The U.S. has imposed sanctions on two members of the Russian government-aligned hacktivist group known as the Cyber Army of Russia Reborn (CARR).
The group’s leader, Yuliya Pankratova, and its primary hacker, Denis Degtyarenko, are suspected of carrying out cyber operations against U.S. critical infrastructure, according to a statement by the Treasury Department on Friday.
Pankratova, also known by the online alias YUliYA, is a Russian cybercriminal who is accused of overseeing the Cyber Army’s operations and who acted as the group’s spokesperson.
Degtyarenko, who goes by Dena online, was allegedly behind the compromise of a U.S. energy company. In early May 2024, Degtyarenko developed training materials on how to compromise supervisory control and data acquisition (SCADA) systems — which are used in industrial operations — and was possibly looking to distribute the materials to external groups.
As a result of the sanctions, any property in the U.S. belonging to the suspects could be seized, and citizens are forbidden from doing business with them.
Since 2022, the Cyber Army of Russia Reborn has conducted low-impact, unsophisticated distributed denial-of-service (DDoS) attacks in Ukraine and against its allies. In late 2023, the group claimed to have attacked the industrial control systems of multiple U.S. and European critical infrastructure targets.
“Using various unsophisticated techniques, CARR has been responsible for manipulating industrial control system equipment at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe,” the Treasury said.
In January 2024, for example, the group claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas, posting a video of the manipulation of human-machine interfaces at each facility on a public forum. The compromise of the industrial control systems resulted in the loss of tens of thousands of gallons of water.
In addition, CARR compromised the SCADA system of a U.S. energy company, giving the group control over alarms and pumps for tanks.
“Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication,” the Treasury said.
Russia has reportedly been using so-called hacktivists to deflect blame for the Kremlin’s attacks on Ukraine and its allies. However, researchers have previously reported that many Russian hacktivist collectives are affiliated with or directly controlled by well-known Russian state-sponsored groups.
Google-owned Mandiant reported in April that CARR has a close operational relationship with Sandworm.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.