CISA, FBI, and NSA issued joint advisory AA25-343A on December 9, 2025, warning of active campaigns by four pro-Russia hacktivist groups exploiting VNC vulnerabilities in OT/ICS systems worldwide.
THREAT ACTORS IDENTIFIED:
- Cyber Army of Russia Reborn (CARR) – GRU Unit 74455 linked
- NoName057(16) – Kremlin CISM creation
- Z-Pentest – CARR/NoName merger, OT-specialized
- Sector16 – Emerging January 2025
ATTACK VECTOR: Mass exploitation of exposed VNC services (ports 5900-5910) with default/weak credentials on HMI devices. The resulting direct SCADA access leads to parameter modifications, alarm disabling, and operational disruptions across the water, energy, and agriculture sectors.
IMMEDIATE ACTIONS: Scan external attack surface, eliminate default credentials, implement MFA, enforce IT/OT segmentation, and deploy continuous monitoring for unauthorized VNC connections.
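One way to monitor for unauthorized VNC connections, shown as an added example that is not taken from the advisory or from RadioCSIRT. The key=value firewall log format, the OT subnet, the approved jump-host range and the sample lines are all constructed assumptions.

```python
"""Flag TCP connections to VNC ports on OT hosts from unapproved sources."""
import ipaddress
import re
from collections import defaultdict

VNC_PORTS = range(5900, 5911)  # port range named in the summary above
# Assumed placeholders: replace with your own OT subnets and jump hosts.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2025-12-09T08:00:01Z action=ACCEPT proto=tcp src=10.10.5.4 dst=10.20.1.15 dport=5900
2025-12-09T08:02:17Z action=ACCEPT proto=tcp src=203.0.113.44 dst=10.20.1.15 dport=5900
2025-12-09T08:02:19Z action=DROP proto=tcp src=203.0.113.44 dst=10.20.1.16 dport=5901
2025-12-09T08:02:21Z action=ACCEPT proto=tcp src=203.0.113.44 dst=10.20.3.7 dport=5910
2025-12-09T08:05:40Z action=ACCEPT proto=tcp src=198.51.100.9 dst=10.20.1.15 dport=443
2025-12-09T08:06:02Z action=ACCEPT proto=udp src=198.51.100.9 dst=10.20.1.15 dport=5900
malformed line without fields
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def find_unauthorized_vnc(log_text):
    """Return {src: {"accepted": [(dst, port)], "blocked": [(dst, port)]}}."""
    findings = defaultdict(lambda: {"accepted": [], "blocked": []})
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            port = int(f["dport"])
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete records
        if f.get("proto") != "tcp" or port not in VNC_PORTS:
            continue  # VNC (RFB) runs over TCP
        if not _in_any(dst, OT_NETS) or _in_any(src, APPROVED_SOURCES):
            continue  # only OT destinations, only unapproved sources
        bucket = "accepted" if f.get("action") == "ACCEPT" else "blocked"
        findings[str(src)][bucket].append((str(dst), port))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in find_unauthorized_vnc(SAMPLE_LOG).items():
        # An accepted session means an HMI was reachable: treat as an incident lead.
        print(src, "accepted:", hits["accepted"], "blocked:", hits["blocked"])
```

Accepted entries show a segmentation gap that let the session through, while blocked entries from the same source across several hosts indicate a sweep that the firewall stopped.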
TARGET AUDIENCE: CERT, CSIRT, SOC Teams, CISOs, Critical Infrastructure Operators
DURATION: 8 minutes of dense technical intelligence
PRODUCED BY: RadioCSIRT – Daily cyber threat intelligence for operational defense teams