US Warns of VNC Attacks on Critical Infrastructure

With his extensive background in artificial intelligence and blockchain, Dominic Jainy has become a leading voice on the convergence of emerging technology and legacy industrial systems. We sat down with him to discuss the recent joint cybersecurity advisory that casts a spotlight on a disturbing trend: pro-Russia hacktivists targeting the operational technology at the heart of our critical infrastructure. Our conversation explored the evolution of these groups from military-backed units to publicity-seeking disruptors, the tangible, on-the-ground impact of their seemingly low-tech attacks, and the persistent vulnerabilities that leave essential services exposed. We also delved into what effective defense truly looks like in practice and what the future may hold as these threat actors continue to adapt.

The advisory mentions groups like Cyber Army of Russia Reborn evolving from military-backed units to OT-focused hacktivists. Could you describe the typical process they follow, from initial reconnaissance like scanning port 5900 to manipulating HMIs and causing a “loss of view” impact?

It’s a chillingly simple and effective playbook, really. It doesn’t require the sophistication of a state-sponsored APT. It starts with broad, indiscriminate scanning of the internet. They’re looking for a specific digital doorway: port 5900, the default for VNC. Once they get a hit, which is far more common than it should be, they deploy brute-force tools from a rented server to hammer away at the login. They’re betting on human error—default credentials or laughably simple passwords like ‘12345’—and they often win. The moment they’re in, the attacker is staring at the same control screen an operator on the plant floor would see. From there, it’s about creating chaos and getting a trophy. They’ll start manipulating the GUI, maybe changing device names to something provocative, disabling critical alarms, and then they’ll take their screenshots for Telegram. The goal is to cause a “loss of view,” a situation where the legitimate operators are blind and have to scramble to initiate manual overrides, all while the attackers are celebrating their victory online.

These groups often publicize their attacks on platforms like Telegram, sometimes exaggerating the impact. From your experience, what does the real-world operational fallout look like for a victim, such as a U.S. dairy farm or a European wastewater plant, after such an intrusion?

The videos they post on Telegram are for propaganda and recruitment, showing a flickering screen or a changed setting. But the reality on the ground is pure, unfiltered stress. For that dairy farm operator, it’s a sudden, terrifying realization that they’ve lost control over a critical process. For the wastewater plant, it’s an immediate crisis. You’re not just dealing with a digital problem; you’re facing potential operational halts and costly remediation. The immediate fallout is a scramble to isolate the affected systems, which often means shutting things down. Then comes the cost of bringing in experts to reimage the HMI, reprovision all the credentials, and hunt through the network to ensure the attacker isn’t still lurking. Even if no physical damage occurs, the financial sting from downtime and reprogramming fees is very real, and the psychological impact—that sense of violation and the lingering fear of ‘what if’—is immense.

The text highlights a low-tech approach, focusing on weak VNC protections rather than sophisticated exploits. Can you walk us through why these basic internet-facing vulnerabilities persist in critical infrastructure and what a step-by-step audit using tools like Nmap or OpenVAS would reveal to an operator?

This is the million-dollar question, and the answer is rooted in the history of OT itself. These systems were designed for reliability and safety in physically isolated environments, not for the hostile world of the modern internet. There’s a powerful “if it isn’t broken, don’t fix it” culture. An operator running an audit with Nmap would get a shocking wake-up call. The tool would simply scan their public IP addresses and spit back a report. Seeing port 5900 listed as ‘open’ is like finding out you left your front door wide open with a sign on it. An OpenVAS scan would go a step further, identifying the VNC service and flagging it for having weak or default credentials. For an operator who assumed their network was safe, that report is a cold, hard piece of evidence showing that anyone, anywhere, could be just a simple password guess away from their control panel. It’s the moment the theoretical threat becomes frighteningly tangible.

For infrastructure owners, the advisory recommends several key actions, including eliminating internet-exposed OT and enforcing MFA. Beyond these, what does effective IT/OT network segmentation look like in practice, and what are the biggest hurdles organizations face when trying to implement it correctly?

Effective segmentation is about creating a digital fortress with a strictly controlled gate. In practice, it means your corporate IT network—where people check emails and browse the web—should have absolutely no direct line of communication to the sensitive OT network that runs the physical machinery. Any data that needs to pass between them must go through a demilitarized zone, or DMZ, where it is thoroughly inspected. It’s a fundamental shift from a flat, trusting network to a zero-trust architecture. The biggest hurdles are almost always twofold: cost and culture. Retrofitting segmentation into a plant that’s been running for 30 years is a massive, expensive undertaking that requires significant downtime. Culturally, operations teams are inherently resistant to changes that could compromise uptime or add complexity to their workflow. Overcoming that inertia and convincing them that the security risk outweighs the operational inconvenience is the single greatest challenge.

What is your forecast for how these pro-Russia hacktivist alliances and their TTPs will evolve over the next two years, especially concerning their targeting of critical infrastructure in the U.S. and Europe?

I believe we’re seeing the foundation being laid for more coordinated and impactful campaigns. These groups are learning and iterating. While their core TTP of exploiting weak remote access will likely remain—because it’s incredibly effective for the low effort required—I forecast they will become more adept at blending their attacks. We saw a glimpse of this in the April 2025 case, where a DDoS attack was used to create a distraction while the real intrusion into the SCADA system took place. I expect to see more of these multi-faceted attacks. The alliances between groups like CARR, Z-Pentest, and NoName057(16) will solidify, allowing them to share intelligence and pool resources. Their targeting will become more strategic, aiming for maximum psychological impact by hitting highly visible U.S. and European infrastructure during times of heightened geopolitical tension. Their goal isn’t espionage; it’s to create fear and doubt, and they are getting better at it every day.
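A defender-side audit helper in the spirit of the Nmap check and the brute-force pattern described above, added here as an example and not part of the interview or the advisory; the Nmap grepable sample and the VNC log layout (the `src=`/`auth=` fields) are constructed assumptions:

```python
"""Added audit helper: list hosts exposing VNC in Nmap grepable output and flag login-failure bursts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed `nmap -p 22,5900 -oG -` output for RFC 5737 test addresses.
NMAP_GREPABLE = """\
Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///
Host: 203.0.113.6 ()\tPorts: 22/filtered/tcp//ssh///, 5900/closed/tcp//vnc///
"""

def exposed_vnc_hosts(grepable, vnc_ports=(5900,)):
    """Hosts whose 'Ports:' entries (port/state/proto/owner/service/...) list a VNC port open."""
    hosts = []
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) \(.*?\)\s+Ports: (.*)", line)
        if m and any(int(e.split("/")[0]) in vnc_ports and e.split("/")[1] == "open"
                     for e in m.group(2).split(", ")):
            hosts.append(m.group(1))
    return hosts

# Constructed VNC server log lines; the "src=... auth=..." layout is an assumption.
VNC_LOG = """\
2025-01-06T09:10:01 src=198.51.100.7 auth=failed
2025-01-06T09:10:02 src=198.51.100.7 auth=failed
2025-01-06T09:10:03 src=198.51.100.7 auth=failed
2025-01-06T09:10:04 src=198.51.100.7 auth=failed
2025-01-06T09:10:05 src=198.51.100.7 auth=ok
2025-01-06T09:12:00 src=192.0.2.9 auth=failed
"""

def bruteforce_sources(log, threshold=3, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logins inside one sliding time window."""
    failures = defaultdict(list)
    for line in log.splitlines():
        ts, src, outcome = line.split()
        if outcome == "auth=failed":
            failures[src.split("=", 1)[1]].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best  # largest burst of failures seen from this source
    return flagged
```

A host returned by `exposed_vnc_hosts` is the "front door wide open" case from the interview; a source flagged by `bruteforce_sources` whose burst is followed by `auth=ok` is the login-guessing success that should trigger credential rotation and an HMI review.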
