Full Report
Palencia man suspected of links to CARR, Z-Pentest, and NoName057(16), plus helping a Ukrainian hacker flee to Russia
Analysis Summary
# Threat Actor: Unidentified Palencia Associate (Linked to CARR)
## Attribution & Identity
* **Identity:** An unidentified male resident of Palencia, Spain.
* **Aliases:** None officially disclosed in the report; associated with individuals linked to GRIZZLY STEPPE/Sandworm.
* **Known Associations:**
* **CyberArmy of Russia Reborn (CARR):** Direct logistical support and member coordination.
* **Z-Pentest:** Suspected affiliation.
* **NoName057(16):** Suspected execution of attacks on their behalf.
* **Russian GRU (Unit 74455):** Linked via CARR’s suspected role as a front for Russian military intelligence.
## Activity Summary
The subject was arrested in March (coordinated with an FBI tip-off from August 2025) for providing "logistical and support cover" to help a high-value Ukrainian hacker—a member of CARR—flee to Russia via Poland and Belarus. Beyond logistics, the individual is accused of coordinating operations between different pro-Russia hacktivist outfits and managing cryptocurrency assets derived from cybercriminal activities.
## Tactics, Techniques & Procedures
* **DDoS (Distributed Denial of Service):** Primary method for overwhelming essential services and public/private websites.
* **SCADA/ICS Compromise:** Direct manipulation of Human-Machine Interfaces (HMIs) to control industrial pumps and alarms.
* **Logistical Support:** Facilitating the physical exfiltration of threat actors across international borders.
* **Financial Management:** Use of cryptocurrency storage devices to manage and hide proceeds from cyber operations.
* **Collaborative Hacktivism:** Acting as a liaison between distinct groups to synchronize targeting during the "Operation Red Circus" period.
## Targeting
* **Sectors:** Critical National Infrastructure (CNI), specifically Water and Wastewater, Energy (Hydroelectric/Supply), Agriculture (Food processing), and Government services.
* **Geography:** Spain, United Kingdom, United States, and NATO member states.
* **Victims:**
* US and European water facilities.
* A US energy company (SCADA system access).
* A Los Angeles meat processing facility (leading to physical spoilage and chemical leaks).
## Tools & Infrastructure
* **Industrial Control Systems (ICS) Exploitation:** Targeting of HMIs and SCADA systems.
* **Cryptocurrency:** Use of digital wallets and hardware storage for laundering or operational funding.
* **Operational Infrastructure:** Use of encrypted communications for coordinating with CARR leadership, including Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko.
## Implications
This arrest highlights the narrowing gap between "hacktivist" activities and state-sponsored military operations (GRU). The subject’s role as a logistical "fixer" in a Western country demonstrates that pro-Russia groups maintain physical and financial support networks within the EU and NATO borders. The transition from simple DDoS to targeting SCADA systems indicates an increased risk of kinetic impact (e.g., ammonia leaks, water supply disruption) under the guise of hacktivism.
## Mitigations
* **ICS/SCADA Hardening:** Isolate Human-Machine Interfaces (HMIs) from the public internet and implement multi-factor authentication (MFA) for all remote access points.
* **DDoS Protection:** Implement robust rate-limiting and utilize content delivery networks (CDNs) to absorb high-volume traffic typical of NoName057(16).
* **Geopolitical Threat Monitoring:** Organizations in NATO countries should monitor for heightened "Red Circus" activity, especially during periods of geopolitical tension.
* **Network Segmentation:** Ensure that IT networks are strictly partitioned from Operational Technology (OT) networks to prevent lateral movement from web servers to critical control systems.