
Russian Hacktivists Target US Infrastructure


There is a persistent assumption in cybersecurity circles that hacktivists are noisy but largely harmless — ideologically motivated actors whose bark outpaces their bite. Recent federal indictments out of the Central District of California should put that assumption to rest. They tell a different story: one in which self-styled hacktivist groups serve as operational arms of foreign intelligence services, targeting drinking water, food supply chains, and election infrastructure with coordinated precision.

The case centers on two pro-Russia groups, Cyber Army of Russia Reborn (CARR) and NoName057(16), and the charges illuminate a threat model that many organizations have not yet built into their risk frameworks.

The infrastructure under attack isn’t abstract

What makes these cases striking isn’t the sophistication of the attacks; it’s the targets. Public water systems. A meat processing facility. Nuclear regulatory websites. Election infrastructure. These are not targets chosen for financial gain. They are chosen for disruption, fear, and strategic effect. CARR’s attack on a Los Angeles-area food processing plant, which caused an ammonia leak and destroyed thousands of pounds of product, was not ransomware. It was sabotage.

This matters for how security teams prioritize. Organizations responsible for operational technology environments have long treated cyber threats as secondary to physical security and regulatory compliance. That calculus is changing. Internet-facing control systems are now active targets in a geopolitical conflict most organizations never expected to be part of.

Crowdsourced attacks: a scalable threat model

NoName057(16) introduced something worth studying closely: a gamified, volunteer-driven DDoS operation. The group built its own attack tool, DDoSia, and distributed it to volunteers around the world, running daily leaderboards and paying top contributors in cryptocurrency. At its core, this is a scalable, low-cost force multiplier. State intelligence agencies get attack capacity without directly employing the people executing it.

It also creates an attribution challenge. When an attack is launched from thousands of volunteer devices across dozens of countries, tracing it back to a state sponsor requires exactly the kind of sustained, multi-agency investigation these indictments represent. Most organizations will never see that investigation; they will only see the outage.
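What a crowdsourced flood looks like from the victim's side is worth making concrete. The script below is an added example, not code from the original post and not anything related to DDoSia or NoName057(16)'s tooling; it runs over constructed access-log records (the traffic generator, IP ranges and thresholds are all made up for illustration) and shows why a volunteer-driven flood is different from one abusive client: request volume jumps and the number of distinct sources jumps with it, so a per-IP rate limit alone never fires.

```python
"""Classify per-window HTTP traffic as normal, single-source burst, or distributed flood.

Added example with constructed data. Records are (epoch_seconds, source_ip, path);
the generator below stands in for a parsed web-server access log.
"""
from collections import defaultdict

WINDOW_SECONDS = 10


def build_sample_log():
    """Constructed traffic: normal baseline, then one noisy client, then a many-source flood."""
    records = []
    # 60 s of normal traffic: three known clients, one request each per second
    for t in range(0, 60):
        for i in range(3):
            records.append((t, f"10.0.0.{i + 1}", "/"))
    # a single noisy client (e.g. a broken scraper) hammering for 10 s
    for t in range(60, 70):
        for _ in range(40):
            records.append((t, "198.51.100.7", "/search"))
    # a distributed flood: 200 different sources, 5 requests each, spread over 10 s
    for n in range(200):
        for k in range(5):
            t = 80 + (n + k) % 10
            records.append((t, f"203.0.113.{n % 250}", "/login"))
    return records


def summarize(records):
    """Group requests into fixed windows: {window_index: {source_ip: request_count}}."""
    windows = defaultdict(lambda: defaultdict(int))
    for ts, ip, _path in records:
        windows[ts // WINDOW_SECONDS][ip] += 1
    return windows


def classify_windows(records, baseline_windows=3, burst_factor=10, min_sources=50):
    """Label each window using total volume, distinct sources, and the top source's share.

    baseline_windows: how many leading windows define the normal request volume
    burst_factor:     a window is a burst when volume exceeds burst_factor * baseline
    min_sources:      a burst is 'distributed' when at least this many sources take part
                      and no single source dominates (top source under 20% of requests)
    """
    windows = summarize(records)
    keys = sorted(windows)
    baseline = sum(sum(windows[k].values()) for k in keys[:baseline_windows]) / baseline_windows
    result = {}
    for k in keys:
        per_ip = windows[k]
        total = sum(per_ip.values())
        top_share = max(per_ip.values()) / total
        if total <= burst_factor * baseline:
            label = "normal"
        elif len(per_ip) >= min_sources and top_share < 0.2:
            label = "distributed flood"
        else:
            label = "single-source burst"
        result[k] = {
            "requests": total,
            "sources": len(per_ip),
            "top_share": round(top_share, 3),
            "label": label,
        }
    return result


if __name__ == "__main__":
    for window, info in classify_windows(build_sample_log()).items():
        start = window * WINDOW_SECONDS
        print(f"t={start:>3}s  requests={info['requests']:>5}  sources={info['sources']:>4}  "
              f"top_share={info['top_share']:.3f}  {info['label']}")
```

The single noisy client is caught by volume and would also be caught by a per-IP limit; the flood window carries more than thirty times the baseline volume while its busiest source accounts for half a percent of requests, which is the signature the page's "thousands of volunteer devices" produces and the reason upstream scrubbing or provider-level mitigation, rather than per-client blocking, is the practical response.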

The entry point: unprotected remote access

A joint advisory from federal agencies, including CISA, the FBI, and NSA, identified the specific vulnerability these groups exploited most effectively: internet-facing Virtual Network Computing (VNC) connections with minimal authentication. VNC is widely used for remote access to industrial control systems, and widely left exposed.

For security practitioners, this is a concrete and fixable problem. Exposed VNC interfaces on OT networks should be treated as critical findings, not medium-severity tickets. Network segmentation between IT and OT environments, multi-factor authentication on all remote access points, and continuous monitoring for anomalous lateral movement are the baseline controls that would have meaningfully reduced exposure to these specific attack patterns.
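The three baseline controls above can be turned into a triage rule set that an asset inventory is checked against. The script below is an added example and not a Topgallant Partners tool or anything from the advisory; it assumes a constructed inventory of remote-access services (the CSV records, hostnames and column names are made up) and ranks each one by the conditions the page names: internet exposure, VNC without strong authentication, and a flat IT/OT network that leaves OT hosts reachable from the corporate side.

```python
"""Triage remote-access exposure on an OT estate against three baseline controls.

Added example with a constructed inventory. Severity rules: internet-facing VNC
without MFA is critical; any other internet-facing remote access without MFA, or
an OT service reachable from IT without MFA, is high.
"""
import csv
import io
from dataclasses import dataclass

# RFB (VNC) listens on 5900 + display number; 5900-5909 covers typical deployments
VNC_PORTS = range(5900, 5910)

# Constructed inventory; every record is invented for illustration
SAMPLE_INVENTORY = """
host,port,protocol,zone,internet_facing,auth,reachable_from_it
hmi-01.plant.example,5900,vnc,ot,true,none,true
plc-gw.plant.example,5901,vnc,ot,false,password,true
jump-01.corp.example,22,ssh,it,true,mfa,true
scada-ws.plant.example,3389,rdp,ot,true,password,false
eng-ws.plant.example,5900,vnc,ot,false,mfa,false
"""


@dataclass(frozen=True)
class RemoteAccessService:
    host: str
    port: int
    protocol: str           # "vnc", "rdp", "ssh", ...
    zone: str               # "ot" or "it"
    internet_facing: bool
    auth: str               # "none", "password", or "mfa"
    reachable_from_it: bool  # True when IT hosts can route to it (no segmentation)


def load_inventory(csv_text):
    """Parse the inventory CSV into RemoteAccessService records."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [
        RemoteAccessService(
            host=row["host"],
            port=int(row["port"]),
            protocol=row["protocol"].lower(),
            zone=row["zone"].lower(),
            internet_facing=row["internet_facing"].lower() == "true",
            auth=row["auth"].lower(),
            reachable_from_it=row["reachable_from_it"].lower() == "true",
        )
        for row in reader
    ]


def severity(svc):
    """Return (level, reason) for one service."""
    is_vnc = svc.protocol == "vnc" or svc.port in VNC_PORTS
    if is_vnc and svc.internet_facing and svc.auth != "mfa":
        return "critical", "internet-facing VNC without MFA"
    if svc.internet_facing and svc.auth != "mfa":
        return "high", "internet-facing remote access without MFA"
    if svc.zone == "ot" and svc.reachable_from_it and svc.auth != "mfa":
        return "high", "OT service reachable from IT without MFA (no segmentation)"
    if svc.auth == "none":
        return "medium", "unauthenticated service on an internal segment"
    return "low", "exposure controls in place"


def triage(services):
    """Rank services worst-first as (level, host, port, protocol, reason) tuples."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [(*severity(s), s.host, s.port, s.protocol) for s in services]
    findings = [(lvl, host, port, proto, reason) for lvl, reason, host, port, proto in findings]
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for level, host, port, proto, reason in triage(load_inventory(SAMPLE_INVENTORY)):
        print(f"{level:<8} {host:<24} {proto}/{port:<5} {reason}")
```

Only the hostnames and booleans change between estates; the rule order is the point. The VNC rule is evaluated first so that an exposed HMI is never downgraded to the generic "remote access" bucket, and the segmentation rule catches services that are not internet-facing at all but sit on a flat network where a compromised IT host can reach them.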

TAKEAWAY

The federal response to CARR and NoName, including indictments, sanctions, international extradition, and reward offers reaching $10 million, signals that the U.S. government views these threats as serious national security matters, not just cybercrime. Security leaders in critical sectors should treat them accordingly. Threat modeling that stops at financially motivated actors is incomplete. Geopolitically motivated groups with state backing and operational discipline represent a distinct and growing risk category — one that requires both technical controls and organizational readiness to match.

At Topgallant Partners, we help organizations identify and close the exact vulnerabilities these threat actors exploit before they become headlines. Contact us today to find out how we can strengthen your security posture against nation-state and hacktivist threats.
