Pro-Russia infrastructure attacks in 2022–2025 have revealed a distinct evolution: a widening ecosystem that mixes low-cost, high-volume hacktivism with criminal proxies and periodic state-linked sabotage. The result is a threat picture that is geographically dispersed, tactically diverse, and unpredictable in its impacts. This is not a single monolithic campaign. It is an ecosystem where ideology, profit, and plausible deniability intersect to put critical systems at risk.
At the tactical level we are seeing two persistent modalities. The first is commodity disruption: distributed denial of service campaigns, automated “crowd-sourced” toolkits, and defacements used to produce media effects and political signaling. The July 2025 Operation Eastwood disruption of the NoName057(16) botnet demonstrated how scalable, low-skill DDoS operations can be organized through Telegram channels and automated tooling, and how law enforcement takedowns can blunt but not permanently end that capacity.
The second modality is opportunistic intrusion against operational technology. Public guidance from US and allied agencies in 2024 flagged a trend of pro-Russia actors reaching internet-exposed OT interfaces, typically human-machine interfaces (HMIs) reachable over VNC with default or weak passwords, and using that access to change setpoints or disable alarms on industrial devices. These intrusions employ unsophisticated techniques, yet they carry an outsized risk because a misconfigured OT system can translate a careless value change into a physical effect. The recommended mitigations reflect that reality: reduce internet exposure of OT, require strong authentication, and enforce setpoint limits so that neither an operator nor an intruder can push a process outside its safe envelope.
Two structural dynamics explain why this threat has become global. First, the commodification and gamification of attack tooling lowers the bar for participation. Investigations into DDoS campaigns have shown multi-tier infrastructures, short-lived command and control nodes, and recruitment models that reward volunteers with leaderboards and crypto payouts. That model scales attacks quickly and distributes risk across many participants, complicating attribution and enforcement.
Second, there is an increasing overlap between organized crime, hacktivist communities, and state-directed objectives. Europol’s 2025 threat assessment documented how criminal networks and hostile state actors can form pragmatic partnerships to perform destabilizing activities ranging from cyberattacks to physical sabotage. This proxying allows states to pursue coercive effects while limiting direct exposure. The blurring of these roles makes tidy categories like “state” or “criminal” less useful for defenders.
Historical precedent underscores the stakes. High-impact, state-attributed sabotage operations such as NotPetya showed how malware deployed against one country’s infrastructure can cascade into global economic damage. That event remains a reference point for the risk that destructive cyber operations pose beyond their immediate geographic target.
Geographically, attacks have concentrated on Europe and NATO-aligned states because of their political support for Ukraine. However, the technical patterns are not region specific. Energy, maritime logistics, ports, food and agriculture, and water and wastewater systems are repeatedly named as high-risk sectors because they combine legacy OT, remote-access exposure, and insufficient segmentation. The threat can appear anywhere a legacy control system is reachable from the internet or accessible via weakly protected remote access.
What defenders must accept is that many of these actors are opportunistic and unsophisticated, yet capable of causing disproportionate harm through ignorance or misuse of OT. Their lack of operational discipline increases the chance of collateral damage, making broad preparedness essential. Defensive approaches that rely on attribution or narrow pursuit of “sophisticated APTs” will miss the daily churn of low-skill intrusions that produce outages and safety hazards.
Practical priorities for 2026 and beyond
1) Treat OT exposure as a first-order problem. System owners must assume any publicly reachable VNC, RDP, or similar interface is a likely compromise vector and act accordingly: remove direct internet access and put remote access behind a VPN or jump host with multifactor authentication, patch or isolate legacy devices, and implement setpoint constraints in the controller itself that bound actuator ranges regardless of what an HMI session asks for.
2) Normalize segmentation and cross-domain guardrails. Network segmentation, data diodes where appropriate, and strict change control for HMIs and PLCs reduce the blast radius when incidents occur. Incident playbooks must include OT-specific containment steps, not just IT-centric responses.
3) Expand detection beyond signatures. Crowd-sourced tools and short-lived C2 infrastructures mean traditional indicators of compromise will age quickly. Behavioral detection that looks for anomalous control commands, unusual HMI interactions, or sudden configuration changes in OT telemetry offers more durable coverage.
4) Harden the recruitment surface. Platforms that gamify participation, public code repositories that host attack tooling, and payment rails that reward volunteers are all attack enablers. Public-private disruption campaigns that focus on takedowns, content removal, and tracing financial flows will reduce adversary scale over time. The Operation Eastwood takedown is a model of coordinated law enforcement intervention, but it must be paired with persistent disruption strategies.
5) Invest in resilient design and redundancy. Accept that some exposures cannot be eradicated quickly. Designing systems to fail safe, maintaining manual fallback procedures, and rehearsing continuity plans for prolonged incidents will limit physical harm.
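The behavioral detection in priority 3 and the setpoint constraints in priority 1 are easier to reason about with a concrete check. The following is an added example, not code from the original article or from any agency guidance it cites. It runs three behavioral rules over a constructed PLC/HMI write audit log: setpoint writes outside a configured safe range, any write or configuration change from a host that is not an allowlisted engineering workstation, and a burst of configuration changes from one source inside a short window. The log format, tag names, safe ranges, allowlist, and thresholds are all assumptions made for the example.

```python
"""Behavioral checks over OT write telemetry (added example, not from the article).

Assumed log format (constructed for this example, one event per line):
  <ISO timestamp> src=<host> user=<name> tag=<tag> op=<write|cfg> value=<float>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: two routine operator writes from an engineering
# workstation, then a remote session changes setpoints and configuration.
SAMPLE_LOG = """\
2025-07-16T02:10:01Z src=eng-ws-01 user=operator tag=PUMP1.SPEED_SP op=write value=1450
2025-07-16T02:10:04Z src=eng-ws-01 user=operator tag=TANK2.LEVEL_SP op=write value=72
2025-07-16T02:41:17Z src=10.13.7.200 user=admin tag=PUMP1.SPEED_SP op=write value=3000
2025-07-16T02:41:19Z src=10.13.7.200 user=admin tag=TANK2.LEVEL_SP op=write value=98
2025-07-16T02:41:20Z src=10.13.7.200 user=admin tag=TANK2.LEVEL_SP op=cfg value=0
2025-07-16T02:41:21Z src=10.13.7.200 user=admin tag=PUMP1.SPEED_SP op=cfg value=0
2025-07-16T02:41:22Z src=10.13.7.200 user=admin tag=CHEM.DOSE_SP op=cfg value=0
"""

# Assumed safe envelopes per tag (min, max); in production these mirror the
# limits enforced in the PLC logic, so a violation here means the controller
# limit is missing or was bypassed.
SAFE_RANGES = {
    "PUMP1.SPEED_SP": (0.0, 1800.0),
    "TANK2.LEVEL_SP": (10.0, 85.0),
    "CHEM.DOSE_SP": (0.0, 5.0),
}
ALLOWED_SOURCES = {"eng-ws-01", "eng-ws-02"}  # assumed engineering workstations
CFG_BURST_COUNT = 3                            # assumed threshold
CFG_BURST_WINDOW = timedelta(seconds=60)       # assumed window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) tag=(?P<tag>\S+) "
    r"op=(?P<op>write|cfg) value=(?P<value>-?[\d.]+)$"
)


@dataclass
class WriteEvent:
    ts: datetime
    src: str
    user: str
    tag: str
    op: str
    value: float


def parse_line(line):
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return WriteEvent(
        datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        m["src"], m["user"], m["tag"], m["op"], float(m["value"]),
    )


def analyze(log_text):
    """Return a list of (timestamp, rule, detail) alerts in log order."""
    alerts = []
    cfg_history = defaultdict(deque)  # src -> timestamps of recent cfg ops
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # Rule 1: any control-plane action from a non-allowlisted host.
        if ev.src not in ALLOWED_SOURCES:
            alerts.append((ev.ts, "UNTRUSTED_SOURCE",
                           f"{ev.op} to {ev.tag} from {ev.src} as {ev.user}"))
        # Rule 2: setpoint write outside the tag's safe envelope.
        if ev.op == "write" and ev.tag in SAFE_RANGES:
            lo, hi = SAFE_RANGES[ev.tag]
            if not lo <= ev.value <= hi:
                alerts.append((ev.ts, "SAFE_RANGE_VIOLATION",
                               f"{ev.tag}={ev.value} outside [{lo}, {hi}]"))
        # Rule 3: burst of configuration changes from one source.
        if ev.op == "cfg":
            hist = cfg_history[ev.src]
            hist.append(ev.ts)
            while hist and ev.ts - hist[0] > CFG_BURST_WINDOW:
                hist.popleft()
            if len(hist) >= CFG_BURST_COUNT:
                alerts.append((ev.ts, "CFG_BURST",
                               f"{len(hist)} config changes from {ev.src} "
                               f"within {CFG_BURST_WINDOW.seconds}s"))
                hist.clear()  # fire once per burst
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'UNTRUSTED_SOURCE': 5, ...}."""
    counts = defaultdict(int)
    for _, rule, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```

The point of the three rules is that none of them depends on a signature or an attacker-controlled indicator: a source allowlist, a per-tag safe envelope, and a rate on configuration changes describe what the process is supposed to do, so they keep working after the attacker's VNC client, IP address, or Telegram-distributed toolkit changes. On the sample, the two operator writes produce nothing, while the remote session trips the source rule on every line, the range rule on both setpoint writes, and the burst rule on the third configuration change.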
Policy and international responses
Law enforcement actions and coordinated international advisories demonstrate that whole-of-society responses are possible. But the shift toward hybridized proxies and criminal-state convergence calls for policy measures that go beyond sanctions and takedowns. We need sustained investments in supply chain hygiene, mandatory OT cybersecurity baselines, and mechanisms for cross-border evidence sharing that are faster and less politicized. Europol’s 2025 assessment argues for precisely this kind of coordinated posture, noting that the crime landscape is accelerating through AI and platformized abuse.
Looking ahead
Expect continued ambiguity. Attackers will keep exploiting low-hanging technical weaknesses because the yield is high and the cost of being attributed is low. Meanwhile, economic and political incentives mean some states and criminal networks will continue to weaponize these low-cost tactics as part of a broader hybrid toolbox. Defenders must shrink the set of easy wins for attackers by eliminating exposed OT interfaces, raising basic hygiene across supply chains, and scaling detection that focuses on control-plane behavior rather than chasing fleeting indicators.
The good news is that the primary mitigations are not exotic. They are discipline, segmentation, and engineering choices that limit the ability to cause physical harm. The uncomfortable truth for infrastructure operators is that resilience begins with reducing internet-exposed attack surfaces and planning for the day a low-skill actor produces a high-consequence outcome. If defenders prioritize those fundamentals now, the global reach of pro-Russia infrastructure attacks will be difficult to sustain at scale.