Seriously Risky Business Newsletter
December 18, 2025
Srsly Risky Biz: Dumb and Dumber, Russia's State-Backed "Hacktivists"
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. This week's edition is sponsored by Push Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Last week, the US revealed the Russian government had used two state-backed hacktivist groups to carry out disruptive attacks against critical infrastructure worldwide.
The history and activities of the CyberArmyofRussia_Reborn (CARR) and NoName057(16) (NoName) were described in indictments and sanctions announced by the US Department of Justice and Treasury respectively, and in a joint advisory published by CISA.
The US says that CARR was "founded, funded and directed" by Russian military intelligence (the GRU) as an unattributable way of deterring anti-Russia rhetoric. The group was founded in early 2022, shortly after Russia's invasion of Ukraine, started out with DDoS attacks and over time has escalated to attacks on operational technology (OT) systems.
The DoJ does its best to embiggen CARR. It says the group "at times" had more than 100 members, including juveniles, and more than 75,000 followers on its Telegram channel. It also lists some of CARR's higher impact attacks:
CARR's victims included public drinking water systems across several states in the US, resulting in damage to controls and the spilling of hundreds of thousands of gallons of drinking water. CARR also attacked a meat processing facility in Los Angeles in November 2024, spoiling thousands of pounds of meat and triggering an ammonia leak in the facility. CARR has attacked US election infrastructure during US elections, and websites for US nuclear regulatory entities, among other sensitive targets.
At first glance that sounds impressive, but on the scale of the entire US these are inconsequential. That's less than one Olympic-sized pool of water, and the indictment of one of CARR's members, Victoria Dubranova, alleges that the meat processing facility incident resulted in "more than $5,000 in damages".
Other OT hacks include "tampering with the position of car wash components" at a Florida car wash and altering the temperature and chlorination levels of a water fountain in the Netherlands. Not exactly earth-shattering.
Even the Russian GRU seems to have been disappointed. It stopped funding CARR's DDoS efforts, with the group's GRU handler saying "it does not cause any damage" and "if we hit Kyiv with missiles, we won't need DOS [sic]". According to CISA, CARR's administrators "became dissatisfied with the level of support and funding provided by the GRU" and broke off to form a splinter group called Z-Pentest around September last year. Z-Pentest focuses on disruptive OT attacks.
The other Russia-backed group, NoName, focusses on DDoS attacks but is notable for its direct links to the government. It is a covert project of the Center for the Study and Network Monitoring of the Youth Environment (CISM), a technology organisation established by Russian President Vladimir Putin in 2018. CISM employees paid for NoName's infrastructure, developed and customised its proprietary DDoS tool, administered its Telegram channels and selected DDoS targets.
CISA's advisory focuses on the OT hacking of CARR, Z-Pentest and other Russian purported hacktivist groups. To uncharitably summarise it, we'd say these groups are self-aggrandising opportunistic numpties.
Their targeting is opportunistic because rather than focusing on strategically important targets they simply compromise whoever is vulnerable to their standard set of tricks. This methodology is "relatively unsophisticated, inexpensive to execute, and easy to replicate", which results in a broad range of victims across many different sectors.
Once they have access to an OT system, however, there is no standard operating procedure to cause maximum damage. The groups don't have the expertise to understand what they are doing in any particular OT environment, so they try to cause mischief by more or less randomly flicking switches and altering values.
CISA notes dryly that "regardless of outcome", the groups post images and screen recordings and exaggerate the impacts of their hacking.
Of course, just because they don't know what they are doing doesn't mean these hackers won't cause a serious disaster one day. That's the intent, after all. It's probably safe to just keep laughing at them in the medium term though.
The US Government Did a Shamoon. Maybe.
Venezuela's state-run oil company Petroleos de Venezuela (PDVSA) announced on Monday that it had been the victim of a ransomware attack.
Given the current US pressure on the country, and the Coast Guard's seizure of Venezuelan crude oil from a supertanker last week, it is logical to consider the possibility that this is a Cyber Command or CIA operation. PDVSA and the country's oil ministry think so, and have blamed the US for trying to take over Venezuela's oil through "force and piracy".
Previous US cyber operations that targeted Venezuela have been ineffective, at least in part because they weren't accompanied by any real-world actions. If this is a US operation, it makes sense. Oil exports have fallen sharply since the tanker seizure, and disrupting PDVSA would ratchet up the impact.
It's been 13 years since the infamous Shamoon wiper attacks vapourised 30,000 workstations at Saudi Aramco, four months after a similar attack targeting Iranian oil terminals caused serious disruptions.
We're not expecting the Venezuelans to retaliate, though. The country isn't known for its cyber operations prowess, and we think Maduro will do everything in his power to avoid giving Trump an excuse to escalate further.
