DOJ, CISA Warn of Russia-Linked Attacks Targeting Meat Processing Plants, Nuclear Regulatory Entities
Summary:
U.S. agencies warned critical infrastructure organizations this week of attacks launched by multiple Russian groups backed financially by the country’s government. The Cybersecurity and Infrastructure Security Agency (CISA), alongside several other U.S. and international agencies, have provided details on cyberattacks launched by CyberArmyofRussia_Reborn (CARR), NoName057(16), and related groups.
This intelligence details a persistent and evolving threat campaign targeting U.S. and global critical infrastructure sectors, including water, energy, and food processing. Originating around the onset of the 2022 Russian invasion of Ukraine, these Russian government-backed hacktivist groups initially focused on Distributed Denial-of-Service (DDoS) attacks but have since evolved to conduct more damaging intrusions into Operational Technology (OT) control systems.
These intrusions have resulted in significant physical effects, such as a November 2024 attack on a Los Angeles meat processing facility that spoiled thousands of pounds of meat and caused an ammonia leak, and attacks on water facilities that caused "damage to controls and the spilling of hundreds of thousands of gallons of drinking water." The groups' joint efforts led to the formation of Z-Pentest, which specializes in OT intrusion. The primary vector for these attacks is the exploitation of minimally secured, internet-facing Virtual Network Computing (VNC) connections to gain access to control devices. Although U.S. agencies note that the groups are "conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups," the attacks still carry significant real-world impact. The threat actors have also targeted U.S. election infrastructure and websites for nuclear regulatory entities.
The attacks are opportunistic, leveraging automated scanning for vulnerable devices, meaning small organizations and municipal critical infrastructure, even "mom and pop shops," are targeted. U.S. agencies, including CISA and the DOJ, have responded with a joint effort, including the release of an advisory, indictments against a member linked to both groups for attacks on water facilities, and the FBI's ongoing counter-threat effort, Operation Red Circus, aimed at disrupting Russian state-sponsored cyber-threats. The U.S. State Department has also offered rewards of up to $2 million and $10 million for information on individuals associated with CARR and NoName057(16), respectively.
Security Officer Comments:
The confirmed state-sponsorship and state-sanctioning of these groups by Russian entities, with CARR founded, funded, and directed by the GRU (Russia's military intelligence) and NoName057(16) linked to the Kremlin-established CISM, elevates their activity beyond typical hacktivism. This relationship suggests a deliberate strategy by the Russian state to use cyber proxies to conduct disruptive, deniable operations below the threshold of direct military conflict, primarily targeting nations supporting Ukraine. While the threat actors are assessed to have a "low level" of technical knowledge and often misunderstand the processes they aim to disrupt, leading to "haphazard attacks," their success demonstrates the critical vulnerability posed by basic misconfigurations, particularly internet-exposed VNC connections on OT networks. The opportunistic nature of their attacks, leveraging automated scanning, means that even smaller organizations or "mom and pop shops" are not immune if they have these vulnerabilities, challenging the assumption that only large, high-profile entities are targeted by state-aligned actors. The groups' willingness to attack facilities without "consideration for human safety," as seen in the physical damage to occupied factories and community facilities, suggests a significant shift in motivation towards destructive rather than purely disruptive goals.
Suggested Corrections:
For complete guidance, refer to the official CISA advisory: Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure.
To significantly reduce the risk posed by these threat actors, organizations, especially those in critical infrastructure sectors, must prioritize securing their Operational Technology (OT) environments, focusing immediately on the groups' primary TTP.
- Restrict OT Exposure: Immediately reduce or eliminate the exposure of all Operational Technology (OT) assets and control devices, especially Human-Machine Interfaces (HMIs) and Industrial Control Systems (ICS), to the public-facing internet.
- Secure Remote Access: If remote access via technologies like VNC is absolutely necessary, it must be implemented through robust, modern security controls. This includes mandatory Multi-Factor Authentication (MFA), enforcing the use of secure, high-entropy passwords, and ensuring all remote connections are tunneled through a strong Virtual Private Network (VPN) or Secure Remote Access solution that is only accessible to authorized personnel.
- Asset Management and Network Segmentation: Implement a mature asset management program to map all network devices and data flows, enabling the effective segmentation of IT and OT networks. This segmentation is crucial to prevent lateral movement from the IT side to the sensitive OT controls, limiting the potential impact of an intrusion.
- Patching and Least Privilege: Ensure all network services, especially those related to remote access and control devices, are patched to the latest versions. Furthermore, enforce the principle of least privilege, ensuring that accounts used for OT access only have the minimum permissions necessary to perform their required tasks.
- Monitoring and Detection: Enhance monitoring capabilities for the OT network, specifically looking for anomalous connection attempts to control devices and unexpected configuration changes, which are indicators of successful intrusion and manipulation.
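The "Restrict OT Exposure", "Secure Remote Access" and "Monitoring and Detection" points above can be turned into concrete checks. The following Python script is an added example, not code from the CISA advisory or from this summary. It first audits a constructed OT asset inventory for VNC services (TCP 5900-5999) that are reachable from the internet without a VPN tunnel, or remotely reachable without MFA, and then runs a simple detector over constructed firewall log lines in a hypothetical key=value format, flagging allowed inbound VNC connections from external addresses into the OT range and any source that touches several OT hosts on VNC ports, which is the automated-scanning pattern the summary describes. Host names, addresses, the inventory attributes, the OT address range and the log format are all assumptions.

```python
"""Added example (not from the CISA advisory or this summary).

Two defensive checks drawn from the suggested corrections:
  1. audit_inventory(): OT assets exposing VNC (TCP 5900-5999) to the
     internet without a VPN, or remotely reachable without MFA.
  2. detect_vnc_from_external(): allowed inbound VNC connections from
     external sources into the OT range, plus sources that reach VNC on
     many OT hosts (automated-scanning pattern).
All hosts, addresses and log lines are constructed; the key=value log
format is hypothetical.
"""
import ipaddress
import re
from collections import defaultdict

VNC_PORTS = range(5900, 6000)  # RFB/VNC display ports :0 .. :99

# Address space treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory (hypothetical hosts and attributes).
INVENTORY = [
    {"host": "hmi-chiller-01", "zone": "OT", "open_ports": [5900],
     "internet_reachable": True, "vpn_required": False, "mfa": False},
    {"host": "hmi-pump-02", "zone": "OT", "open_ports": [5900],
     "internet_reachable": True, "vpn_required": True, "mfa": False},
    {"host": "plc-line-3", "zone": "OT", "open_ports": [502],
     "internet_reachable": False, "vpn_required": True, "mfa": False},
    {"host": "eng-ws-02", "zone": "OT", "open_ports": [5901, 3389],
     "internet_reachable": True, "vpn_required": True, "mfa": True},
    {"host": "jump-01", "zone": "IT", "open_ports": [22],
     "internet_reachable": True, "vpn_required": True, "mfa": True},
]


def audit_inventory(inventory):
    """Return (host, finding) pairs for OT assets whose VNC exposure violates
    the 'Restrict OT Exposure' and 'Secure Remote Access' corrections."""
    findings = []
    for asset in inventory:
        has_vnc = any(p in VNC_PORTS for p in asset["open_ports"])
        if asset["zone"] != "OT" or not has_vnc or not asset["internet_reachable"]:
            continue
        if not asset["vpn_required"]:
            findings.append((asset["host"], "VNC internet-exposed without VPN"))
        elif not asset["mfa"]:
            findings.append((asset["host"], "VNC remote access without MFA"))
    return findings


# Constructed firewall log lines (hypothetical key=value format). The
# external source uses a TEST-NET-3 documentation address.
FIREWALL_LOG = """\
2025-12-09T03:14:07Z action=allow src=203.0.113.45 dst=10.20.1.15 dport=5900 proto=tcp
2025-12-09T03:14:09Z action=allow src=203.0.113.45 dst=10.20.1.16 dport=5900 proto=tcp
2025-12-09T03:14:11Z action=deny src=203.0.113.45 dst=10.20.1.17 dport=5901 proto=tcp
2025-12-09T03:14:12Z action=allow src=203.0.113.45 dst=10.20.1.18 dport=5900 proto=tcp
2025-12-09T08:02:33Z action=allow src=10.10.0.5 dst=10.20.1.15 dport=5900 proto=tcp
2025-12-09T08:05:10Z action=allow src=10.10.0.5 dst=10.20.1.22 dport=502 proto=tcp
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect_vnc_from_external(log_text, ot_net="10.20.0.0/16", scan_threshold=3):
    """Return alert strings for (a) allowed VNC connections from external
    sources into the OT range and (b) any source that reached VNC ports on
    at least scan_threshold distinct OT hosts, whether allowed or denied."""
    ot = ipaddress.ip_network(ot_net)
    alerts = []
    vnc_targets = defaultdict(set)  # source -> OT hosts it reached on VNC
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dst not in ot or dport not in VNC_PORTS:
            continue
        vnc_targets[str(src)].add(str(dst))
        if not is_internal(src) and m["action"] == "allow":
            alerts.append(f"{m['ts']} external {src} allowed to VNC on OT host {dst}:{dport}")
    for src, hosts in vnc_targets.items():
        if len(hosts) >= scan_threshold:
            alerts.append(f"{src} reached VNC on {len(hosts)} OT hosts (scan pattern)")
    return alerts


if __name__ == "__main__":
    for host, finding in audit_inventory(INVENTORY):
        print(f"INVENTORY  {host}: {finding}")
    for alert in detect_vnc_from_external(FIREWALL_LOG):
        print(f"LOG        {alert}")
```

On the constructed data the audit flags the HMI with VNC open straight to the internet and the one reachable only through the VPN but without MFA, while the engineering workstation behind VPN plus MFA passes. The log detector raises one alert per allowed external VNC connection into the OT range and a separate scan-pattern alert for the source that touched four OT hosts, counting denied attempts as well, since a denied probe is still evidence of scanning; the internal jump host's VNC session produces nothing. In a real deployment the internal ranges, OT range and threshold would come from the asset inventory the segmentation point above calls for.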
Link(s):
https://www.cisa.gov/news-events/cy...?utm_source=AA25-343a&utm_medium=PressRelease