Pro-Russia hacktivists conduct opportunistic attacks against US and global critical infrastructure

11:00am, 15 December 2025

TLP Rating: Clear

The NCSC, along with international partners, has issued a joint advisory that:

  • details the development of four pro-Russia hacktivist groups (Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest and Sector16), as well as their techniques, tactics and procedures (TTPs) for targeting operational technology (OT) vendors and critical infrastructure operators.
  • provides awareness of specific malicious activities and useful mitigations for OT and critical infrastructure asset owners, operators and device manufacturers.

Partners include:

  • U.S. Department of Energy (DOE)
  • U.S. Environmental Protection Agency (EPA)
  • U.S. Department of Defense Cyber Crime Center (DC3)
  • U.S. Federal Bureau of Investigation (FBI)
  • U.S. Cybersecurity and Infrastructure Security Agency (CISA)
  • U.S. National Security Agency (NSA)
  • Europol European Cybercrime Centre (EC3)
  • EUROJUST – European Union Agency for Criminal Justice Cooperation
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC)
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Security Intelligence Service (CSIS)
  • Czech Republic Military Intelligence (VZ)
  • Czech Republic National Cyber and Information Security Agency (NÚKIB)
  • Czech Republic National Centre against Terrorism, Extremism, and Cyber Crime (NCTEKK)
  • French National Cybercrime Unit – Gendarmerie Nationale (UNC)
  • French National Jurisdiction for the Fight Against Organized Crime (JUNALCO)
  • German Federal Office for Information Security (BSI)
  • Italian State Police (PS)
  • Latvian State Police (VP)
  • Lithuanian Criminal Police Bureau (LKPB)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • Romanian National Police (PR)
  • Spanish Civil Guard (GC)
  • Spanish National Police (CNP)
  • Swedish Polisen (SC3)
  • United Kingdom National Cyber Security Centre (NCSC-UK)

What's happening

Systems affected

The authoring organisations assess pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalising on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.

What this means

The authoring organisations encourage critical infrastructure organisations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. For additional information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Threat Overview and Advisories webpage.

What to look for

How to tell if you're at risk

If your organisation or role involves sensitive data, policy, or research (particularly in areas of geopolitical interest), you may be a target for spear-phishing. Review recent communications for suspicious or unexpected sender behaviour.

What to do

Prevention

  • Reduce exposure of OT assets to the public-facing internet.
  • Adopt mature asset management processes, including mapping data flows and access points.
  • Ensure that OT assets are using robust authentication procedures.
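
One way to check the first two prevention points against your own firewall rule export, as an added example that is not part of the advisory. The asset inventory, rule format, names and addresses are constructed for illustration, and the VNC port ranges are an assumption based on the conventional 5900+N / 5800+N numbering.

```python
import ipaddress

# Conventional VNC TCP ports: 5900+N (RFB display N) and 5800+N (HTTP viewer).
# Treating N as 0-99 is an assumption of this example.
VNC_PORTS = [(5800, 5899), (5900, 5999)]
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: address -> (name, zone). Not real systems.
ASSETS = {
    "10.20.0.11": ("wtp-hmi-01", "OT"),
    "10.20.0.12": ("wtp-plc-gw", "OT"),
    "10.30.0.5": ("office-print", "IT"),
}

# Constructed inbound allow rules: (id, source CIDR, destination CIDR, "lo-hi" TCP ports).
RULES = [
    ("r1", "0.0.0.0/0", "10.20.0.11/32", "5900-5900"),
    ("r2", "10.50.0.0/24", "10.20.0.0/24", "5900-5910"),   # internal source only
    ("r3", "203.0.113.0/24", "10.20.0.12/32", "1-65535"),  # broad range hides VNC
    ("r4", "0.0.0.0/0", "10.30.0.5/32", "5900-5900"),      # not an OT asset
    ("r5", "0.0.0.0/0", "10.20.0.0/24", "443-443"),        # no VNC port
]

def source_is_external(cidr):
    """True unless the whole source range sits inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(i) for i in INTERNAL)

def vnc_overlap(port_range):
    """True if the rule's port range overlaps any VNC port range."""
    lo, hi = (int(p) for p in port_range.split("-"))
    return any(lo <= v_hi and hi >= v_lo for v_lo, v_hi in VNC_PORTS)

def exposed_ot_vnc(rules=RULES, assets=ASSETS):
    """List (rule id, asset name, source, ports) for OT assets whose VNC
    ports are reachable from outside the internal address space."""
    findings = []
    for rule_id, src, dst, ports in rules:
        if not (source_is_external(src) and vnc_overlap(ports)):
            continue
        dst_net = ipaddress.ip_network(dst, strict=False)
        for addr, (name, zone) in sorted(assets.items()):
            if zone == "OT" and ipaddress.ip_address(addr) in dst_net:
                findings.append((rule_id, name, src, ports))
    return findings

if __name__ == "__main__":
    for finding in exposed_ot_vnc():
        print("REVIEW:", *finding)
```

Rules flagged this way are candidates for removal or for replacement with access through a VPN or jump host that enforces authentication.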

Mitigation

The authoring organisations recommend organisations implement the mitigations detailed in the advisory to help improve cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

More information

Download the advisory.

If you require more information or further support, submit a report on our website:

Report an incident.

If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.