Like Huawei, but for Electricity
The global push towards renewable energy is heavily dependent on Chinese manufacturers and brings with it an assortment of cyber security and supply-chain risks, according to a trio of reports released over the last month.
In its 2025 annual report to Congress, the US-China Economic and Security Review Commission paints a big-picture view of the why and how of China's drive to dominate the global electricity sector.
The Commission found that China has good reasons for investing heavily in renewable energy and the electrification of its economy, including improving its energy security and meeting environmental goals. Renewables have also received significant state support, which has helped China to become the dominant manufacturer of certain types of power equipment.
A second report, from strategic intelligence firm Strider, assesses US dependency on Chinese-made inverter-based resources (IBRs), devices which include solar inverters and battery storage systems.
Strider found four of the top five inverter exporters are Chinese companies and nearly half of the inverters shipped to the US from China come from "high-risk" vendors. These are defined as vendors that have close ties to the Chinese military, intelligence services or sanctioned organisations.
Strider also reviewed Chinese research publications and found 225 papers, many of them written by PLA-affiliated organisations, that are "highly relevant to potential attacks against the US [electricity] grid".
Buying vital grid infrastructure components from a country that is dreaming up scenarios for attacking your grid in peer-reviewed papers could be seen as somewhat problematic, we agree.
One Chinese company has even pulled the plug on equipment it manufactured. Both reports cite the November 2024 case of Ningbo Deye Technology remotely shutting down solar inverters that had been sold in violation of commercial distribution agreements. This wasn't an act of sabotage, but it certainly highlights the supply chain risks here.
The third and most recent report, co-authored by the consultancy Brattle and OT security firm Dragos, provides more practical advice on how to secure this type of infrastructure, particularly with regard to battery energy storage systems. Their recommendations include cataloging hardware and software bills of materials, building a defensible architecture and improving network visibility.
Of course, the better solution is not to rely on an adversary for your electricity grid equipment. But that kind of dependency won't be unwound any time soon.
Three Reasons to Be Cheerful This Week:
- Microsoft gets pragmatic about security: Microsoft announced that its online bug bounty program will cover any bug affecting its services regardless of whether the code was written by Microsoft or by a third party. It's also rolling out a new Baseline Security Mode that will help admins apply minimum security standards across Microsoft products including Office, SharePoint and Teams.
- Android's in-call scam protection: Google announced it is expanding its Android in-call scam protection feature which has been piloted in the UK. This will warn users if they launch a financial app while screen sharing with a number that is not saved in their contacts. The feature imposes a 30s pause before a user can continue, which Google says helps to "break the spell" of a scammer's social engineering.
- Ransomware payments declined in 2024: The US Treasury's Financial Crimes Enforcement Network (FinCEN) has reported that ransomware payments declined in 2024, down to USD$734 million after 2023's record high of $1.1 billion. That is consistent with reports of declining payment rates, but the best we can hope for is that ransomware has peaked.
Sponsor Section
In this sponsored interview Casey Ellis is joined by Push Security’s Field CTO, Mark Orlando. They chat about the ways that browser-based attacks are evolving and how Push Security is finding and cataloging them.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk to Hamid Kashfi, CEO and founder of DarkCell, about the Iranian cyber espionage scene.
Or watch it on YouTube!
From Risky Bulletin:
African freelancers behind anti-US and anti-French disinfo campaigns: Meta's security team has shut down a disinformation network spreading Russian propaganda across Africa.
The network has been active for more than six months and was run by Russia-based entities, the company said in its quarterly security report [PDF].
The network ran over 65 accounts and 70 pages that mimicked legitimate news outlets and published content critical of France and the US and promoted Russian geopolitical narratives.
Meta says the network consisted of freelancers hired via job-seeking platforms like Upwork. The individuals advertised their services as social media managers or search engine optimization specialists.
[more on Risky Bulletin]
EU has a problem attracting and retaining cyber talent: Public and private critical sector organizations across the EU are having issues attracting and retaining cybersecurity talent.
According to a survey by the EU's cybersecurity agency, candidates don't have the necessary skills or the employers don't have the proper training programs.
Cyber experts who leave companies cite excessive workloads, burnout, and the lack of competitive salaries and bonuses.
[more on Risky Bulletin]
Linux adds PCIe encryption to help secure cloud servers: The Linux kernel is adding support for a new security feature designed to help secure cloud server infrastructure.
Support for PCI Express Link Encryption will roll out with the upcoming release of the Linux kernel, version 6.19.
The new feature was developed jointly by representatives from chipmakers Intel, AMD, and Arm.
[more on Risky Bulletin]