
Pro-Russia Hacktivists Are Targeting Your SCADA Systems Through VNC: Here’s How to Prepare

On December 9, 2025, CISA, the FBI, NSA, and a coalition of international partners issued a joint advisory with an urgent message for critical infrastructure operators: pro-Russia hacktivist groups are conducting opportunistic attacks against U.S. and global critical infrastructure, using minimally secured internet-facing VNC connections to access OT control devices, including SCADA and HMI systems.

The advisory names four groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16—that have successfully targeted water and wastewater systems, food and agriculture facilities, and energy infrastructure. These attacks have caused “varying degrees of impact, including physical damage,” according to CISA.

“Russian-affiliated cyber actors continue to engage in malicious activity aimed at disrupting U.S. and allied critical infrastructure,” said CISA Acting Director Madhu Gottumukkala. The advisory urges organizations to “act now” to implement recommended mitigations.

The Attack Pattern: Simple But Effective

What makes these attacks notable is how straightforward they are. The threat actors’ methodology is, in CISA’s own words, “relatively unsophisticated, inexpensive to execute, and easy to replicate.”

The pattern is consistent: attackers scan for internet-facing devices with open VNC ports using common tools like Nmap. They spin up temporary virtual private servers to run brute-force password attacks. Once they find devices with default, weak, or no passwords, they log into human-machine interface (HMI) systems via VNC and begin manipulating parameters.

From there, the damage escalates. Attackers change usernames and passwords, modify device names and instrument settings, disable alarms, and create “loss of view” conditions that require hands-on intervention to resolve. In some cases, they restart or shut down devices entirely. After causing disruption, they disconnect and move on to research other systems in the victim’s network.
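The sequence just described (a burst of failed VNC logins from one source, then a successful login, then changes on the HMI) is detectable from authentication logs alone. The following is an added example, not code from the advisory or from SimSpace, that runs a simple sliding-window rule over constructed log lines in a hypothetical `key=value` VNC auth log format (no real product writes exactly this format; adapt the regex to your server's log). The thresholds (five failures in 60 seconds; at least three failures before a success) are assumptions for illustration; the second source in the sample shows why a single operator typo should not page anyone.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical "key=value" VNC server
# authentication log format (not any real product's format). The first
# source shows the advisory's pattern: rapid failures, then a success.
# The second source is an operator mistyping a password once.
SAMPLE_LOG = """\
2025-12-09T03:14:01Z vnc-hmi-01 auth src=203.0.113.5 result=fail
2025-12-09T03:14:03Z vnc-hmi-01 auth src=203.0.113.5 result=fail
2025-12-09T03:14:04Z vnc-hmi-01 auth src=203.0.113.5 result=fail
2025-12-09T03:14:06Z vnc-hmi-01 auth src=203.0.113.5 result=fail
2025-12-09T03:14:08Z vnc-hmi-01 auth src=203.0.113.5 result=fail
2025-12-09T03:14:09Z vnc-hmi-01 auth src=203.0.113.5 result=success
2025-12-09T03:20:00Z vnc-hmi-01 auth src=10.20.30.7 result=fail
2025-12-09T03:20:15Z vnc-hmi-01 auth src=10.20.30.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "src": m["src"], "result": m["result"]}


def detect_vnc_bruteforce(log_text, fail_threshold=5, window_s=60, min_fails_before_success=3):
    """Return a list of alerts.

    'bruteforce': a source reached fail_threshold failures against one host
    within window_s seconds.
    'success_after_failures': a source logged in after at least
    min_fails_before_success failures inside the window (a likely guessed
    password; a single typo by an operator does not trigger it).
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(list)  # (host, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["host"], e["src"])
        # Keep only failures still inside the sliding window.
        recent_fails[key] = [t for t in recent_fails[key]
                             if (e["ts"] - t).total_seconds() <= window_s]
        if e["result"] == "fail":
            recent_fails[key].append(e["ts"])
            if len(recent_fails[key]) == fail_threshold:  # fire once per burst
                alerts.append({"type": "bruteforce", "host": e["host"], "src": e["src"],
                               "failures": fail_threshold, "at": e["ts"].isoformat()})
        elif e["result"] == "success":
            n = len(recent_fails[key])
            if n >= min_fails_before_success:
                alerts.append({"type": "success_after_failures", "host": e["host"],
                               "src": e["src"], "failures": n, "at": e["ts"].isoformat()})
            recent_fails[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_vnc_bruteforce(SAMPLE_LOG):
        print(alert)
```

The `success_after_failures` alert is the one worth paging on: on an HMI that should never be reachable from the internet, a password guessed after a burst of failures is the moment before parameters start changing, and it is far rarer than failed logins alone.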

These groups often run DDoS attacks at the same time to facilitate SCADA intrusions. Exposed VNC is the weak point: “VNC was never designed for secure remote access and typically lacks strong encryption,” which makes it an ideal target for opportunistic attackers.

Why “Unsophisticated” Doesn’t Mean “Harmless”

The advisory is careful to distinguish these hacktivist groups from advanced persistent threat (APT) actors. Their techniques are basic, their targeting is opportunistic, and they frequently exaggerate their claims for propaganda purposes. But dismissing them as a nuisance would be a mistake.

CISA’s warning is explicit: “Attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety.” Disabled safety mechanisms in an OT environment can have serious consequences, including scenarios that put lives at risk.

And the connection to Russian state interests is becoming clearer. John Hultquist, chief analyst at Google Threat Intelligence Group, noted that the advisory “confirms our earlier assessment of ties between hacktivist front Cyber Army of Russia Reborn (CARR) and Russia’s military intelligence service.”

These hacktivists target what security researchers call “the slowest gazelles”: organizations with minimal defenses, exposed assets, and inadequate monitoring. The attacks may be unsophisticated, but against unprepared targets, they work.

What CISOs Should Do Now, and How to Do It

Mitigation and Validation

The CISA advisory provides a clear list of mitigations: remove OT assets from the public internet, implement strong authentication, segment networks, and adopt mature asset management processes. Any organization that hasn’t implemented them should do so immediately.

But implementing mitigations and validating that defenses actually work are two different things. Tabletop exercises can walk through theoretical scenarios, but they can’t replicate the pressure of a simultaneous DDoS attack and SCADA intrusion—the combination these groups actually use. Security leaders need confidence that their teams can detect and respond to these attacks under realistic conditions, with realistic time pressure, before damage occurs.

Start with the fundamentals: audit your environment for internet-exposed VNC connections, enforce strong authentication on all remote OT access, and ensure proper network segmentation between IT and OT systems. Then go beyond compliance. Validate that your security team can actually detect these attacks under realistic conditions. Measure your current detection and response baselines, identify gaps, and use that data to drive improvement.
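The first fundamental above, auditing for internet-exposed VNC, is easiest to repeat on a schedule if the check is scripted. The following is an added example, not code from CISA or SimSpace, that parses Nmap's grepable (`-oG`) output from a scan of an organization's own external address range and reports every host with an open VNC-family port. The sample output and hostnames are constructed (RFC 5737 documentation addresses); the port-range rule (display N on 5900+N, the browser client on 5800+N) is standard VNC convention, and the script deliberately ignores `filtered` ports because they are not reachable and so not exposed.

```python
import re

# Constructed sample of Nmap "grepable" (-oG) output as it would look after
# scanning an organization's OWN externally reachable address range
# (RFC 5737 documentation addresses; hostnames are invented).
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -p 22,80,5800,5900-5910 -oG - 198.51.100.0/28
Host: 198.51.100.3 (hmi-pump-station-2.example.net)\tPorts: 5900/open/tcp//vnc///, 80/open/tcp//http///\tIgnored State: closed (9)
Host: 198.51.100.5 ()\tPorts: 22/open/tcp//ssh///, 5901/filtered/tcp//vnc-1///\tIgnored State: closed (9)
Host: 198.51.100.9 ()\tPorts: 5800/open/tcp//vnc-http///\tIgnored State: closed (10)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")


def parse_grepable(text):
    """Yield (ip, hostname, port, state, service) for each port entry in -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no Ports field
        for entry in m["ports"].split(", "):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            yield m["ip"], m["name"], int(fields[0]), fields[1], fields[4]


def is_vnc_port(port, service):
    """VNC display N normally listens on 5900+N; 5800+N serves the browser client."""
    return 5900 <= port <= 5999 or 5800 <= port <= 5899 or service.startswith("vnc")


def find_exposed_vnc(text):
    """Return hosts with an OPEN VNC-family port, sorted for reporting.

    Filtered ports are not reported: they are unreachable and so not exposed."""
    findings = []
    for ip, name, port, state, service in parse_grepable(text):
        if state == "open" and is_vnc_port(port, service):
            findings.append({"ip": ip, "hostname": name or None,
                             "port": port, "service": service})
    return sorted(findings, key=lambda f: (f["ip"], f["port"]))


if __name__ == "__main__":
    for f in find_exposed_vnc(SAMPLE_NMAP_GREPABLE):
        print(f"{f['ip']:16} {f['hostname'] or '-':36} {f['port']}/tcp {f['service']}")
```

Every line this prints is an asset that should be behind a VPN or jump host with MFA rather than on the public internet; the empty-result run, repeated weekly, is the evidence that the first mitigation actually holds.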

The organizations that prepare now—with realistic training and validated defenses—will be ready when they become the next target.

Where Cyber Ranges Prove Their Value

A realistic OT cyber range allows teams to face scenarios that mirror these exact attack patterns: adversary emulation using documented hacktivist TTPs, combined DDoS and intrusion scenarios, and realistic SCADA/HMI environments where defenders have to distinguish malicious activity from normal operations.

SimSpace’s cyber range supports realistic emulations of industrial control system environments—including SCADA systems, PLCs, and industrial protocols like Modbus and DNP3—where teams can train against the specific attack patterns described in the CISA advisory. And because SimSpace supports on-premises, SaaS, and hybrid deployment models, organizations can replicate sensitive OT environments without the constraints that purely cloud-hosted ranges impose.

The result is quantifiable data on detection time and response effectiveness: metrics that matter when the threat is already active in the wild.

To browse attacks like these available in a realistic SimSpace cyber range, download our Attack Catalog.

SimSpace Weiner
SimSpace

For elite cybersecurity teams under siege in an AI-fueled threat landscape, SimSpace is the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins. To learn how SimSpace helps organizations graduate from individual to team and AI model training; test tools, tech stacks, and AI agents; and validate controls, processes, and agentic workflows, visit: http://www.SimSpace.com.
