
DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure

U.S. agencies warned critical infrastructure organizations this week of attacks launched by multiple Russian groups backed financially by the country’s government. 

The Cybersecurity and Infrastructure Security Agency (CISA), alongside several other U.S. and international agencies, released an advisory covering the cyberattacks launched by CyberArmyofRussia_Reborn (CARR), NoName057(16) and several related groups.

The advisory covers the tactics the groups have used since 2022 to target the water, energy and food sectors. 

The Justice Department said CARR was responsible for a November 2024 attack on a meat processing facility in Los Angeles that spoiled thousands of pounds of meat and caused an ammonia leak at the facility. 

The group also attacked U.S. election infrastructure during elections, websites for U.S. nuclear regulatory entities and several other sensitive targets. 

On a call with reporters, FBI assistant director for the cyber division Brett Leatherman declined to say how many U.S. organizations have been attacked when asked for figures by Recorded Future News. 

Alongside the advisory, the Justice Department unveiled two indictments charging a member of both groups with attacks on a water and wastewater facility in the U.S. 

Prosecutors said the attacks caused “damage to controls and the spilling of hundreds of thousands of gallons of drinking water.”

The CISA advisory says the groups “target minimally secured, internet-facing virtual network computing connections to infiltrate (or gain access to) operational technology control devices within critical infrastructure systems to execute attacks against critical infrastructure, resulting in varying degrees of impact, including physical damage.”

The authoring agencies admitted that the groups are “conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups.” But the attacks have had varying degrees of impact that included physical effects. 

‘Mom and pop shops’

Much of the activity started in 2022 at the onset of Russia’s invasion of Ukraine, with the GRU supporting the creation of CARR around February or March of 2022. By 2023, the group claimed attacks on a European wastewater treatment facility and two U.S. dairy farms. 

NoName057(16) was started around the same time and primarily targeted governments and companies in North Atlantic Treaty Organization (NATO) member states. 

The two groups eventually joined forces in 2024 to create Z-Pentest — which specializes in operational technology intrusion operations instead of DDoS attacks. The group has frequently posted images and videos on Telegram illustrating their defacement of critical infrastructure tools. 

The advisory said the groups have a “low level” of technical knowledge and frequently misunderstand the processes they aim to disrupt. The group’s actions often result in “haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact.”

CISA provided critical infrastructure organizations with measures they can take to better protect themselves. One key point is that the groups take advantage of internet-facing virtual network computing (VNC) connections that organizations set up for legitimate remote system access. The threat actors “can maliciously use these connections to broadly target numerous platforms and services.”

The groups scan for vulnerable devices on the internet and take a range of actions to either gain access or knock them offline. 

“Attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety. Victim organizations reported that the most common operational impact caused by these threat actors is a temporary loss of view, necessitating manual intervention to manage processes.” 

Leatherman added that they have seen small organizations, municipal critical infrastructure and even “mom and pop shops” attacked by the groups. While some may think they are too small to be targeted by Russian actors, the FBI has seen that the kind of automated scanning used by the groups means anyone with vulnerable infrastructure will be attacked. 

Ties to the Russian state

The indictments released on Tuesday show that CARR and several other groups have deep ties to the Russian state. CARR, which also goes by the name Z-Pentest, was allegedly “founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU),” according to the Justice Department. 

Like many Russian groups, CARR uses Telegram to boast about its attacks on critical infrastructure and often shares videos or photos of its actions. CARR used DDoS attacks to target industrial control facilities – including public drinking water systems across several states in the U.S.

Prosecutors found evidence that at least one GRU officer guided CARR on what they should target. CARR had more than 100 members, including juveniles, according to the DOJ.

NoName057(16), which has a long history of launching DDoS attacks on U.S. critical infrastructure, was allegedly launched by members of Russia’s Center for the Study and Network Monitoring of the Youth Environment (CISM).

CISM was an effort launched by Putin in 2018 with the stated goal of monitoring the “safety of the internet for Russian youth.”

The indictment claims NoName057(16) used a proprietary DDoS tool called DDoSia which relied on network infrastructure created by employees of CISM.

Leatherman and other government officials declined to answer questions about whether the U.S. would take direct action against the Russian government over the groups’ actions.

But the State Department issued a reward of up to $2 million for information on people associated with CARR and a $10 million reward for information on anyone tied to NoName057(16). 

The Treasury Department previously sanctioned two leading CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, in July 2024. 

Earlier this year, U.S. officials worked with 19 countries to take down infrastructure used by NoName057(16). Leatherman told reporters that the operation resulted in the takedown of more than 100 servers, the search of 20 residences and multiple arrests.

All of the actions are part of the FBI’s Operation Red Circus — an ongoing effort to address Russian state-sponsored cyberthreats to U.S. critical infrastructure. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.