2025

Written by Tidal Cyber | Dec 23, 2025 4:32:14 PM

This week’s update to the Tidal Cyber -curated “Trending & Emerging Threats” Threat Profile spotlights multiple “pro-Russia” hacktivist groups who, according to a recent government advisory and private threat reporting, have targeted a considerable number of critical infrastructure entities in the U.S. and internationally.

Threats like NoName057(16), Cyber Army of Russia, Sector16, and Z-Pentest are targeting exposed devices to disrupt networks and in some cases even cause physical damage. The opportunistic nature of recent attacks underscores these threats’ relevance to organizations in a wide range of sectors.

12/23/25: Pro-Russia Hacktivists – Spotlight Procedures

PS1031921: Suppress or Clear Alarms via HMI Interface
- Threat actors used HMI interfaces to clear alarms caused by their activity and alarms already present on the system at the time of their intrusion.

Threat-Led Defense commentary: Ensure OT assets use robust authentication procedures, and implement MFA wherever possible; establish an allowlist that permits only authorized device IP or MAC addresses; and enable control system security features that can separate and audit view and control functions.

PS1032027: Implement multi-layered control infrastructure for DDoSia botnet
- The DDoSia tool tied to NoName057(16) operates via a three-tiered control infrastructure. Bots only communicate with Tier 1 systems, whose IPs are distributed via Telegram bots.

Threat-Led Defense commentary: Monitor for control servers exposing only 22/TCP (SSH) and 80/TCP (HTTP), as DDoSia infrastructure typically has minimal public service exposure. Track and block known DDoSia control server IPs, which are often hosted on Virtual Private Servers at providers such as Azea (AEZA-AS), HostVDS (AS56971), and others. (Researchers shared a list of observed control servers on GitHub here.)

View full post