
CISA, together with the FBI, the Department of Energy, the EPA, and international partners, has issued a joint advisory highlighting ongoing DDoS and intrusion attacks targeting operational technology (OT) and industrial control systems (ICS) within critical infrastructure. The alert focuses on opportunistic campaigns conducted by pro-Russia hacktivist groups, which continue to exploit exposed OT devices—including SCADA and HMI systems—over the internet.
These groups—including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16—primarily scan for internet-facing VNC devices, leveraging default or weak passwords to gain access. While their attacks are technically unsophisticated, they often combine DDoS campaigns with direct manipulation of HMI systems to disrupt operations, cause loss-of-view incidents, and generate remediation work. Targeted sectors include water and wastewater, energy, and food and agriculture.
Attack methods
According to the advisory, hacktivist activity typically follows a straightforward pattern:
- Scan for exposed VNC-enabled OT devices on public IP ranges.
- Use brute-force or default credentials to gain access.
- Manipulate HMI settings, change credentials, disable alarms, or restart devices.
- Launch DDoS attacks against affected networks to facilitate intrusions or distract operators.
- Publicly post evidence of the compromise, often exaggerating impact.
Even low-sophistication attacks can disrupt operations, requiring manual intervention, recovery of PLCs, or restoration of HMI configurations.
Mitigation measures
CISA and partners recommend the following to reduce risk:
- Remove internet-facing OT systems or restrict access via VPNs, firewalls, and time-limited connections.
- Enforce strong authentication, replace default passwords with unique, robust credentials, and enable phishing-resistant MFA where possible.
- Segment IT and OT networks and introduce DMZs to limit potential DDoS and intrusion impact.
- Monitor network traffic for unusual connections, logins, or protocol use that could indicate scanning, brute-force attempts, or DDoS activity.
- Maintain manual control readiness with tested backups, fail-safes, and disaster recovery procedures.
- Coordinate with vendors and service providers to identify and remediate misconfigurations that may create vulnerabilities.
The advisory also encourages asset owners to implement mature asset management practices, map data flows, and validate security controls against MITRE ATT&CK techniques relevant to OT intrusions.
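As an added illustration of the monitoring recommendation above (this is example code, not from the advisory or from FastNetMon), the following Python script runs three simple detection rules over constructed connection-log lines: accepted VNC sessions from outside sources that are not on an allow-list, repeated attempts against one VNC endpoint within a short window, and a single source touching VNC on several hosts. The log format, the allow-list entry and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample connection log (not from the advisory): "<ts> <src> -> <dst>:<port> <ACCEPT|DENY>"
SAMPLE_LOG = """\
2024-05-01T02:00:01 203.0.113.9 -> 192.168.10.5:5900 ACCEPT
2024-05-01T02:00:09 203.0.113.9 -> 192.168.10.5:5900 ACCEPT
2024-05-01T02:00:20 203.0.113.9 -> 192.168.10.5:5900 ACCEPT
2024-05-01T02:00:31 203.0.113.9 -> 192.168.10.5:5900 ACCEPT
2024-05-01T02:10:00 198.51.100.7 -> 192.168.10.5:5900 DENY
2024-05-01T02:10:01 198.51.100.7 -> 192.168.10.6:5900 DENY
2024-05-01T02:10:02 198.51.100.7 -> 192.168.10.7:5901 DENY
2024-05-01T03:00:00 10.20.0.4 -> 192.168.10.5:5900 ACCEPT
2024-05-01T03:05:00 192.168.10.20 -> 192.168.10.5:80 ACCEPT
"""

VNC_PORTS = {5800, 5900, 5901, 5902}  # common RFB / VNC-over-HTTP listener ports
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SOURCES = {"10.20.0.4"}  # hypothetical: the only approved remote-access gateway

def parse(line):
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def detect(log_text, window=timedelta(minutes=5), threshold=4, scan_hosts=3):
    external = set()                 # accepted VNC sessions from unapproved outside sources
    by_flow = defaultdict(list)      # (src, dst_ip, port) -> timestamps of attempts
    hosts_by_src = defaultdict(set)  # src -> distinct VNC targets it touched
    for line in log_text.strip().splitlines():
        ts, src, dst_ip, port, action = parse(line)
        if port not in VNC_PORTS:
            continue                 # only VNC traffic matters for this check
        if action == "ACCEPT" and not is_internal(src) and src not in ALLOWED_SOURCES:
            external.add(src)
        by_flow[(src, dst_ip, port)].append(ts)
        hosts_by_src[src].add(dst_ip)
    brute = set()
    for (src, dst_ip, port), stamps in by_flow.items():
        stamps.sort()
        # `threshold` attempts on one VNC endpoint inside `window` looks like password guessing
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            brute.add((src, f"{dst_ip}:{port}"))
    # one source touching VNC on several hosts is the scanning step described above
    scanning = {s for s, hosts in hosts_by_src.items() if len(hosts) >= scan_hosts}
    return {"external": sorted(external), "bruteforce": sorted(brute), "scanning": sorted(scanning)}
```

In production the same rules would be fed from firewall or NetFlow exports rather than an inline string, and the allow-list would be the VPN or jump-host addresses the advisory recommends routing OT access through.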
Operational impact and further resources
Even though these hacktivist attacks are not as technically advanced as state-sponsored campaigns, they are opportunistic, easily replicable, and capable of causing real operational disruption. The combination of DDoS and HMI manipulation shows that even minor intrusions can have significant consequences if internet-facing OT systems are not properly secured. Read the entire advisory on CISA’s website.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com.