Full Report
Victoria Dubranova faces charges tied to her alleged role in two groups backed by the Russian government. The post "US charges hacker tied to Russian groups that targeted water systems and meat plants" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Victoria Eduardovna Dubranova (Charged Individual)
## Attribution & Identity
**Individual Identified:** Victoria Eduardovna Dubranova, 33, Ukrainian national.
**Associated Groups:** Allegedly worked with two Russian state-sponsored hacking operations:
1. **CyberArmyofRussia_Reborn (CARR):** Allegedly founded and funded by Russia’s Main Directorate of the General Staff of the Armed Forces (GRU).
2. **NoName057(16):** Allegedly emerged from the Center for the Study and Network Monitoring of the Youth Environment (an IT organization established by a Russian presidential order in Oct 2018).
**Motive Drivers:** Advancing Russian geopolitical interests.
## Activity Summary
Dubranova is charged over her alleged role in operations ranging from distributed denial of service (DDoS) attacks to destructive intrusions into industrial control systems, primarily targeting critical infrastructure globally following the escalation of the Russia-Ukraine conflict in 2022.
**CARR Activities:**
* Claimed credit for hundreds of attacks since 2022.
* Attacks resulted in tangible damage to U.S. infrastructure, including damage to control systems at public drinking water facilities causing significant water spills, and an attack on a meat processing facility that spoiled thousands of pounds of meat and triggered an ammonia leak/evacuation (Nov 2024).
* Also targeted U.S. election infrastructure and websites for nuclear regulatory entities.
**NoName057(16) Activities:**
* Conducted over 1,500 attacks between March 2022 and June 2025.
* Targeted Dutch infrastructure during the June 2025 NATO Summit in The Hague.
## Tactics, Techniques & Procedures
Specific TTPs mentioned relate to the operations of the associated groups:
* **Distributed Denial of Service (DDoS):** Primary initial activity for both groups.
* **Intrusions into Industrial Control Systems (ICS):** Evolution of activity, leading to physical damage (e.g., water spillage).
* **Use of Proprietary DDoS Tooling:** NoName057(16) developed **DDoSia** software to recruit global volunteers for attacks.
* **Exploitation of Poor Security Posture:** A joint advisory warned these groups target "minimally secured internet-facing connections to infiltrate operational technology control devices."
* **Low Sophistication Activity:** Described by CISA as "opportunistic, low sophistication, malicious cyber activity across multiple sectors."
* **Group Management/Recruitment (NoName057(16)):** Publishing daily leaderboards on Telegram to rank participants and paying top volunteers in cryptocurrency.
## Targeting
* **Sectors:** Critical Infrastructure (Water Systems, Food Processing/Meat Plants), Government Networks, Financial Institutions, Railways, Ports, U.S. Election Infrastructure, Nuclear Regulatory Entities.
* **Geography:** Worldwide, including the United States and allied nations (specifically mentioned: Ukraine, Estonia, Finland, Lithuania, Norway, Poland, Sweden, Netherlands).
* **Victims:** Public drinking water systems (multiple states), a meat processing facility in Los Angeles, government agencies, and financial institutions in Ukraine and NATO countries.
## Tools & Infrastructure
* **Malware Families Used:** DDoSia (proprietary software used by NoName057(16)).
* **Infrastructure:**
  * CARR maintained a Telegram channel with over 75,000 followers.
  * CARR received financial support from an entity associated with a GRU officer using the moniker "Cyber\_1ice\_Killer."
  * NoName057(16) used Telegram for leaderboards and crypto payments.
## Implications
The charges highlight a coordinated effort by the Russian state (GRU) to leverage cyber operations, including hacktivism, to advance geopolitical aims and disrupt Western critical infrastructure. The explicit targeting of water systems marks a serious progression, as the DOJ relied on specific laws designed to protect water resources to bring the prosecution. The groups' noted reliance on "minimally secured internet-facing connections" points to the key weakness they exploit.
## Mitigations
* **Reduce OT Exposure:** Organizations operating critical infrastructure must reduce the number of operational technology (OT) devices exposed to the public internet.
* **Secure Internet-Facing Connections:** Harden all internet-facing connections, particularly those leading to OT control devices, against opportunistic, low-sophistication attacks.