
The Unseen Threat:
Hunting Pro-Russia Hacktivists Exploiting Exposed OT Controls
Unlike highly sophisticated nation-state attacks, the current wave of activity by pro-Russia hacktivist groups (such as Cyber Army of Russia Reborn (CARR) and Z-Pentest) relies on low-complexity, opportunistic attacks against inadequately secured, internet-exposed Operational Technology (OT) assets. These campaigns prioritize visibility and propaganda over advanced technical capability, yet their targeting of critical infrastructure sectors such as Water, Food and Agriculture, and Energy poses tangible risks to operations.
This type of opportunistic attack is akin to a burglar simply walking through an unlocked front door. While a master thief might meticulously bypass a sophisticated alarm system, these hacktivist groups are merely scanning the entire neighborhood for systems that left the key under the mat; specifically, internet-facing OT control systems secured only by weak or default Virtual Network Computing (VNC) passwords.
For executives and directors, this threat translates directly to operational downtime, safety risks, and significant reputational damage. An attacker who accesses a Human-Machine Interface (HMI) can inhibit response functions, modify control devices, or cause physical harm, leading to regulatory fines and service disruptions. The key risk is not technical genius but a fundamental failure in basic cyber hygiene: exposing mission-critical systems to the public internet. Proactive defense requires shifting focus from chasing complex malware to mastering the fundamentals of access control and network segmentation.
Hunting Controls & Observations
Defensive teams should focus monitoring efforts across OT/IT boundary points and remote access infrastructure to detect hacktivist reconnaissance and intrusion activity:
- Endpoint (EDR/AV): Monitor for VNC client software execution on systems that typically do not require remote access capabilities, particularly when connecting to internal OT network segments.
- Identity/IAM: Track failed and successful authentication attempts against HMI devices, especially password spray patterns showing multiple failed attempts across different accounts from single source IPs.
- Firewall / NetFlow: Alert on inbound connections to ports 5900-5910 (VNC default ports) from external IP addresses, and monitor for connection attempts from known VPS providers and hosting services.
- OT Network Monitoring: Detect unauthorized configuration changes to SCADA systems, including setpoint modifications, alarm suppression commands, and credential changes on HMI devices.
- Windows Security Log: Review Event ID 4624 (successful logon) and 4625 (failed logon) for unusual access patterns to systems hosting HMI applications, particularly from unexpected source addresses.
- DNS Query Logs: Monitor for DNS lookups to known hacktivist infrastructure or Telegram-related domains from OT network segments that should have restricted internet access.
Behavioral Indicators of Attack
Behavioral indicators of pro-Russia hacktivist intrusions include the following observations that defensive teams should actively hunt for in their environments:
- Port scanning activity targeting TCP ports 5900-5910 from external IP addresses, often originating from virtual private server infrastructure.
- Rapid succession of VNC authentication failures followed by a successful connection, indicating password brute-force or spray attacks against HMI devices.
- Configuration changes to HMI systems occurring outside normal business hours or from IP addresses not on approved access lists.
- Modification of operational setpoints, upper/lower parameter limits, or alarm thresholds without corresponding change management tickets.
- Administrative password changes on HMI devices that lock out legitimate operators, creating a "loss of view" condition.
- Alarm suppression or clearing commands issued without corresponding operational justification.
- Device restarts or shutdown commands initiated through remote HMI access rather than local operator intervention.
- Screenshot capture or screen recording activity on systems hosting industrial control interfaces.
MITRE Enterprise ATT&CK Tactics and Techniques
The pro-Russia hacktivist methodology aligns with multiple tactics and techniques documented in the MITRE ATT&CK Framework, spanning both Enterprise and ICS matrices. Understanding this mapping enables security teams to validate detection coverage across the attack lifecycle:
- Reconnaissance (T1595.002 – Active Scanning: Vulnerability Scanning): Threat actors use open-source tools like Nmap and OpenVAS to scan for internet-exposed VNC services on ports 5900-5910.
- Resource Development (T1583.003 – Acquire Infrastructure: Virtual Private Server): Attackers establish temporary VPS infrastructure to obfuscate their origin and execute password brute-force operations.
- Initial Access (T0883 – Internet Accessible Device): Hacktivists gain entry through HMI devices that are improperly exposed to the public internet without adequate access controls.
- Credential Access (T1110.003 – Brute Force: Password Spraying): Attackers rapidly attempt common passwords and known default credentials against VNC-enabled devices.
- Lateral Movement (T0812 – Default Credentials): Threat actors maintain libraries of default passwords for industrial control devices to access legitimate user accounts.
- Lateral Movement (T1021.005 – Remote Services: VNC): Once credentials are obtained, attackers connect via VNC viewer software to interact with compromised HMI devices.
- Execution (T0823 – Graphical User Interface): Hacktivists interact directly with HMI graphical interfaces to manipulate control device settings.
- Inhibit Response Function (T0878 – Alarm Suppression): Attackers clear or disable alarm systems to mask their activity and create operational disruption.
- Inhibit Response Function (T0892 – Change Credential): Threat actors modify HMI usernames and passwords to lock out legitimate operators.
- Impair Process Control (T0836 – Modify Parameter): Hacktivists change upper and lower operational limits on devices through the HMI interface.
- Impact (T0829 – Loss of View): By changing credentials, attackers prevent operators from remotely monitoring and controlling industrial processes.
Controls' Observables
Organizations can observe pro-Russia hacktivist tactics across multiple control points in their security architecture. The following breakdown maps detection opportunities to common security controls deployed in OT environments:
Endpoint Controls
- Process tracing for VNC client executables running on the HMI devices without approved change management documentation.
- Monitoring for changes to registry keys or configuration files associated with remote access services to ensure unauthorized persistence attempts are logged.
- Full PowerShell logging (script block/module) should be enabled on all HMI endpoints to capture any subsequent manipulation scripts.
Network Controls
- Immediate high-priority alerts for any inbound connection attempts to standard VNC ports (5900, 5901) from external, non-trusted IP addresses.
- Anomaly detection on NetFlow to flag unusual communication volume or duration over VNC from an external source.
- Firewall logs must show explicit denials for all inbound connections to the OT network except from known, trusted jump-box hosts.
Identity & Access Controls
- Windows Event ID 4625 (failed logon) accumulation indicates brute-force attempts against HMI host systems.
- Event ID 4624 (successful logon) from unexpected source IPs warrants immediate investigation.
- Event ID 4720 (user account created) and 4724 (password reset) on HMI systems may indicate credential manipulation.
- VPN and remote access logs should correlate authorized sessions against observed HMI access.
Cloud & SaaS
- Cloud-hosted HMI solutions should enable audit logging for all configuration changes and access attempts.
- Azure Activity Log or AWS CloudTrail can capture management plane operations if OT infrastructure extends to cloud.
- SaaS-based SCADA platforms should alert on parameter modifications outside change windows.
Application & Service Logs
- HMI application logs record operator actions, configuration changes, and alarm acknowledgments.
- SCADA historian data can reveal unauthorized setpoint modifications when compared to change management records.
- VNC server logs capture connection attempts, authentication failures, and session durations.
- Web server logs on HMI web interfaces track access attempts and authentication events.
Insights and Recommendations
Organizations that fail to address internet-exposed OT assets face an increasing risk of operational disruption and potential physical damage. While these hacktivist groups currently demonstrate limited technical sophistication, they have proven willing to cause harm and are actively sharing tactics across multiple threat groups. The joint advisory from 26 international agencies underscores the global scale of this threat and the potential for escalation as these groups iterate on their methods.
Critical infrastructure operators should immediately conduct an inventory of internet-facing OT assets, prioritizing the identification of exposed VNC services and HMI devices. Implement network segmentation between IT and OT environments with explicit firewall rules that deny by default. Where remote access is operationally necessary, require VPN connections with multi-factor authentication rather than direct internet exposure. Organizations should also establish monitoring and alerting for VNC port activity and validate that all HMI devices use strong, unique passwords rather than manufacturer defaults.
Sources and Credits
This summary is based on the joint Cybersecurity Advisory "Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure" (AA25-343A) published on December 9, 2025, by the FBI, CISA, NSA, and 26 international partner agencies including the U.S. Department of Energy, Environmental Protection Agency, and cybersecurity agencies from Australia, Canada, the United Kingdom, and multiple European nations.
Threat Hunting IOCs & Queries
This section contains known Indicators of Compromise (IOCs) along with Microsoft Sentinel (KQL) and Splunk queries to detect pro-Russia hacktivist activity targeting OT systems. These queries translate the behavioral indicators described above into actionable detection logic. Note: These queries were created with AI assistance and should be validated in your environment before production deployment.
Known Indicators of Compromise
The following IOCs have been identified from the intelligence and can be used for threat hunting:
- File Hashes:
  No specific file hashes were published in the advisory. Detection should focus on behavioral indicators.
- IP Addresses:
  No specific malicious IPs were published. Monitor for connections from VPS providers and hosting services to VNC ports.
- Domains:
  No specific domains were published. Monitor for Telegram-related traffic from OT network segments.
- Ports of Interest:
  TCP 5900 (VNC default)
  TCP 5901-5910 (VNC alternate ports)
  These ports should not be exposed to the internet for OT systems.
- Threat Actor Groups:
  Cyber Army of Russia Reborn (CARR)
  Z-Pentest
  NoName057(16)
  Sector16
- Tools Used:
  Nmap (port scanning)
  OpenVAS (vulnerability scanning)
  VNC viewer software
  Password brute-force tools
Log Analytics and Splunk Queries
The following queries translate behavioral indicators into actionable detection logic for common SIEM platforms. These queries were developed with AI assistance and should be tested and tuned for your specific environment before production deployment.
Query 1: External VNC Connection Attempts
- Behavior Targeted: Inbound connections to VNC ports from external IP addresses targeting OT systems
- MITRE ATT&CK: T1021.005 (Remote Services: VNC), T0883 (Internet Accessible Device)
- Expected Results: Connection attempts to ports 5900-5910 from non-internal IP ranges
- False Positive Likelihood: Low – VNC ports should not be exposed externally for OT systems
Splunk (SPL)
```Detect external VNC connection attempts to internal systems```
```Tuning: Adjust internal IP ranges to match your environment```
```Time Range: Last 24 hours recommended for initial hunting```
(index=firewall OR index=network)
dest_port>=5900 dest_port<=5910
| where NOT cidrmatch("10.0.0.0/8", src_ip)
AND NOT cidrmatch("172.16.0.0/12", src_ip)
AND NOT cidrmatch("192.168.0.0/16", src_ip)
| stats count by src_ip, dest_ip, dest_port, action
| where count > 5
| sort -count
| table src_ip, dest_ip, dest_port, action, count
Microsoft Defender/Sentinel (KQL)
// Detect external VNC connection attempts to internal systems
// Data Tables: DeviceNetworkEvents, CommonSecurityLog
// Tuning: Adjust internal IP ranges and time window as needed
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort between (5900 .. 5910)
| where not(ipv4_is_private(RemoteIP))
| summarize ConnectionCount = count(),
DistinctDestinations = dcount(LocalIP)
by RemoteIP, RemotePort
| where ConnectionCount > 5
| project RemoteIP, RemotePort, ConnectionCount, DistinctDestinations
| order by ConnectionCount desc
Query 2: VNC Authentication Brute Force Detection
- Behavior Targeted: Password spray and brute-force attacks against VNC-enabled systems
- MITRE ATT&CK: T1110.003 (Brute Force: Password Spraying)
- Expected Results: Multiple failed authentication attempts followed by success from same source
- False Positive Likelihood: Medium – Legitimate users may have occasional authentication failures
Splunk (SPL)
```Detect brute force patterns on HMI host logons - multiple failures then success```
```Note: 4624/4625 are Windows logon audits; VNC servers that keep their own password store do not write them```
```Tuning: Adjust threshold based on normal failure patterns```
```Time Range: Last 4 hours for rapid detection```
(index=windows OR index=auth) sourcetype=WinEventLog:Security
(EventCode=4625 OR EventCode=4624)
| eval auth_result=if(EventCode=4624, "success", "failure")
| stats count(eval(auth_result="failure")) as failures,
count(eval(auth_result="success")) as successes,
values(auth_result) as outcomes
by src_ip, dest, _time span=15m
| where failures > 10 AND successes > 0
| table _time, src_ip, dest, failures, successes
| sort -failures
Microsoft Defender/Sentinel (KQL)
// Detect brute force patterns on HMI host logons - multiple failures then success
// Note: 4624/4625 are Windows logon audits; VNC servers that keep their own password store do not write them
// Data Tables: SecurityEvent
// Tuning: Adjust FailedAttempts threshold for your environment
let FailedLogons = SecurityEvent
| where TimeGenerated > ago(4h)
| where EventID == 4625
| summarize FailedAttempts = count() by IpAddress, Computer, bin(TimeGenerated, 15m);
let SuccessLogons = SecurityEvent
| where TimeGenerated > ago(4h)
| where EventID == 4624
| summarize SuccessfulAttempts = count() by IpAddress, Computer, bin(TimeGenerated, 15m);
FailedLogons
| join kind=inner (SuccessLogons) on IpAddress, Computer, TimeGenerated
| where FailedAttempts > 10 and SuccessfulAttempts > 0
| project TimeGenerated, IpAddress, Computer, FailedAttempts, SuccessfulAttempts
| order by FailedAttempts desc
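The Query 2 logic above counts failures and successes inside the same 15-minute bucket, so it cannot tell whether the success came after the failures. The Python script below is an added example, not part of the advisory or of the queries above: it reads constructed Windows logon events in a hypothetical whitespace-separated format (timestamp, Event ID, source IP, computer), keeps a sliding 15-minute window of 4625 events per source and host, and raises an alert only when a 4624 arrives while more than 10 failures are still inside that window. The threshold and window match the SPL and KQL; the event format and sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10      # same threshold as the Query 2 SPL/KQL ("failures > 10")
WINDOW = timedelta(minutes=15)

# Constructed sample events (hypothetical format, not from the advisory):
# "<ISO timestamp> <EventID> <source IP> <computer>"
SAMPLE_EVENTS = (
    # 12 failures in 12 minutes, then a success: should alert
    [f"2025-12-10T02:{m:02d}:00 4625 203.0.113.7 HMI-PUMP-01" for m in range(12)]
    + ["2025-12-10T02:12:30 4624 203.0.113.7 HMI-PUMP-01"]
    # 3 failures then a success from an operator: below threshold, no alert
    + [f"2025-12-10T09:{m:02d}:00 4625 10.20.30.40 HMI-PUMP-01" for m in range(3)]
    + ["2025-12-10T09:03:10 4624 10.20.30.40 HMI-PUMP-01"]
    # 15 failures, then a success 26 minutes after the last one: window expired, no alert
    + [f"2025-12-10T01:{m:02d}:00 4625 198.51.100.9 HMI-PUMP-02" for m in range(15)]
    + ["2025-12-10T01:40:00 4624 198.51.100.9 HMI-PUMP-02"]
)


def parse_event(line):
    """Split one constructed log line into (timestamp, event_id, source_ip, computer)."""
    ts, event_id, ip, computer = line.split()
    return datetime.fromisoformat(ts), int(event_id), ip, computer


def detect_brute_force_then_success(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts for every 4624 preceded by more than `threshold` 4625s
    from the same source IP to the same computer within `window`."""
    failures = defaultdict(deque)   # (source_ip, computer) -> timestamps of recent failures
    alerts = []
    for ts, event_id, ip, computer in sorted(parse_event(l) for l in lines):
        recent = failures[(ip, computer)]
        # Drop failures that fell out of the sliding window
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and len(recent) > threshold:
            alerts.append({
                "time": ts,
                "src_ip": ip,
                "computer": computer,
                "failures_before_success": len(recent),
            })
            recent.clear()   # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force_then_success(SAMPLE_EVENTS):
        print(alert)
```

Because the window slides per source and host, a burst that straddles a 15-minute boundary is still caught, which the fixed `bin()`/`span=15m` buckets in the queries can miss.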
Query 3: HMI Configuration Change Detection
- Behavior Targeted: Unauthorized modifications to HMI setpoints, alarms, or credentials
- MITRE ATT&CK: T0836 (Modify Parameter), T0878 (Alarm Suppression), T0892 (Change Credential)
- Expected Results: Configuration changes to OT systems outside approved change windows
- False Positive Likelihood: Medium – Requires correlation with change management system
Splunk (SPL)
```Detect HMI/SCADA configuration changes outside business hours```
```Tuning: Adjust time windows and system names for your OT environment```
```Requires: OT system logs indexed in Splunk```
(index=ot_systems OR index=scada)
(action="config_change" OR action="setpoint_modify" OR action="alarm_disable" OR action="password_change")
| eval hour=tonumber(strftime(_time, "%H"))
| where hour < 6 OR hour > 20
| stats count by src_user, dest_system, action, _time
| table _time, src_user, dest_system, action, count
| sort -_time
Microsoft Defender/Sentinel (KQL)
// Detect suspicious account modifications on systems hosting HMI applications
// Data Tables: SecurityEvent
// Tuning: Add specific computer names for your HMI hosts
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4720, 4724, 4738) // Account created, password reset, account changed
| where Computer has_any ("HMI", "SCADA", "PLC", "RTU") // Adjust for your naming convention
| extend HourOfDay = datetime_part("hour", TimeGenerated)
| where HourOfDay < 6 or HourOfDay > 20 // Outside business hours
| project TimeGenerated, Computer, Account, TargetAccount, Activity, IpAddress
| order by TimeGenerated desc
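Query 3's false-positive note says it needs correlation with the change management system, which neither the SPL nor the KQL performs. The Python script below is an added example, not part of the advisory or of the queries above: it applies the same sensitive-action set and business-hours rule to constructed HMI log lines in a hypothetical key=value format, and additionally checks each change against a constructed table of approved change windows per system, reporting every reason a change looks unauthorized. The log format, the change-window table and all sample data are assumptions.

```python
from datetime import datetime

# Same action names the Query 3 SPL filters on
SENSITIVE_ACTIONS = {"config_change", "setpoint_modify", "alarm_disable", "password_change"}
# 06:00-20:59 counts as business hours, matching "hour < 6 OR hour > 20"
BUSINESS_HOURS = range(6, 21)

# Constructed approved change windows (hypothetical): system -> [(start, end), ...]
CHANGE_WINDOWS = {
    "HMI-PUMP-01": [(datetime(2025, 12, 10, 14, 0), datetime(2025, 12, 10, 16, 0))],
}

# Constructed HMI application log lines (hypothetical format, not from the advisory)
SAMPLE_HMI_LOG = [
    "2025-12-10T14:30:00 user=jdoe system=HMI-PUMP-01 action=setpoint_modify",   # inside approved window
    "2025-12-10T10:05:00 user=jdoe system=HMI-PUMP-01 action=alarm_ack",         # not a sensitive action
    "2025-12-10T02:14:00 user=admin system=HMI-PUMP-01 action=password_change",  # off-hours and no window
    "2025-12-10T11:00:00 user=admin system=HMI-PUMP-02 action=alarm_disable",    # business hours, no ticket
    "2025-12-10T15:00:00 user=jdoe system=HMI-PUMP-01 action=config_change",     # inside approved window
]


def parse_hmi_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": fields["user"],
        "system": fields["system"],
        "action": fields["action"],
    }


def in_change_window(system, ts, windows=CHANGE_WINDOWS):
    """True if an approved change window for `system` covers `ts`."""
    return any(start <= ts <= end for start, end in windows.get(system, []))


def find_unauthorized_changes(lines, windows=CHANGE_WINDOWS):
    """Return sensitive HMI changes that are off-hours, lack an approved window, or both."""
    findings = []
    for event in map(parse_hmi_line, lines):
        if event["action"] not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        if event["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not in_change_window(event["system"], event["ts"], windows):
            reasons.append("no approved change window")
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_changes(SAMPLE_HMI_LOG):
        print(finding["ts"], finding["system"], finding["action"], finding["reasons"])
```

The change-window check is what catches the daytime alarm_disable on HMI-PUMP-02, which the hours-only rule in the queries would let through; in a real deployment the window table would be exported from the ticketing system rather than embedded.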
Query 4: VNC Port Scanning Activity
- Behavior Targeted: Reconnaissance scanning for VNC services across network ranges
- MITRE ATT&CK: T1595.002 (Active Scanning: Vulnerability Scanning)
- Expected Results: Single source IP attempting connections to VNC ports across multiple destinations
- False Positive Likelihood: Low – Horizontal scanning is rarely legitimate
Splunk (SPL)
```Detect horizontal scanning for VNC ports```
```Tuning: Adjust destination threshold based on network size```
```Time Range: Last 1 hour for rapid detection```
(index=firewall OR index=network)
dest_port>=5900 dest_port<=5910
| stats dc(dest_ip) as unique_targets,
values(dest_ip) as target_list
by src_ip
| where unique_targets > 10
| table src_ip, unique_targets, target_list
| sort -unique_targets
Microsoft Defender/Sentinel (KQL)
// Detect horizontal scanning for VNC ports
// Data Tables: DeviceNetworkEvents
// Tuning: Adjust UniqueTargets threshold for network size
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort between (5900 .. 5910)
| summarize UniqueTargets = dcount(LocalIP),
TargetList = make_set(LocalIP, 20)
by RemoteIP
| where UniqueTargets > 10
| project RemoteIP, UniqueTargets, TargetList
| order by UniqueTargets desc
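Queries 1 and 4 read the same firewall or NetFlow records (source, destination, port, action) and differ only in how they aggregate: per source/destination pair versus distinct destinations per source. The Python script below is an added example, not part of the advisory or of the queries above: it runs both checks over a constructed firewall log in a hypothetical key=value format, using the same RFC 1918 exclusions, VNC port range and thresholds as the SPL and KQL. The log format and all sample addresses are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

VNC_PORTS = range(5900, 5911)                       # TCP 5900-5910, as in Queries 1 and 4
# Same internal ranges the Query 1 SPL excludes with cidrmatch()
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log (hypothetical format, not from the advisory):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_FW_LOG = (
    # one external host touching 12 different internal hosts on 5900: horizontal scan
    [f"2025-12-10T03:00:{i:02d} src=198.51.100.23 dst=10.10.5.{i} dport=5900 action=deny" for i in range(1, 13)]
    # one external host hammering a single HMI on 5900: repeated external connection
    + [f"2025-12-10T03:15:{i:02d} src=203.0.113.7 dst=10.10.5.21 dport=5900 action=allow" for i in range(8)]
    # internal admin workstation using VNC: excluded by the internal-range check
    + [f"2025-12-10T08:00:{i:02d} src=10.10.1.5 dst=10.10.5.21 dport=5900 action=allow" for i in range(20)]
    # external traffic to a non-VNC port: ignored
    + ["2025-12-10T08:30:00 src=203.0.113.7 dst=10.10.5.21 dport=443 action=allow"]
)


def is_internal(ip):
    """True if `ip` falls in one of the RFC 1918 ranges used by the queries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_fw_line(line):
    """Parse one constructed firewall line into a dict of typed fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": ts,
        "src_ip": fields["src"],
        "dest_ip": fields["dst"],
        "dest_port": int(fields["dport"]),
        "action": fields["action"],
    }


def external_vnc_connections(lines, min_count=5):
    """Query 1 logic: (src, dst, port, action) tuples from non-internal sources
    to VNC ports seen more than `min_count` times, highest count first."""
    counts = Counter()
    for e in map(parse_fw_line, lines):
        if e["dest_port"] in VNC_PORTS and not is_internal(e["src_ip"]):
            counts[(e["src_ip"], e["dest_ip"], e["dest_port"], e["action"])] += 1
    return sorted(((k, c) for k, c in counts.items() if c > min_count), key=lambda kc: -kc[1])


def horizontal_vnc_scans(lines, min_targets=10):
    """Query 4 logic: sources that touched more than `min_targets` distinct
    destinations on VNC ports, with the sorted target list."""
    targets = defaultdict(set)
    for e in map(parse_fw_line, lines):
        if e["dest_port"] in VNC_PORTS:
            targets[e["src_ip"]].add(e["dest_ip"])
    return {src: sorted(t) for src, t in targets.items() if len(t) > min_targets}


if __name__ == "__main__":
    print("external VNC connections:", external_vnc_connections(SAMPLE_FW_LOG))
    print("horizontal VNC scans:", horizontal_vnc_scans(SAMPLE_FW_LOG))
```

Note that the scanner is invisible to the Query 1 check (each destination is hit once, below the count threshold) and the single-target brute forcer is invisible to the Query 4 check (one destination), which is why the two queries are complementary rather than redundant.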
Query 5: Anomalous VNC Session Behavior
- Behavior Targeted: VNC sessions with characteristics of hacktivist activity (screen recording, rapid commands)
- MITRE ATT&CK: T0823 (Graphical User Interface), T0829 (Loss of View)
- Expected Results: VNC sessions from unusual sources or with abnormal duration patterns
- False Positive Likelihood: Medium – Requires baseline of normal VNC usage patterns
Splunk (SPL)
```Detect anomalous VNC session patterns```
```Tuning: Establish baseline of normal session durations and sources```
```Requires: VNC server logs or network session data```
(index=vnc_logs OR index=network)
protocol="vnc" action="session_*"
| transaction src_ip dest_ip startswith="session_start" endswith="session_end"
| eval session_duration_min=duration/60
| where session_duration_min < 5 OR session_duration_min > 120
| stats count by src_ip, dest_ip, session_duration_min
| table src_ip, dest_ip, session_duration_min, count
| sort -count
Microsoft Defender/Sentinel (KQL)
// Detect VNC process execution on non-standard systems
// Data Tables: DeviceProcessEvents
// Tuning: Exclude known VNC administrator workstations
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("vncviewer", "tvnviewer", "ultravnc", "tightvnc", "realvnc")
| where not(DeviceName has_any ("admin-ws", "remote-support")) // Exclude authorized systems
| summarize ExecutionCount = count(),
Devices = make_set(DeviceName)
by AccountName, FileName
| project AccountName, FileName, ExecutionCount, Devices
| order by ExecutionCount desc