Response to CISA Advisory (AA25-343A): Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
US cybersecurity agencies, together with several partner organizations, have issued a joint warning that pro-Russia hacker groups are exploiting unprotected VNC connections to attack critical infrastructure. The groups include CARR, NoName057(16) and Z-Pentest, and they mainly target sectors such as energy, food and agriculture. 2025-12-10 19:9:53 Author: securityboulevard.com

On December 9, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), along with several authoring organizations, released a joint Cybersecurity Advisory (CSA) on the targeting of critical infrastructure by pro-Russia hacktivists.

The CSA is published as an addition to the joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology published on May 6, 2025, and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, the FBI, the Department of Energy (DOE), the Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the Operational Technology (OT) and Industrial Control Systems (ICS) of critical infrastructure entities in the United States and globally.

The authoring organizations assess pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to Advanced Persistent Threat (APT) groups. These attacks use minimally secured, internet-facing Virtual Network Computing (VNC) connections to infiltrate, or gain access to, OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups, including the Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups, are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.
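The advisory's core technical point is that the initial access path is an internet-reachable VNC listener in front of an OT device. The following script is an added, defender-side illustration and is not code from CISA, the advisory, or AttackIQ: it scans firewall connection logs for allowed inbound VNC sessions from non-internal sources into OT address space. The `key=value` log format, the sample lines, and the OT subnet `10.50.0.0/16` are all constructed assumptions for this example; real firewall exports and plant addressing will differ.

```python
"""Flag allowed VNC sessions from external sources into OT address space.

Added example (not from the advisory or AttackIQ). The log line format,
the sample lines and the OT subnet below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the plant's OT/ICS network lives in this RFC 1918 range.
OT_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]

# Address space we treat as "internal"; anything else is assumed to be
# internet-sourced. Defining this explicitly avoids the ipaddress module's
# is_global quirk, which also classifies documentation ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Default VNC/RFB listener ports: 5900 + display number.
VNC_PORTS = range(5900, 5910)

# Constructed sample export, one connection per line (key=value tokens).
SAMPLE_LOG = [
    "ts=2025-12-09T03:14:07Z src=203.0.113.7 dst=10.50.3.21 dport=5900 proto=tcp action=allow",   # external -> OT VNC, allowed
    "ts=2025-12-09T03:14:09Z src=10.50.1.5 dst=10.50.3.21 dport=5900 proto=tcp action=allow",     # internal jump host, expected
    "ts=2025-12-09T03:15:00Z src=198.51.100.9 dst=10.50.3.22 dport=5901 proto=tcp action=deny",   # blocked at the edge
    "ts=2025-12-09T03:16:30Z src=203.0.113.7 dst=10.50.9.4 dport=443 proto=tcp action=allow",     # not VNC
    "ts=2025-12-09T03:17:02Z src=192.0.2.44 dst=10.50.3.21 dport=5900 proto=tcp action=allow",    # second external source, allowed
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> dict:
    """Split a 'k=v k=v ...' line into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def in_ot(ip) -> bool:
    return any(ip in net for net in OT_SUBNETS)


def find_exposed_vnc(lines):
    """Return a Finding for every allowed VNC connection from an external
    source into an OT subnet. Malformed lines are skipped, not raised."""
    findings = []
    for line in lines:
        f = parse_line(line)
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue
        if dport not in VNC_PORTS or not in_ot(dst):
            continue
        if f.get("action", "").lower() != "allow":
            continue  # denied attempts are not exposure, only noise here
        if not is_internal(src):
            findings.append(Finding(f.get("ts", "?"), str(src), str(dst), dport,
                                    "external source reached OT VNC listener"))
    return findings


def exposed_hosts(findings):
    """Distinct OT hosts that accepted an external VNC session."""
    return sorted({x.dst for x in findings})


if __name__ == "__main__":
    for x in find_exposed_vnc(SAMPLE_LOG):
        print(f"{x.ts} {x.src} -> {x.dst}:{x.dport}  {x.reason}")
    print("exposed OT hosts:", exposed_hosts(find_exposed_vnc(SAMPLE_LOG)))
```

Any host that appears in `exposed_hosts` is a candidate for the mitigations the advisory references: remove the listener from the internet edge, require VPN or a jump host in front of it, and enforce authentication on the VNC service itself. Denied connections are deliberately excluded so the output lists actual reachability rather than scanning noise.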

Pro-Russia Hacktivist Groups

Over the past several years, the authoring organizations have observed pro-Russia hacktivist groups conducting cyber operations against numerous organizations and critical infrastructure sectors worldwide. The escalation of the Russia-Ukraine conflict in 2022 significantly increased the number of these pro-Russia groups. Consisting of individuals who support Russia’s agenda but lack direct governmental ties, most of these groups target Ukrainian and allied infrastructure. However, among the increasing number of groups, some appear to have associations with the Russian state through direct or indirect support.

  1. Cyber Army of Russia Reborn (CARR): The authoring organizations assess that the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455, also known as Sandworm, is likely responsible for supporting the creation of CARR, also known as “The People’s Cyber Army of Russia” in late February or early March of 2022. Actors suspected to be from GRU unit 74455 likely funded the tools CARR threat actors used to conduct Distributed Denial-of-Service (DDoS) attacks through at least September 2024.
  2. The authoring organizations assess that by late September 2024, CARR channel administrators became dissatisfied with the level of support and funding provided by the GRU. This dissatisfaction led CARR administrators and an administrator from another hacktivist group, NoName057(16), to create the Z-Pentest group, employing the same Tactics, Techniques, and Procedures (TTPs) as CARR but separate from GRU involvement.
  3. NoName057(16): The authoring organizations assess that the Center for the Study and Network Monitoring of the Youth Environment (CISM), established on behalf of the Kremlin, created NoName057(16) as a covert project within the organization. Senior executives and employees within CISM developed and customized the NoName057(16) proprietary DDoS tool DDoSia, paid for the group’s network infrastructure, served as administrators on NoName057(16) Telegram channels, and selected DDoS targets.
  4. Active since March 2022, NoName057(16) has conducted frequent DDoS attacks against government and private sector entities in North Atlantic Treaty Organization (NATO) member states and other European countries perceived as hostile to Russian geopolitical interests. The group operates primarily through Telegram channels and uses GitHub, alongside various websites and repositories, to host DDoSia and share materials and TTPs with their followers.
  5. In 2024, NoName057(16) began collaborating closely with other pro-Russia hacktivist groups, operating a joint chat with CARR by mid-2024. In July 2024, NoName057(16) jointly claimed responsibility with CARR for an alleged intrusion against OT assets in the U.S. The high degree of cooperation with CARR likely contributed to the formation of Z-Pentest, which is composed of actors and administrators from both teams, in September 2024.
  6. Z-Pentest: Established in September 2024, Z-Pentest is composed of members from CARR and NoName057(16). The group specializes in OT intrusion operations targeting globally dispersed critical infrastructure entities. Additionally, the group uses “hack and leak” operations and defacement attacks to draw attention to their pro-Russia messaging. Unlike other pro-Russia hacktivist groups, Z-Pentest largely avoids DDoS activities, claiming OT intrusions as attempts to garner more attention from the media.
  7. Shortly after Z-Pentest’s inception, the group announced alliances with CARR and NoName057(16), possibly to leverage the other groups’ subscribers to grow the new channel. In March 2025, Z-Pentest posted evidence claiming OT device intrusions to their channel using a NoName057(16) cyberattack campaign hashtag. Similarly, in April 2025, Z-Pentest shared a video purporting defacement of an HMI by changing system names to NoName057(16) and CARR references. Z-Pentest continues to create new alliances with other groups, like Sector16, to continue growing their subscriber base and incidentally propagate TTPs with new partners.
  8. Sector16: Formed in January 2025, Sector16 is a novice pro-Russia hacktivist group that emerged through collaboration with Z-Pentest. Sector16 actively maintains an online presence, including a public Telegram channel where they share videos, statements, and claims of compromising U.S. energy infrastructure. These communications often align with pro-Russia narratives and reflect their self-proclaimed support for Russian geopolitical objectives.
  9. Members of Sector16 may have received indirect support from the Russian government in exchange for conducting specific cyber operations that further Russian strategic goals. This aligns with broader Russian cyber strategies that involve leveraging non-state threat actors for certain cyber activities, adding a layer of deniability.

AttackIQ’s Recommendations

Given the extensive ecosystem of Russian adversaries, malware families, and intelligence operations, it can be challenging to determine what to emulate and which to prioritize for prevention and detection opportunities. To address this complexity, AttackIQ recommends focusing on long-standing, highly sophisticated adversaries whose operations consistently demonstrate strategic value and significant operational impact.

One such adversary is Sandworm, also known as APT44, Seashell Blizzard, and Voodoo Bear, widely regarded as one of the most destructive and consequential adversaries. It is attributed to the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military Unit 74455. Over the years, Sandworm has been linked to some of the most disruptive cyber operations ever recorded, including attacks on critical infrastructure, large-scale malware campaigns, and persistent intrusions targeting governmental and civil institutions. Its operations are known for their technical sophistication, operational adaptability, long-term persistence, and strong alignment with Russia’s geopolitical objectives.

For over a decade, its primary focus has been Ukraine, where it has conducted numerous disruptive and destructive operations, predominantly against the Energy and Telecommunications sectors, through the repeated use of customized wiper malware. Beyond Ukraine, Sandworm sustains worldwide espionage and sabotage operations that demonstrate the Russian military’s far-reaching ambitions and interests in other regions.

Sandworm is particularly known for its development and deployment of malware families designed to compromise Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments, especially within the Energy, Government, and Media sectors.

Sandworm has been emulated by AttackIQ on multiple occasions, with the latest emulation published on November 14, 2025. Through these repeated efforts, AttackIQ’s Adversary Research Team (ART) has demonstrated its continued commitment to replicating the operations of highly sophisticated adversaries, often getting ahead of emerging activities before they make headlines. This proactive approach ensures that organizations can validate their defenses against the same tactics and techniques leveraged by one of the world’s most disruptive and strategically significant adversaries.

Recommended Emulations

  • Sandworm – 2025-10 – Associated Tactics, Techniques and Procedures (TTPs)
  • Seashell Blizzard – 2025-02 – The BadPilot Campaign
  • Prestige Ransomware – 2022-10 – Complete Infection Chain
  • Sandworm – 2022-02 – HermeticWizard Deployment Leads to HermeticWiper
  • Sandworm – 2022-03 – From PowerShell Command to HermeticWiper Deployment
  • [CISA AA25-141A] Russian GRU Targeting Western Logistics Entities and Technology Companies
  • [CISA AA24-249A] Russian Military Cyber Actors Target US and Global Critical Infrastructure

Validating your security program’s performance against these behaviors is essential to reducing operational risk. By leveraging these existing emulations within the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate the effectiveness of their security controls against baseline behaviors exhibited by long-standing Russian adversaries.
  • Assess their defensive posture against highly disruptive and destructive adversaries that indiscriminately target organizations across multiple sectors.
  • Continuously validate detection and prevention pipelines against playbooks commonly observed across multiple pro-Russia groups.

Wrap-up

In summary, these emulations will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Russian adversaries. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against known and dangerous threats.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.

*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Francis Guibernau. Read the original post at: https://www.attackiq.com/2025/12/10/response-to-aa25-343a/


Source: https://securityboulevard.com/2025/12/response-to-cisa-advisory-aa25-343a-pro-russia-hacktivists-conduct-opportunistic-attacks-against-us-and-global-critical-infrastructure/