Overview
- The NSA, FBI, CISA and more than 20 partners issued a December 9 advisory urging immediate defensive actions across critical infrastructure sectors.
- Investigators say groups including CARR, Z-Pentest, NoName057(16) and Sector16 are abusing internet-exposed VNC remote-access services and weak credentials to reach SCADA and HMI systems, in some cases pairing the intrusions with DDoS attacks.
- Reported incidents have affected water, food and energy operations, leading to loss of operational visibility, altered parameters, disabled alarms, device restarts and costly manual recovery.
- The actors rely on simple, widely available tools, seek publicity and sometimes exaggerate their claims online; even so, some have documented links to Russian state-linked organizations, and their easily copied methods could cause broader harm.
- Recommended steps include reducing OT internet exposure, strengthening asset management and authentication, segmenting networks, updating software and maintaining manual fallback plans, with a call for OT manufacturers to adopt secure-by-design practices.
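The first recommended step, reducing OT internet exposure, can be checked against existing firewall logs before any architecture changes are made. The following is an added example, not code from the advisory or from any of the agencies or vendors it names: it scans constructed key=value firewall log lines for accepted or dropped TCP connections from external addresses to VNC/RFB ports on hosts in an assumed OT subnet, and flags repeated accepted connections from one source as a possible credential-guessing pattern. The log format, the OT subnet, the port range and the sample lines are all assumptions chosen for illustration.

```python
"""Find inbound connections from external IPs to VNC/RFB ports on OT hosts.

Added example for illustration; not code from the advisory. The log format,
field names, OT subnet and sample lines are assumptions.
"""
import ipaddress
import re

# RFB/VNC typically listens on 5900 + display number; 5900-5909 is an assumed range.
VNC_PORTS = range(5900, 5910)

# Assumed OT address space; replace with the real HMI/SCADA subnets.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Addresses treated as internal. Documentation ranges such as 203.0.113.0/24
# are deliberately treated as external here so the constructed sample works;
# ipaddress's is_global would classify them as non-global.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumed firewall log format: one connection per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample lines, not real traffic. Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-12-09T10:01:02Z action=accept src=203.0.113.45:51234 dst=10.20.0.15:5900 proto=tcp
2025-12-09T10:01:05Z action=accept src=203.0.113.45:51240 dst=10.20.0.15:5900 proto=tcp
2025-12-09T10:01:09Z action=accept src=203.0.113.45:51251 dst=10.20.0.15:5900 proto=tcp
2025-12-09T10:02:30Z action=accept src=192.168.5.20:40001 dst=10.20.0.15:5900 proto=tcp
2025-12-09T10:03:11Z action=accept src=198.51.100.9:61000 dst=10.30.1.2:5901 proto=tcp
2025-12-09T10:04:00Z action=drop src=198.51.100.77:33000 dst=10.20.0.40:5901 proto=tcp
2025-12-09T10:05:00Z action=accept src=203.0.113.45:51300 dst=10.20.0.15:443 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_exposed_vnc(lines, ot_networks=OT_NETWORKS, brute_threshold=3):
    """Return findings for external -> OT VNC connections, sorted by (src, dst, port).

    'exposed' means at least one connection was accepted; 'possible_bruteforce'
    means one source reached the same VNC port at least brute_threshold times.
    """
    tally = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in VNC_PORTS:
            continue
        if in_networks(rec["src"], INTERNAL_NETWORKS):
            continue  # internal source: not an internet-exposure finding
        if not in_networks(rec["dst"], ot_networks):
            continue  # destination outside the OT address space under review
        key = (rec["src"], rec["dst"], rec["dport"])
        counts = tally.setdefault(key, {"accepted": 0, "dropped": 0})
        counts["accepted" if rec["action"] == "accept" else "dropped"] += 1

    findings = []
    for (src, dst, dport), c in sorted(tally.items()):
        findings.append({
            "src": src, "dst": dst, "port": dport,
            "accepted": c["accepted"], "dropped": c["dropped"],
            "exposed": c["accepted"] > 0,
            "possible_bruteforce": c["accepted"] >= brute_threshold,
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_vnc(SAMPLE_LOG.splitlines()):
        print(f)
```

Any finding with `exposed` set is a VNC listener on an OT host that the perimeter allowed an external address to reach; that host belongs behind the segmentation and authentication controls the advisory recommends. Dropped-only findings still show external scanning for VNC against OT addresses and are worth retaining as evidence of targeting.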