Mallory
🇷🇺 RU

Sector16

Also known as: sector16

Sector16 is a pro-Russia hacktivist group formed in January 2025 through collaboration with Z-Pentest. It is described as a newer, relatively inexperienced operator set that nevertheless gains access through opportunistic methods: stolen credentials, weak authentication controls, password spraying, default or weak credentials, and exploitation of poorly secured, internet-facing remote access to operational technology (OT) environments, particularly VNC access to human-machine interface (HMI) devices.

Sector16 has been publicly identified alongside Cyber Army of Russia Reborn (CARR), Z-Pentest, and NoName057(16) in joint U.S. and international advisories as targeting critical infrastructure organizations worldwide, including the water and wastewater, food and agriculture, energy, and (in some reporting) aviation sectors, as well as government services. Reported impacts include temporary loss of view, operational disruption, remediation costs, and in some cases physical damage, although the group and related actors often exaggerate impacts for publicity.

Sector16 maintains a public Telegram channel where it shares videos, statements, and claims of compromising U.S. energy infrastructure, and it is described as prioritizing hack-and-leak operations for publicity. Reporting states that its messaging aligns with pro-Russia narratives and that members may have received indirect Russian government support in exchange for operations aligned with Russian strategic goals. Known alias: sector16.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy
  • Capital Goods
  • Transportation
  • Telecommunication Services
  • Utilities

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
  • 🇮🇹 Italy

Where they're from

Attributed origin per open-source reporting.

  • RU

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic.

7 of 15 tactics, 12 techniques. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (2 techniques)

  • T1591 Gather Victim Org Information (×2)
  • T1595 Active Scanning
  • T1595.002 Vulnerability Scanning (×2)

TA0042 Resource Development (1 technique)

  • T1583 Acquire Infrastructure
  • T1583.003 Virtual Private Server (×2)

TA0001 Initial Access (1 technique)

  • T1133 External Remote Services

TA0003 Persistence (1 technique)

  • T1133 External Remote Services

TA0006 Credential Access (1 technique)

  • T1110 Brute Force
  • T1110.003 Password Spraying (×3)

TA0008 Lateral Movement (1 technique)

  • T1021 Remote Services
  • T1021.005 VNC (×3)

TA0040 Impact (1 technique)

  • T1491 Defacement