information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Threat Overview and Advisories webpage.