Pro-Russia Hacktivists Target US Critical Infrastructure: What Houston Businesses Need to Know
December 2025 CISA Advisory Details Pro-Russia Hacktivist Tactics Against OT Systems – Your HMI Devices May Be Visible To Pro-Russia Threat Actors On The Internet
TL;DR: A joint CISA advisory warns that pro-Russia hacktivist groups are exploiting unsecured VNC connections to attack US critical infrastructure, including water systems, energy facilities, and food production. These opportunistic attacks have caused physical damage and operational disruptions, making network security essential for businesses with industrial control systems.
On December 9, 2025, CISA, the FBI, NSA, and over 20 international partners released a joint cybersecurity advisory warning about ongoing attacks against US and global critical infrastructure by pro-Russia hacktivist groups. While these threat actors lack the sophistication of advanced persistent threat groups, their attacks have resulted in physical damage to industrial systems and significant operational disruptions for victim organizations.
Houston-area businesses operating in energy, water treatment, food production, and manufacturing should take immediate notice. These hacktivist groups aren’t targeting specific organizations based on strategic value—they’re exploiting any vulnerable system they can find on the internet.
Understanding the Threat
The advisory identifies four primary hacktivist groups conducting attacks against critical infrastructure:
Cyber Army of Russia Reborn (CARR): Established in early 2022 with direct support from Russia’s GRU military intelligence unit 74455. The group transitioned from DDoS attacks to targeting industrial control systems in late 2023, claiming intrusions at European wastewater facilities and US dairy farms.
NoName057(16): Created by the Center for the Study and Network Monitoring of the Youth Environment (CISM), a Kremlin-backed organization. Active since March 2022, this group has conducted frequent attacks against NATO member states and European entities perceived as hostile to Russian interests.
Z-Pentest: Formed in September 2024 by disgruntled members of CARR and NoName057(16). This group specializes in operational technology intrusions and avoids traditional DDoS attacks, preferring to claim OT compromises for greater media attention.
Sector16: The newest group, formed in January 2025 through collaboration with Z-Pentest. This novice group may receive indirect Russian government support in exchange for conducting cyber operations that align with Russian strategic objectives.
How These Attacks Work
The attack methodology employed by these groups is relatively straightforward, which makes it both easy to replicate and—fortunately—preventable with proper security measures.
The typical attack chain includes:
Scanning the internet for devices with exposed VNC (Virtual Network Computing) services, typically on port 5900 or nearby ports 5901-5910
Using brute force tools to spray common or default passwords against discovered systems
Gaining remote access to human-machine interface (HMI) devices connected to live control networks
Manipulating available settings through the graphical interface, including changing parameters, disabling alarms, modifying credentials, and restarting devices
Recording screen captures of their activities to post on Telegram channels, often with exaggerated claims about impact
Who Is at Risk
The advisory specifically identifies three sectors facing the highest risk:
Water and Wastewater Systems: Treatment facilities with internet-connected monitoring and control systems
Food and Agriculture: Processing plants, dairy operations, and agricultural facilities with automated systems
Energy Sector: Oil and gas operations, power generation facilities, and utility infrastructure
However, any organization running operational technology with internet-exposed VNC connections faces potential targeting. These groups use opportunistic methodologies, exploiting whatever vulnerable systems they discover rather than carefully selecting strategic targets.
(Source: FBI Advisory)
Real-World Impact
While these hacktivist groups often exaggerate their claims on social media, the advisory confirms they have caused actual harm:
Physical damage to industrial equipment and processes
Temporary loss of operational visibility, requiring manual intervention
Substantial labor costs for hiring programmable logic controller programmers to restore operations
Operational downtime and associated revenue losses
Network remediation expenses
The groups demonstrate a concerning willingness to target occupied facilities without consideration for human safety. Though no injuries have been reported yet, attacks against community water systems and manufacturing plants present genuine risks to public health and worker safety.
Recommended Mitigations
Organizations should implement the following protective measures immediately:
Reduce internet exposure of OT assets: Many industrial control devices can be discovered through simple internet searches. Use attack surface management tools to identify any exposed VNC systems within your IP ranges.
Implement network segmentation: Separate IT and OT networks with proper demilitarized zones for passing control data to enterprise systems.
Strengthen authentication: Eliminate default credentials, require strong unique passwords, and implement multi-factor authentication where possible. Establish IP address allowlists for authorized devices.
Enable security features: Configure control systems to separate view and control functions, limiting remote accounts to view-only access where appropriate.
Monitor and log activity: Collect traffic data from OT assets and networking devices, watching for unusual logins, unexpected protocols, and functions that modify operating modes.
Prepare for manual operations: Maintain business continuity plans that include switching to manual control, and regularly test backup systems and restoration procedures.
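A defender-side check that ties together the allowlisting and monitoring mitigations above, as an added example (not from the advisory or from CinchOps): it parses firewall connection logs in a constructed format, flags VNC connections on ports 5900-5910 from sources outside an assumed engineering-workstation allowlist (the 10.20.0.0/24 subnet is hypothetical), and reports sources whose repeated attempts in a short window look like the password spraying the advisory describes.

```python
# Flag VNC connection attempts against HMI hosts from non-allowlisted sources and
# detect spraying bursts. Constructed log format: <ISO ts> <action> proto=tcp src=<ip> dst=<ip> dport=<port>
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VNC_PORTS = range(5900, 5911)                    # 5900 plus nearby 5901-5910
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]   # hypothetical engineering subnet
BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(minutes=2)

def parse_line(line):
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return (datetime.fromisoformat(parts[0]), ip_address(fields["src"]),
                ip_address(fields["dst"]), int(fields["dport"]))
    except (IndexError, KeyError, ValueError):
        return None                              # malformed line: skip it

def analyze(lines):
    """Return (unexpected, spraying): sets of offending source IPs as strings."""
    unexpected, spraying = set(), set()
    attempts = defaultdict(list)                 # (src, dst) -> connection times
    for ts, src, dst, dport in filter(None, map(parse_line, lines)):
        if dport not in VNC_PORTS:
            continue
        if not any(src in net for net in ALLOWED_SOURCES):
            unexpected.add(str(src))             # VNC from a non-allowlisted source
        attempts[(str(src), str(dst))].append(ts)
    for (src, _), times in attempts.items():
        times.sort()                             # sliding window over sorted times
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                spraying.add(src)                # >= threshold attempts inside window
                break
    return unexpected, spraying

SAMPLE_LOG = [  # constructed sample; external IPs are RFC 5737 documentation addresses
    "2025-12-09T02:00:01 ACCEPT proto=tcp src=10.20.0.15 dst=10.50.1.7 dport=5900",
    "2025-12-09T02:00:05 ACCEPT proto=tcp src=198.51.100.23 dst=10.50.1.7 dport=5900",
    "2025-12-09T02:00:09 ACCEPT proto=tcp src=198.51.100.23 dst=10.50.1.7 dport=5900",
    "2025-12-09T02:00:13 ACCEPT proto=tcp src=198.51.100.23 dst=10.50.1.7 dport=5900",
    "2025-12-09T02:00:18 ACCEPT proto=tcp src=198.51.100.23 dst=10.50.1.7 dport=5900",
    "2025-12-09T02:00:22 ACCEPT proto=tcp src=198.51.100.23 dst=10.50.1.7 dport=5900",
    "2025-12-09T02:30:00 ACCEPT proto=tcp src=203.0.113.9 dst=10.50.1.8 dport=5901",
]

if __name__ == "__main__":
    unexpected, spraying = analyze(SAMPLE_LOG)
    print("non-allowlisted VNC sources:", sorted(unexpected), "spraying:", sorted(spraying))
```

The allowed workstation 10.20.0.15 is ignored, the single attempt from 203.0.113.9 is reported only as non-allowlisted, and 198.51.100.23 is reported for both, since five attempts within 17 seconds exceed the burst threshold.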
How CinchOps Can Help
For Houston and Katy area businesses, the threat from pro-Russia hacktivists represents exactly the kind of evolving cybersecurity challenge that demands professional expertise. CinchOps provides comprehensive managed IT support specifically designed to help small and medium-sized businesses protect their operations against both opportunistic and targeted cyber threats.
Network Security Assessment: We identify internet-exposed systems and vulnerable access points across your infrastructure, including operational technology environments
Managed Firewall and VPN Services: CinchOps implements and monitors perimeter security to control access to critical systems
Authentication Hardening: We eliminate default credentials and deploy strong password policies and multi-factor authentication throughout your organization
24/7 Security Monitoring: Our managed IT services include continuous monitoring for suspicious activity and unauthorized access attempts
Incident Response Planning: We develop and test business continuity plans to ensure you can maintain operations during and after a security incident
Employee Security Training: We educate your team on recognizing social engineering attempts and following security best practices
Don’t wait until your organization appears on a hacktivist Telegram channel. Contact CinchOps today to assess your cybersecurity posture and implement the protections your business needs.