Full Report
**Ukrainian National Indicted and Rewards Announced for Co-Conspirators Relating to Destructive Cyberattacks Worldwide**

WASHINGTON — The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other...
Analysis Summary
# Threat Actor: Victoria Eduardovna Dubranova (Associated with CARR and NoName)
## Attribution & Identity
**Identified Individual:** Victoria Eduardovna Dubranova, 33, a Ukrainian national.
**Aliases:** Vika, Tory, SovaSonya.
**Associated Groups:** Indicted for actions supporting both **CyberArmyofRussia_Reborn (CARR)** and **NoName057(16) (NoName)**.
**Association with State Actors:** CARR is described as founded, funded, and directed by the Main Directorate of the General Staff of the Russian Federation (**GRU**). NoName is described as a state-sanctioned project administered in part by an IT organization established by Russian presidential order.
## Activity Summary
Dubranova is charged for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims worldwide in support of Russia’s geopolitical interests. She faces two separate indictments concerning her support for CARR and NoName, respectively. She has pleaded not guilty to both charges.
* **CARR (Cyber Army of Russia Reborn / also known as Z-Pentest):** Claimed responsibility for hundreds of global cyberattacks, primarily focusing on industrial control facilities and DDoS attacks. The group utilized financial support from the Russian government to procure services like DDoS-for-hire.
* **NoName057(16) (NoName):** Reportedly developed its own proprietary Distributed Denial of Service (DDoS) program, aided by state sanctioning.
## Tactics, Techniques & Procedures
- **Distributed Denial of Service (DDoS) Attacks:** Both groups utilized DDoS tactics. CARR specifically used DDoS-for-hire services. NoName developed a proprietary DDoS program.
- **Targeting Industrial Control Systems (ICS):** CARR specifically targeted industrial control facilities.
- **Public Claims of Responsibility:** CARR claimed credit for attacks and often published photos and videos documenting them on Telegram.
## Targeting
- **Sectors:** Critical Infrastructure (including food and water systems), Industrial Control Facilities, U.S. election infrastructure.
- **Geography:** Worldwide, specifically mentioning the United States.
- **Victims:**
  - Public drinking water systems across several U.S. states (resulting in damage to controls and the spilling of hundreds of thousands of gallons of drinking water).
  - A meat processing facility in Los Angeles (November 2024), where the attack caused spoilage and triggered an ammonia leak.
  - Proponents of NATO and U.S. interests abroad.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but NoName possesses a **proprietary DDoS program**.
- **Infrastructure:** CARR leveraged **distributed denial of service-for-hire services**, procured using Russian government financing. No specific C2 infrastructure or IPs were listed in the summary context.
## Implications
The indictments highlight the U.S. strategy to hold accountable individuals acting as **criminal proxies** for Russian state interests, even if they operate under the guise of "hacktivist groups." The targeting of essential services like public drinking water systems demonstrates an intent to cause real-world kinetic and public safety harm to further geopolitical objectives. The involvement of individuals like Dubranova suggests Russian intelligence services (GRU) rely on civilians to obfuscate malicious state-sponsored cyber activity.
## Mitigations
- **Defend Critical Infrastructure:** Employ robust security measures to protect Industrial Control Systems (ICS), especially public water and food processing facilities.
- **Monitor DDoS Activity:** Implement advanced DDoS mitigation strategies to handle both external for-hire attacks and proprietary tools.
- **Supply Chain Risk Management:** Be aware that financial support from adversarial nations may fuel these threat actors' operational capabilities (e.g., purchasing DDoS services).
- **Threat Intelligence Integration:** Track claims of responsibility and communications from known hacktivist groups like CARR and NoName, particularly on platforms like Telegram.