Pro‑Russia hacktivist collectives have mounted a wave of opportunistic intrusions against internet‑exposed operational technology (OT) devices worldwide, exploiting unsecured Virtual Network Computing (VNC) connections and weak or default credentials to access human‑machine interfaces (HMIs) in water, energy, and food‑sector systems — a trend government agencies warn can cause nuisance physical effects today and potentially escalate into far more serious safety and availability incidents if left unchecked.
Source: CISA Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure | CISA
Background
Since 2022, a growing constellation of pro‑Russia hacktivist groups — including Cyber Army of Russia Reborn (CARR), NoName057(16), Z‑Pentest, and newly formed affiliates such as Sector16 — have publicly claimed and, in some cases, demonstrated intrusions into OT networks and HMIs linked to small and mid‑size critical infrastructure operators across North America and Europe. Government authoring organizations issued a joint fact sheet in May 2024 that catalogues these activities, maps the adversaries’ common tactics, and prescribes immediate mitigations for defenders. This wave of activity is distinct in scale and intent from the higher‑skill, state‑level advanced persistent threat (APT) campaigns historically observed against industrial targets, but it sits on the same general threat continuum: low‑sophistication techniques applied at scale against badly configured OT assets can produce tangible operational impacts. U.S. and allied agencies emphasize that while hacktivists generally demonstrate limited technical sophistication, their opportunistic behavior and willingness to manipulate live control interfaces have produced real‑world disturbances — for example, short‑lived overflows and equipment parameter excursions in water systems — and thus demand urgent attention. For historical context, state‑linked Russian cyber campaigns against critical infrastructure have long leveraged simple service exposure and credential weaknesses as initial vectors; recent hacktivist activity echoes those same exploitation patterns but with broader public bragging and rapid social‑media amplification.
Who’s doing this and why
The actors
- Cyber Army of Russia Reborn (CARR) — emerged publicly in 2022 and later claimed HMI manipulations; acts as a pro‑Russia propaganda and action platform.
- NoName057(16) — a high‑activity DDoS‑centric collective that also distributes tooling and has been linked to coordinated campaigns; law enforcement disruption operations in 2025 have targeted elements of this group.
- Z‑Pentest and Sector16 — newer configurations and splinter channels made up of operators and administrators from the groups above; these actors increasingly claim OT intrusions and post HMI defacements or recordings to Telegram and other platforms.
The motivation
- Notoriety and propaganda: Many members seek attention and influence; public claims serve recruitment, messaging, and morale functions.
- Proxy amplification: Even if not fully state‑directed, some groups operate in a strategic alignment with Russian geopolitical aims; in multiple cases these actors have benefited from direct or indirect support. Government authors note the blurred lines between purely independent hacktivism and state‑aligned activity.
Technical overview: how these groups operate
The operational pattern described by the joint advisory and corroborating industry reporting is simple, opportunistic and highly replicable. The adversaries exploit internet‑accessible VNC services and misconfigured HMIs to gain remote GUI access and then manipulate device settings. Key technical elements include:
- Scanning and reconnaissance for internet‑facing VNC services (commonly on port 5900 and neighbouring ports 5901–5910).
- Renting or spinning up transient Virtual Private Servers (VPS) to run scanning and brute‑force tooling to avoid easy attribution.
- Using credential spraying and default/weak passwords to authenticate into HMI GUIs.
- Leveraging the HMI’s graphical interface to change setpoints, disable alarms, alter device names or credentials (causing loss of view), and sometimes restart or shut down operator displays — actions that force manual fallbacks and operational costs.
Notable incidents and the real impact
Reporting and incident investigations show two important truths: the consequences so far have been mostly nuisance or short‑duration physical impacts, but the same basic methods can produce far worse effects in the right circumstances.
- Water and wastewater systems: Multiple utilities experienced HMI manipulations that caused pumps and blowers to exceed normal operating parameters; some facilities saw minor tank overflows and had to switch to manual controls. Operators reported changed setpoints, muted alarms, and credential changes that produced a loss of remote view.
- Agriculture and dairy operations: Public claims by these groups include intrusions into farm HMIs and defacements; while the veracity and impact of every claim varies, several operators required significant labor for remediation.
- Energy sector: Reported incidents include tampering with HMI readouts and temporary loss of view; investigators caution that manipulation of setpoints or command messages in more complex facilities could lead to equipment damage or safety risks.
Why VNC and HMIs are an attractive target
- VNC is widely used for legitimate remote maintenance and monitoring of HMIs and PLCs, especially in smaller organizations with limited OT staffing. When VNC is internet‑exposed without compensating controls, it becomes a direct remote control channel.
- Many OT devices were designed before ubiquitous internet connectivity and lack modern access controls; default credentials, lack of MFA, and inadequate logging make fast, low‑cost compromise feasible for unsophisticated actors.
- Attackers can obtain proof and publicity quickly: a short screen recording of setpoint movements or a defaced HMI is a high‑visibility trophy that fuels social‑media recruitment.
What the advisory recommends (operational mitigations)
The joint guidance provides both immediate and strategic mitigation steps operators should implement. Key actionable recommendations include:
- Remove or harden internet exposure of OT devices: Segregate OT networks from the internet wherever possible; if remote access is required, use secure VPNs or jump hosts with strict allowlists.
- Eliminate default credentials and enforce strong password policies: Replace vendor default accounts, implement unique, complex passwords for all OT device accounts, and rotate credentials on a schedule.
- Deploy multifactor authentication (MFA) for privileged access: Make MFA mandatory for all administrative access to HMIs, engineering workstations, and remote access gateways.
- Harden HMI/VNC access: Disable VNC when not required, limit access to specific management subnets, or use modern, authenticated remote management alternatives. Implement allowlists for management IPs.
- Enable logging and monitoring: Ensure HMIs and controllers produce change and access logs; centralize and retain logs for forensic analysis and detection.
- Patch and apply secure‑by‑design principles: Update VNC and other remote access software promptly; pressure OT vendors to remove insecure defaults, include logging and MFA by default, and publish Software Bills of Materials (SBOMs).
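The perimeter recommendations above (block VNC at the edge, allow it only from specific management subnets or jump hosts) can be checked mechanically against a firewall policy rather than trusted by inspection. The Python script below is an added example written for this article, not code from CISA, the advisory, or any vendor. It assumes a simplified first‑match, layer‑3/4 policy model, a constructed OT inventory, a management subnet of 10.10.0.0/24 with a jump host at 10.10.0.5, and treats RFC 1918 sources as non‑internet; it audits a weak policy beside a hardened one and reports every VNC listener on ports 5900–5910 that a packet from a public address could reach.

```python
"""Audit a perimeter firewall policy for internet-reachable VNC listeners on OT assets."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# VNC display 0 plus the neighbouring display ports named in the advisory.
VNC_PORTS = range(5900, 5911)

# RFC 1918 space; any source outside it is treated as the public internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"; first matching rule wins
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    ports: tuple[int, int]   # inclusive destination TCP port range


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    listening: tuple[int, ...]  # TCP ports the device actually listens on


@dataclass(frozen=True)
class Finding:
    asset: str
    ip: str
    port: int


def _is_private_only(cidr: str) -> bool:
    """True if every source address the rule covers is RFC 1918."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def reachable_from_internet(rules: list[Rule], dst_ip: str, port: int) -> bool:
    """Walk the policy top-down as a firewall would for a packet from a public source.

    Rules whose source is confined to private space can never match such a packet,
    so they are skipped; the first rule that can match decides the verdict.
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        lo, hi = rule.ports
        if not (lo <= port <= hi and dst in ipaddress.ip_network(rule.dst)):
            continue
        if _is_private_only(rule.src):
            continue
        return rule.action == "allow"
    return False  # implicit default deny at the end of the policy


def audit_exposure(assets: list[Asset], rules: list[Rule]) -> list[Finding]:
    """Return every VNC listener on an OT asset that the policy exposes to the internet."""
    findings: list[Finding] = []
    for asset in assets:
        for port in asset.listening:
            if port in VNC_PORTS and reachable_from_internet(rules, asset.ip, port):
                findings.append(Finding(asset.name, asset.ip, port))
    return findings


# --- Constructed sample data (hypothetical site, not from the advisory) ----------
OT_ASSETS = [
    Asset("hmi-pump-1", "192.168.50.10", (5900, 502)),
    Asset("hmi-blower", "192.168.50.11", (5901,)),
    Asset("eng-ws", "192.168.60.5", (5900, 3389)),
]

# Weak policy: a "temporary" vendor remote-maintenance rule opens the HMI subnet's
# VNC ports to the whole internet ahead of the management-only rule.
WEAK_POLICY = [
    Rule("allow", "0.0.0.0/0", "192.168.50.0/24", (5900, 5910)),
    Rule("allow", "10.10.0.0/24", "192.168.0.0/16", (5900, 5910)),
]

# Hardened policy: VNC only from a single jump host on the management network,
# with an explicit deny for everything else destined to the OT ranges.
HARDENED_POLICY = [
    Rule("allow", "10.10.0.5/32", "192.168.0.0/16", (5900, 5910)),
    Rule("deny", "0.0.0.0/0", "192.168.0.0/16", (0, 65535)),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = audit_exposure(OT_ASSETS, policy)
        print(f"{label}: {len(found)} internet-reachable VNC listener(s)")
        for f in found:
            print(f"  {f.asset} {f.ip}:{f.port}")
```

The model deliberately ignores NAT, zones and stateful inspection, so a clean result here is a necessary but not sufficient condition; the findings list is meant to feed the isolation step, and the hardened ruleset shows the shape of the allowlist the advisory asks for (one jump host, explicit deny, no broad "allow from anywhere" ahead of it).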
Practical prioritized checklist for OT operators (ranked steps)
- Inventory all OT devices that are reachable from the internet and immediately isolate any that are not mission‑critical.
- Change all default credentials and enforce unique, strong passwords for all HMI/PLC/engineering accounts.
- Implement MFA and restrict remote access to a small number of pre‑approved management hosts behind strong VPN or jump server architecture.
- Block or restrict VNC traffic at the enterprise/edge firewall; if VNC must be used, only allow it over authenticated, auditable tunnels and to internal IP ranges.
- Enable and export HMI change and access logs to a secure SIEM or central collector; set alerts for unusual account changes or repeated authentication failures.
- Practice failover to manual controls and rehearse incident playbooks that include steps to regain view and restore trusted configurations.
- Engage vendors about secure‑by‑default requirements: built‑in logging, no default credentials, MFA options, and SBOMs.
Incident response: immediate steps when compromise is suspected
- Assume compromise for any internet‑exposed system with default or weak credentials; quarantine affected hosts and remove them from the network.
- Collect volatile artifacts (running processes, open connections, recent logins) and image affected systems for forensic analysis.
- Reimage compromised hosts and re‑provision credentials; do not reuse the same credentials on restored systems.
- Report incidents to national authorities (CISA/FBI/NSA in the U.S.; equivalent agencies internationally) and, where applicable, ISACs for sector collaboration.
Manufacturer accountability: secure‑by‑design is a must
The advisory explicitly calls on OT device manufacturers to adopt secure‑by‑default principles and shoulder responsibility for customer security outcomes. Recommended manufacturer actions include:
- Ship products without default credentials and enforce unique initial passwords or provisioning workflows.
- Provide built‑in logging and change control capabilities at no extra cost and support open logging formats.
- Offer MFA options for engineering and configuration interfaces, especially where safety‑impacting changes can be made.
- Publish SBOMs to help operators rapidly assess exposure when third‑party library vulnerabilities are disclosed.
Analysis: strengths of the advisory and remaining gaps
Strengths
- Clear, actionable guidance: The advisory focuses on high‑leverage mitigations (remove internet exposure, remove defaults, MFA, logging) that defenders can implement quickly.
- Cross‑agency coordination: Co‑sponsorship by CISA, FBI, NSA and international partners increases credibility and operational reach, enabling harmonized reporting and response.
- Realistic threat framing: The authors balance the need to warn with caution about exaggerated claims, which helps reduce knee‑jerk reactions while still conveying urgency.
Gaps and risks
- Implementation capacity at small utilities: Many water and wastewater system (WWS) and rural operators lack the staff, budget, and vendor support to fully implement the guidance quickly; bridging that gap will require funding, managed services, or direct government assistance.
- Legacy device constraints: Devices that cannot be patched, reconfigured or replaced present a persistent exposure; SBOMs and vendor cooperation are necessary but will take time.
- Attribution and escalation risk: Even if many actors are low‑skill hacktivists, opportunistic intrusions can be co‑opted by more capable adversaries or unintentionally create conditions for safety hazards. The line between nuisance and catastrophic impact can be thin when industrial processes are involved.
Law enforcement and disruption activity
International law enforcement has taken action against some pro‑Russian hacktivist infrastructure. Coordinated operations in mid‑2025 targeted networks and servers used by NoName057(16), resulting in disruption of parts of their infrastructure and issuance of arrest warrants in multiple countries. These actions demonstrate an appetite among allied authorities to disrupt infrastructure that enables politically motivated cyber operations, but legal and operational complexities limit the scope and speed of takedowns.
Broader implications for cybersecurity strategy
- Operational risk management must include OT exposures: Boards and CISOs need to bring OT internet exposure into enterprise risk registers, prioritize it for remediation, and fund long‑term device modernization.
- Cross‑sector collaboration is essential: Information sharing among vendors, ISACs, regulators, and national agencies accelerates detection and remediation for small operators who otherwise lack resources.
- Procurement rules must change: Entities buying OT equipment should require secure defaults, logging, MFA, and SBOMs contractually. Regulators and large buyers can push the market toward secure‑by‑design through procurement leverage.
What defenders should do this week (rapid response playbook)
- Run an internet scan to enumerate any HMIs, VNC servers, or PLC management interfaces reachable from public IP space. Prioritize immediate isolation of any such hosts.
- Force rotation of all administrative credentials and disable any unused remote management channels.
- Require MFA for all privileged accounts and block VNC at the perimeter unless tunneled via approved jump hosts.
- Start ingesting HMI and device logs into a centralized monitoring solution and tune alerts for credential changes and alarm suppressions.
- Practice a tabletop exercise simulating a loss of view event to rehearse manual operations and communications with regulators and the public.
Caution on claims and public communication
Operators and journalists should treat public claims by hacktivist channels with skepticism. Adversary videos and posts are often staged, incorrect, or deliberately misleading. Accurate incident characterization requires forensics and coordination with government partners. The advisory’s approach — warn urgently but verify claims — is the prudent path for communicating about operational impacts without amplifying disinformation.
Conclusion
The joint advisory crystallizes a simple but dangerous reality: small faults in OT security — internet‑exposed VNC services, default passwords, lack of MFA and insufficient logging — create high‑impact opportunities for low‑cost adversaries. While pro‑Russia hacktivists to date have mostly produced nuisance outcomes and publicity stunts, their tactics can and do impose real operational costs and carry latent safety risks. The remedy is neither exotic nor discretionary: immediate isolation of internet‑facing OT assets, elimination of default credentials, enforced MFA, comprehensive logging, and a sustained push for secure‑by‑default OT products.
Public‑ and private‑sector leaders must convert the advisory’s guidance into funded action plans and vendor accountability measures today. Failure to act will leave essential services — water, energy, food — vulnerable to continued opportunistic tampering that, in the wrong context, could escalate from nuisance to crisis.