Cyber Army of Russia Reborn Hacktivist Group

Direct Control: CARR could be a directly controlled subunit or cover persona for Sandworm, used to conduct attacks that Russia wants to avoid direct attribution for.

Collaboration: CARR could be a separate, ideologically aligned group that receives tasking, tools, or intelligence from Sandworm.

Loose Affiliation: CARR could be inspired by Sandworm, mimicking their tactics and targeting, but operating independently.

Distributed Denial of Service (DDoS) Attacks: Initially, and still a significant part of their arsenal, CARR utilizes DDoS attacks to overwhelm targeted websites and services, causing disruption and making them unavailable to legitimate users. They have developed their own DDoS tool, reportedly based on the Aura-DDoS code used by Killnet, another pro-Russian hacktivist group. This tool is designed to be multi-platform (Microsoft, Linux, Android) and can reportedly bypass Cloudflare protections. To mitigate such attacks, using the right DDoS protection tools is essential.

Operational Technology (OT) Intrusions: This is the most concerning aspect of CARR's evolution. They have demonstrated the ability to gain access to and manipulate Human-Machine Interfaces (HMIs) – the software used to control physical processes in industrial control systems (ICS). This allows them to directly impact operations at critical infrastructure facilities.

Data Exfiltration and Leakage: CARR has been observed leaking stolen data, often obtained through collaborations with other groups or potentially provided by state-sponsored actors like Sandworm. This stolen information is used for propaganda purposes, to exert pressure on targets, or to embarrass them publicly. Several data breaches have been reported recently, and it's crucial to stay informed about such incidents.

Social Engineering: While not extensively documented, the group likely employs social engineering tactics to gain initial access to target networks. This could involve phishing emails, impersonation, or other methods to trick individuals into providing credentials or installing malware. A common type of attack is spear phishing which has been widely used.

Telegram Usage: CARR heavily relies on Telegram for communication, coordination, recruitment, and propaganda. They use Telegram channels to announce attacks, share stolen data, and disseminate pro-Russian narratives. This reliance on Telegram is common among hacktivist groups, providing a degree of anonymity and a platform for reaching a wide audience.

Vulnerability Exploitation: Although often using unsophisticated techniques, they can get access using known, and public vulnerabilities. Protecting against these exploits requires a robust vulnerability assessments strategy.

Ukraine and Supporting Countries: Initially, the group focused on Ukrainian government websites, critical infrastructure, and media outlets. They have also consistently targeted countries providing military or financial aid to Ukraine, including NATO members.

Critical Infrastructure: This is the most significant aspect of their targeting strategy. CARR has specifically targeted water utilities, hydroelectric facilities, and wastewater treatment plants in the US, Poland, and France. This focus on critical infrastructure is intended to cause disruption, sow fear, and potentially retaliate against countries perceived as adversaries. Securing IoT devices is also important to prevent attacks.

Government Entities: Government websites and networks are frequent targets, likely for both disruption and espionage purposes.

Private Companies: While less frequent, private companies, particularly those involved in critical infrastructure or supporting Ukraine, can also be targeted.

Early 2022 - DDoS Attacks: Focused primarily on DDoS attacks against Ukrainian and allied government websites and online services.

Late 2023 - Texas Water Utilities: Targeted water utilities in Abernathy and Muleshoe, Texas, resulting in a water tank overflow in Muleshoe. CARR posted videos on Telegram showing them manipulating HMIs. Utilities in Abernathy and Hale Center were also impacted.

Late 2023 - Polish Wastewater Treatment Plant: Targeted a wastewater treatment plant in Wydminy, Poland, demonstrating their expansion beyond US targets.

Early 2024 - French Hydroelectric Facility: Claimed to have targeted the Courlon Sur Yonne hydroelectric dam in France. However, it was later determined they had actually accessed a smaller, less significant water mill. This attack coincided with French President Macron's statements about potentially sending troops to Ukraine, suggesting a retaliatory motive.

Ongoing 2024 - Continued Infrastructure attacks: Increasing number of attacks at critical infrastructure.

Network Segmentation: Isolate critical OT networks from IT networks to limit the impact of any potential intrusion. Implement strict access controls and network monitoring to detect and prevent lateral movement.

Vulnerability Management: Regularly scan for and patch vulnerabilities in both IT and OT systems. Prioritize patching of known vulnerabilities that are actively exploited by threat actors. Pay particular attention to remote access vulnerabilities and weak authentication mechanisms.

Multi-Factor Authentication (MFA): Implement MFA for all remote access to critical systems, including OT networks. This adds an extra layer of security and makes it more difficult for attackers to gain access even if they obtain valid credentials.

Security Awareness Training: Train employees, particularly those with access to critical systems, to recognize and avoid phishing attacks and other social engineering tactics. Regularly conduct simulated phishing exercises to test employee awareness.

Intrusion Detection and Prevention Systems (IDPS): Deploy and maintain IDPS on both IT and OT networks to detect and block malicious activity. Configure these systems to monitor for known indicators of compromise (IOCs) associated with CARR and other relevant threat actors.

Endpoint Detection and Response (EDR): Implement EDR solutions on endpoints to detect and respond to malicious activity that may bypass traditional security controls.

Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about the latest TTPs and IOCs associated with CARR and other relevant threat actors. This information can be used to proactively adjust security controls and improve detection capabilities.

Incident Response Plan: Implement, and test an incident response plan.

DDoS Mitigation: Implement DDoS mitigation strategies, such as using a content delivery network (CDN) or specialized DDoS protection services, to protect against volumetric attacks.

Specific OT Security Measures:

Russian Hackers Launch Sophisticated Wi-Fi Attacks, Using Neighbors as a Covert Entry Point

Ukrainian Hackers Destroy Russian Internet Providers Network in Cyberattack

Russian Hackers Target Kazakhstan Diplomatic Files in Strategic Cyber Espionage Campaign

Pro-Russian Hackers Target Italian Government and Airport Websites in Cyberattack

Russian Cyber Attacks on Ukrainian Defense Sector Double in First Half of 2024