A Ukrainian woman accused of hacking US public drinking water systems and a meat processing facility on behalf of Kremlin-backed cyber groups was extradited to the US earlier this year and will stand trial in early 2026.
Late Tuesday, the US Justice Department announced charges against Victoria Eduardovna Dubranova, 33, who the feds say was involved in two pro-Russia hacktivist groups, CyberArmyofRussia_Reborn (CARR) and NoName057(16). She has pleaded not guilty and is scheduled to begin trial in the NoName matter on February 3, and in the CARR matter on April 7.
Dubranova is a “pro-Russian hacktivist and administrator linked to malicious cyber attacks directed by the Russian GRU and the Russian presidential administration,” FBI cyber division assistant director Brett Leatherman told reporters on Thursday.
CARR, whose victims include public drinking water systems across several US states and a meat processing facility in Los Angeles, is known for hacking industrial control systems and conducting distributed-denial-of-service attacks (DDoS) against critical infrastructure websites.
CARR’s ties to Russia’s GRU
In the case of the LA meat processor attack in November 2024, the digital intrusion caused thousands of pounds of meat to spoil and triggered an ammonia leak in the facility, and caused more than $5,000 in damages, according to court documents [PDF]. US officials said the public drinking water system intrusions damaged controls and spilled “hundreds of thousands of gallons of drinking water.”
The hacktivist crew has bragged about DDoSing hundreds of victims worldwide, and the US government has blamed CARR for attacking election infrastructure and websites for US nuclear regulatory entities.
An individual using the monikers “Cyber_1ce_Killer,” and “Commander,” who is allegedly associated with at least one Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) officer, is also charged in the indictment.
“Defendants and co-conspirators believed that defendant CYBER_ICE was at all relevant times a Russian government agent and the defendant worked for the Federal Security Service of the Russian Federation (FSB),” the court documents say.
According to the feds, the GRU financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services.
The CARR indictment charges Dubranova with one count of conspiracy to damage protected computers and tamper with public water systems, one count of damaging protected computers, one count of access device fraud, and one count of aggravated identity theft.
If convicted of these charges, Dubranova would face a statutory maximum penalty of 27 years in federal prison.
The US previously sanctioned two other CARR members.
NoName, another DDoS nuisance
NoName’s victims included government agencies, financial institutions, and critical infrastructure, including public railways and ports, according to the indictment [PDF].
Prosecutors say this crew recruited volunteers from around the world to download DDoSia, its proprietary tool for network-traffic-flooding attacks, and used their computers to DDoS victims. NoName also allegedly published a daily leaderboard on its Telegram channel ranking volunteers by number of attacks, and paid top participants in cryptocurrency.
Over the summer, the international cops shut down more than 100 servers used by NoName057(16) as part of the Europol-led Operation Eastwood.
The NoName indictment charges Dubranova with one count of conspiracy to damage protected computers. If convicted of this charge, Dubranova would face a statutory maximum penalty of five years in federal prison.
The single most important thing people can do to protect themselves is to reduce the number of OT devices exposed to the public-facing internet
“While these attacks may be relatively unsophisticated, they pose real risk to our water systems, food supply and energy sectors,” Leatherman said on Thursday. “Both hacktivist groups have direct ties to the Russian government, and recruit members worldwide to facilitate attacks that further Russian geopolitical goals.”
Today’s indictment, according to Google, confirms its threat hunters’ earlier assessment of ties between CARR and the GRU.
“CARR carried out cyberattacks on US and European critical infrastructure but hid behind this false persona,” John Hultquist, chief analyst at Google Threat Intelligence Group, told The Register.
“The GRU is increasingly leaning into willing accomplices to hide their own hand in destabilizing physical and cyber attacks in Europe and the US,” he said. “It’s important that we never take an adversary’s word for it when they tell us who they are. They frequently lie.”
In addition to announcing the charges against Dubranova and co-conspirators, the US State Department offered potential rewards of up to $2 million for information on individuals associated with CARR and up to $10 million for information on individuals associated with NoName.
Plus, several US government agencies – including the FBI, National Security Agency, Department of Energy, Environmental Protection Agency, and the US Cybersecurity and Infrastructure Agency (CISA) – along with more than 20 international partners, issued guidance for operational technology (OT) owners and operators on how to secure their critical networks against attacks by these and other pro-Russian hacktivist groups.
“The single most important thing people can do to protect themselves is to reduce the number of OT devices exposed to the public-facing internet,” CISA’s Chris Butera told reporters.
These attacks tend to be opportunistic, with hacktivist crews scanning VPNs and remote-access tools connected to OT devices, he added.
“This broad, indiscriminate approach has been used across multiple sectors, from water treatment facilities to oil well systems, often using easily repeatable and unsophisticated methods,” Butera said. “The cumulative impact of this malicious cyber activity poses a persistent and disruptive threat to essential services.”
It also means even small utilities and providers are at risk.
“We see small organizations – whether they’re municipal, critical infrastructure or just small mom and pop shops – that operate through a security mindset where ‘we’re too small to be targeted by foreign actors,'” Leatherman said. “But in today’s environment, automated scanning provides a very effective way of identifying vulnerable infrastructure.” ®