The US Department of Justice (DOJ) has unsealed two indictments against Ukrainian national Victoria Dubranova for her alleged role in cyber operations targeting critical infrastructure worldwide in support of Russian state interests.
The cases center on two prominent pro-Russia hacktivist groups, namely Cyber Army of Russia Reborn (CARR) and NoName057(16), that have been linked to damaging cyberattacks across the United States and Europe.
Dubranova, 33, also known by online aliases “Vika,” “Tory,” and “SovaSonya,” was extradited earlier this year and has pleaded not guilty to both indictments. She faces up to 27 years in prison for her involvement with CARR, and an additional 5 years for her role in NoName057(16), with trials set to begin in February and April 2026, respectively.
Hacktivism with physical impact
According to DOJ filings, both CARR and NoName057(16) operate as extensions of Russia's hybrid warfare strategy, leveraging loosely affiliated civilian actors to obscure direct state responsibility. The indictments allege that the Russian government provided both funding and operational guidance to these groups, with CARR receiving direct support from the GRU (Russia's military intelligence agency), while NoName was partly developed and administered by a Kremlin-created IT organization, the Center for the Study and Network Monitoring of the Youth Environment (CISM).
CARR, also known as Z-Pentest in its later iteration, has conducted hundreds of cyberattacks since its emergence in early 2022. Its targets included US drinking water facilities, a Los Angeles-based meat processing plant, where sabotage led to an ammonia leak and food spoilage, and even US election infrastructure and nuclear regulatory websites. The group used distributed denial-of-service (DDoS) attacks and exploited unsecured human-machine interfaces (HMIs) to manipulate industrial control systems (ICS), sometimes causing real-world physical consequences.
CARR had over 100 active participants at its peak and used social media to publicize attacks and promote pro-Russian narratives. Its Telegram channel boasted more than 75,000 followers. Leadership guidance allegedly came from a figure known as “Cyber_1ce_Killer,” believed to be associated with the GRU.
Meanwhile, NoName057(16) built and deployed its own DDoS platform, known as DDoSia, and targeted transportation networks, ports, and financial services. The group operated a Telegram-based volunteer recruitment system, rewarding participants with cryptocurrency for successfully executing attacks and maintaining public leaderboards to gamify participation.
NoName's infrastructure was maintained by CISM personnel, who helped distribute DDoSia and select attack targets. These activities were framed as patriotic efforts to support Russia's geopolitical goals, particularly in relation to the war in Ukraine and opposition to NATO.
Critical infrastructure under fire
In parallel with the DOJ announcement, CISA, the FBI, NSA, EPA, and international partners released a detailed cybersecurity advisory warning about the growing threat of opportunistic attacks from pro-Russia hacktivist groups like CARR and NoName. These groups typically rely on poorly secured virtual network computing (VNC) connections to infiltrate operational technology (OT) environments such as water treatment facilities, dairy farms, and food processing plants.
Though not as technically advanced as state APT groups, the hacktivists have succeeded in causing disruptions by manipulating HMI settings, altering safety parameters, restarting systems, and disabling alarms. The advisory warns that their unsophisticated but persistent tactics, such as brute-force password attacks on publicly exposed ports (commonly VNC on port 5900), can still result in costly downtime, damaged equipment, or public safety risks.
CISA's advisory emphasizes that while many of these actors exaggerate their technical capabilities, their collective actions still pose a credible and growing risk to critical infrastructure worldwide.
The US State Department has announced rewards of up to $10 million for information leading to the identification or location of individuals associated with NoName, and up to $2 million for those linked to CARR.
Leave a Reply