🇷🇺 RU

Cyber Army of Russia Reborn

Also known as: carr, cyber_army_of_russia_reborn, cyberarmyofrussia_reborn, cyberarmyofrussia_reborn1

Cyber Army of Russia Reborn (CARR) is a pro-Russia hacktivist persona/group also referenced as CyberArmyofRussia_Reborn, Z-Pentest, and in some reporting as a fake hacktivist cyber persona. The provided content states that U.S. authorities and indictments assess CARR was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), with likely support from GRU Main Center for Special Technologies unit 74455 in its creation and tooling. The group used the Telegram channel “CyberArmyofRussia_Reborn” beginning in April 2022 to organize operations, claim responsibility, and publish photos and videos, and at times reportedly had more than 100 members and over 75,000 Telegram followers.

CARR initially focused on distributed denial-of-service activity against U.S. and European targets in support of Russia’s geopolitical interests, but later expanded into operational technology and industrial control system intrusions. The content states that CARR and affiliated groups moved beyond low-impact DDoS into OT/IoT reconnaissance and disruptive industrial targeting, particularly against water, energy, food/agriculture, and other critical infrastructure sectors in the United States and Europe. Reported victimology in the content includes public drinking water systems in several U.S. states, a Los Angeles meat processing facility, election infrastructure, nuclear regulatory websites, a European wastewater treatment facility, two U.S. dairy farms, and facilities in Poland and France. The content also states CARR claimed disruptions to water supplies at U.S., Polish, and French facilities, and that video footage verified by Le Monde showed the Cyber Army of Russia accessing the control system of a French water mill in April 2024.

The group’s OT tradecraft in the provided content centers on opportunistic exploitation of minimally secured, internet-facing remote access, especially VNC connections to HMI and sometimes SCADA environments. Reported techniques include scanning exposed VNC services, use of VPS infrastructure, brute forcing passwords, exploiting default, weak, unchanged, or leaked credentials, password spraying, and credential stuffing-like automated login attempts. Once inside, actors reportedly manipulated HMI settings through legitimate interfaces, including changing credentials, parameters, device names, instrument settings, disabling alarms, restarting or shutting down devices, and causing temporary “loss of view,” with some incidents resulting in physical damage. Multiple sources in the content emphasize that CARR often exaggerates operational impact in public claims.

The content also links the CyberArmyofRussia_Reborn persona to GRU-linked disruptive and information operations. In one Mandiant-described incident, victim data from a GRU wiper attack using CADDYWIPER was staged and advertised on Telegram by “CyberArmyofRussia_Reborn,” and Mandiant assessed with high confidence that UNC3810 and the persona coordinated cyber and information operations through forward planning, while the persona exaggerated the success of the attack.

CARR is described as closely collaborating with other pro-Russia hacktivist groups including NoName057(16), Sector16, Dark Engine, Z-Alliance, TwoNet, and the Infrastructure Destruction Squad. The content states that partnerships with CARR led to the formation of the hybrid group Z-Pentest in 2024; other reporting says Z-Pentest was established in September 2024 from members of CARR and NoName057(16), specializing in OT intrusion operations, hack-and-leak activity, and defacement. Sector16 is also described as emerging through collaboration with Z-Pentest and aligned with the same pro-Russia ecosystem.

The content further notes U.S. Treasury sanctions announced on July 19, 2024 against alleged CARR members Yuliya Vladimirovna Pankratova, identified as leader, and Denis Olegovich Degtyarenko, identified as a primary hacker. U.S. indictments announced in 2026 allege support to CARR by Victoria Eduardovna Dubranova. Overall, the provided content characterizes CARR as a Russian state-backed or state-aligned threat actor using a hacktivist cover to conduct DDoS, OT/ICS intrusion, and influence-amplified disruptive operations against Western critical infrastructure in support of Russian strategic objectives.
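
A detection sketch for the VNC credential-guessing pattern described in the profile above, added here as an example and not taken from Mallory or any cited report. The log format, host names, addresses and thresholds are constructed assumptions, and spraying is approximated as one source failing against several HMI hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in an assumed normalized format (not a real VNC server's log).
SAMPLE_LOG = """\
2024-04-02T03:14:01Z host=hmi-01 src=203.0.113.7 result=fail
2024-04-02T03:14:03Z host=hmi-01 src=203.0.113.7 result=fail
2024-04-02T03:14:05Z host=hmi-01 src=203.0.113.7 result=fail
2024-04-02T03:14:07Z host=hmi-01 src=203.0.113.7 result=fail
2024-04-02T03:14:09Z host=hmi-01 src=203.0.113.7 result=ok
2024-04-02T04:00:00Z host=hmi-01 src=198.51.100.23 result=fail
2024-04-02T04:01:00Z host=hmi-02 src=198.51.100.23 result=fail
2024-04-02T04:02:00Z host=hmi-03 src=198.51.100.23 result=fail
2024-04-02T07:30:00Z host=hmi-02 src=192.0.2.10 result=fail
2024-04-02T07:30:20Z host=hmi-02 src=192.0.2.10 result=ok
"""
LINE = re.compile(r"(\S+) host=(\S+) src=(\S+) result=(ok|fail)")
WINDOW = timedelta(minutes=10)  # look-back per source (assumed threshold)
BRUTE_MIN = 4   # failures from one source against one host
SPRAY_MIN = 3   # distinct hosts one source failed against
OK_AFTER = 3    # failures that make a following success suspicious

def parse(text):
    """Return time-ordered (ts, host, src, result) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m[2], m[3], m[4]))
    return sorted(events)

def detect(events):
    """Flag brute force, spraying across hosts, and logins that follow a failure burst."""
    fails, alerts = defaultdict(list), set()
    for ts, host, src, result in events:
        recent = [(t, h) for t, h in fails[src] if ts - t <= WINDOW]
        on_host = sum(h == host for _, h in recent)
        if result == "fail":
            recent.append((ts, host))
            if on_host + 1 >= BRUTE_MIN:
                alerts.add(("brute_force", src, host))
            if len({h for _, h in recent}) >= SPRAY_MIN:
                alerts.add(("password_spray", src, "*"))
        elif on_host >= OK_AFTER:
            alerts.add(("success_after_failures", src, host))
        fails[src] = recent
    return sorted(alerts)
```

Calling detect(parse(SAMPLE_LOG)) returns the alerts as sorted (kind, source, host) tuples. The single mistyped password from 192.0.2.10 followed by a successful login stays below every threshold and raises nothing.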

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Capital Goods
  • Utilities

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic.

6 of 15 tactics, 8 techniques. ×N = number of intelligence reports citing this technique.

TA0042 Resource Development (1 technique)

  • T1587 Develop Capabilities

TA0001 Initial Access (1 technique)

  • T1133 External Remote Services

TA0003 Persistence (1 technique)

  • T1133 External Remote Services

TA0006 Credential Access (1 technique)

  • T1110 Brute Force
  • T1110.003 Password Spraying

TA0008 Lateral Movement (1 technique)

  • T1021 Remote Services

TA0040 Impact (2 techniques)

  • T1485 Data Destruction
  • T1498 Network Denial of Service (×3)