U.S. cybersecurity officials and international partners have released a joint cybersecurity advisory urging operators of critical infrastructure to take immediate protective measures against a rising wave of opportunistic attacks tied to pro-Russia hacktivist groups.
The alert, published Tuesday, was jointly released by the Cybersecurity and Infrastructure Security Agency, other U.S. agencies and allied cyber authorities.
Titled “Pro-Russia Hacktivists Conduct Opportunistic Attacks Against U.S. and Global Critical Infrastructure,” the advisory stated that the groups have been scanning for and exploiting weakly secured operational technology environments across multiple sectors. Although the attacks rely on basic techniques, agencies said they have disrupted essential services and forced operators into manual procedures.
Critical infrastructure operators remain vigilant as pro-Russia hacktivist attacks escalate. Join the 2026 Cyber Summit on May 21 to learn how federal and industry experts are strengthening cyber resilience.
How Are Hacktivists Gaining Access to OT Systems?
According to the advisory, intrusions have frequently involved exposed remote access tools, including virtual network computing-connected human-machine interface devices protected by default or weak passwords. It noted that in some cases, actors gained access to OT control devices, changed system configurations and caused operational downtime.
Distributed denial-of-service campaigns have also been used to infiltrate supervisory control and data acquisition networks.
The threat groups are amplifying their operations by publicizing successful compromises and making exaggerated claims of damage to gain visibility, the advisory said.
Which Pro-Russia Hacktivist Groups Are Behind the Activity?
The advisory identifies several pro-Russia hacktivists actively involved in the campaign, including the Cyber Army of Russia Reborn, NoName057(16), Z-Pentest and Sector16, noting that these actors have shown intent to cause real-world disruption and are increasing coordination with one another.
“Russian-affiliated cyber actors continue to engage in malicious activity aimed at disrupting U.S. and allied critical infrastructure,” said Madhu Gottumukkala, acting director at CISA.
What Defensive Measures Are Agencies Recommending?
Organizations are being urged to reduce the internet exposure of industrial systems, implement strong authentication, improve asset visibility, enhance segmentation and monitoring, and adhere to secure-by-design principles.
OT device manufacturers are also encouraged to eliminate systemic weaknesses that attackers exploit.
The 2025 Annual Threat Assessment of the U.S. Intelligence Community designates Russia as a persistent cyber and critical infrastructure threat due to its advanced capabilities and success in compromising sensitive targets and pre-positioning access on U.S. infrastructure. The report highlights Moscow’s strength in integrating cyberattacks with wartime military action, which could amplify its impact on U.S. targets during a conflict.
