Pro-Russia Hacktivists Target Water, Food, and Energy OT Systems via Exposed VNC

CISA, the FBI, NSA, Department of Energy, EPA, and international partners including the UK, Canada, and Australia have jointly issued advisory AA25-343A warning that pro-Russia hacktivist groups are conducting opportunistic attacks against operational technology (OT) systems in critical infrastructure sectors. The groups are exploiting minimally secured, internet-exposed virtual network computing (VNC) connections to gain unauthorized access to control systems governing physical processes in water, food and agriculture, and energy facilities.

Technical Details

The attack vector is technically unsophisticated but highly effective against organizations that have not hardened OT network perimeters: the hacktivist groups scan for internet-facing VNC services on ports 5900 and 5901, then authenticate using default, guessed, or previously compromised credentials.

VNC provides direct graphical access to industrial control system interfaces — SCADA displays, HMI panels, PLC configuration screens. Once authenticated, operators can modify process parameters, disable alarms, change setpoints, and in some cases issue direct commands to physical equipment.
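As an added example (not code from the advisory or from this post), the following Python parses the first two messages a VNC server sends during the RFB handshake, as captured from your own server or a packet capture, and classifies the endpoint by the authentication it offers. The sample message bytes are constructed; the risk labels are this example's own convention.

```python
import struct

# Security types from RFC 6143 plus common extensions (TLS=18, VeNCrypt=19)
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  18: "TLS", 19: "VeNCrypt"}

def parse_server_version(msg: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n'."""
    if len(msg) < 12 or not msg.startswith(b"RFB ") or msg[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = msg[4:11].decode("ascii").split(".")
    return int(major), int(minor)

def parse_security_types(version: tuple, msg: bytes) -> list:
    """Return the security types the server offers after version negotiation."""
    if version >= (3, 7):
        # RFB 3.7+: u8 count, then that many u8 security-type values
        count = msg[0]
        if count == 0:
            return []          # handshake failed; a reason string follows
        return list(msg[1:1 + count])
    # RFB 3.3: the server dictates a single type as a big-endian u32
    return [struct.unpack(">I", msg[:4])[0]]

def assess(version_msg: bytes, sectypes_msg: bytes) -> dict:
    """Classify an exposed VNC endpoint by the authentication it offers."""
    version = parse_server_version(version_msg)
    types = parse_security_types(version, sectypes_msg)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        risk = "critical"   # anyone who can reach the port gets the desktop
    elif types and all(t == 2 for t in types):
        risk = "high"       # only DES challenge-response with an 8-char password cap
    else:
        risk = "review"     # TLS/VeNCrypt or vendor types offered; check the config
    return {"version": version, "types": names, "risk": risk}

# Constructed samples of what a server would send in its first two messages
SAMPLES = {
    "no-auth": (b"RFB 003.008\n", b"\x01\x01"),
    "legacy-3.3": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),
    "tls-capable": (b"RFB 003.008\n", b"\x02\x02\x13"),
}

if __name__ == "__main__":
    for label, (ver, sec) in SAMPLES.items():
        print(label, assess(ver, sec))
```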

The advisory identifies five groups as the primary threat actors:

  • Cyber Army of Russia Reborn (CARR)
  • Z-Pentest
  • NoName057(16)
  • Sector16
  • And affiliated, loosely coordinated groups

These are not sophisticated APT actors using zero-days and custom implants. They are opportunistic groups that leverage widely available scanning tools to find exposed assets, then exploit the inherent access that unprotected remote management protocols provide. The low sophistication of the initial access method does not reduce the physical impact potential — accessing an HMI is accessing an HMI, regardless of how the attacker got there.

The advisory notes that these groups often post videos of their access to social media as propaganda, whether or not significant operational damage was caused. This creates an additional threat dimension: even minimally disruptive access events may be amplified into reputational or political damage for targeted facilities.

Exploitation Status and Threat Landscape

The joint advisory was initially published December 9, 2025, following a pattern of incidents documented through late 2025. The attacks are ongoing and characterized as opportunistic — groups scan for exposed targets broadly rather than conducting targeted reconnaissance against specific facilities.

Targeted sectors confirmed in the advisory:

  • Water and Wastewater Systems — pump stations, treatment controls
  • Food and Agriculture — processing and storage environmental controls
  • Energy — generation and distribution system interfaces

These sectors share a common vulnerability: OT systems that predate modern network security design were often connected to the internet for remote management without authentication controls appropriate to their risk level.

Who Is Affected

Any organization operating OT/ICS systems with internet-accessible VNC, RDP, or other remote desktop services — particularly with default or weak credentials — is a target. This is not a geographically targeted campaign; advisory signatories span US, UK, Canadian, and Australian agencies because the targeting is indiscriminate and international.

Water utilities, agricultural processing facilities, and smaller energy operators with limited IT/OT security staffing are at highest risk because they frequently have legacy remote access configurations that larger enterprises would have already addressed.

What You Should Do Right Now

  • Inventory and remove internet-facing OT remote access. Any HMI, SCADA, or PLC interface reachable from the internet without VPN is an immediate risk. Run internet-facing port scans against your own infrastructure (Shodan and Censys can be used for this) to identify exposures.
  • Enforce authentication on all OT remote access. VNC with no password or default credentials is the specific attack vector. Require strong authentication on all remote access paths into OT environments. If VNC is required, place it behind a VPN with MFA.
  • Segment OT from IT and internet. Implement network segmentation so that OT systems are not directly reachable from corporate IT networks or the internet. Use industrial DMZ architectures where IT-OT communication is required.
  • Enable logging on OT remote access systems. If you cannot detect VNC authentication attempts and sessions in real time, you cannot identify an active intrusion. Ensure all remote access events are logged and reviewed.
  • Review your incident response plan for physical process impacts. If an attacker modifies a setpoint or disables an alarm, your response is not IT incident response — it is operational emergency response. Ensure OT operators and security teams have coordinated playbooks.
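As an added example (not from the advisory or this post), this Python shows the kind of detection logic the logging bullet calls for: it reads constructed firewall-style log lines, flags any allowed connection to the VNC ports on the OT subnet from a source other than the approved jump host, and counts repeated connections per source. The subnet, approved source, log format and threshold are assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

VNC_PORTS = {5900, 5901}
# Assumed for the example: the OT subnet and the only approved source (VPN jump host)
OT_NETWORK = ip_network("10.20.0.0/24")
APPROVED_SOURCES = [ip_network("10.1.1.10/32")]
REPEAT_THRESHOLD = 3

# Assumed syslog-style firewall line: "<ts> fw <ALLOW|DENY> <src> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

# Constructed sample log: one approved session, one outside source hitting an HMI
SAMPLE_LOG = """\
2025-12-10T08:01:02Z fw ALLOW 10.1.1.10 -> 10.20.0.15:5900
2025-12-10T08:01:09Z fw ALLOW 203.0.113.77 -> 10.20.0.15:5900
2025-12-10T08:01:11Z fw ALLOW 203.0.113.77 -> 10.20.0.15:5900
2025-12-10T08:01:14Z fw ALLOW 203.0.113.77 -> 10.20.0.15:5901
2025-12-10T08:02:30Z fw DENY 198.51.100.9 -> 10.20.0.22:5900
2025-12-10T08:03:00Z fw ALLOW 10.1.1.10 -> 10.20.0.22:443
"""

def is_approved(src) -> bool:
    return any(src in net for net in APPROVED_SOURCES)

def analyze(log_text: str) -> dict:
    """Return unapproved VNC connections into OT and sources that repeat them."""
    unapproved = []
    attempts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        src, dst, port = ip_address(m["src"]), ip_address(m["dst"]), int(m["port"])
        if dst not in OT_NETWORK or port not in VNC_PORTS:
            continue
        # Only ALLOWed connections reached the VNC service; DENY lines are noise here
        if m["action"] == "ALLOW" and not is_approved(src):
            unapproved.append({"ts": m["ts"], "src": str(src), "dst": f"{dst}:{port}"})
            attempts[str(src)] += 1
    repeated = {s: n for s, n in attempts.items() if n >= REPEAT_THRESHOLD}
    return {"unapproved": unapproved, "repeated": repeated}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```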

Conclusion

The pro-Russia hacktivist groups targeting OT infrastructure are not technically sophisticated, but they do not need to be. Exposed VNC with weak credentials is sufficient. Organizations operating critical infrastructure with internet-facing control system interfaces should treat this advisory as a direct call to action: remove the exposure before it becomes an incident.

For any query contact us at contact@cipherssecurity.com