
US charges Ukrainian for pro-Russia critical infrastructure attacks


The U.S. Justice Department on Dec. 9 announced that it had extradited a Ukrainian national and released two indictments against that individual for participating in dozens of attacks on critical infrastructure worldwide.

The cyber incidents on critical infrastructure included an April 2024 attack on a U.S. water treatment facility in Muleshoe, Texas, and a November 2024 attack on a Los Angeles meat processing plant.

The extradition and indictments against Victoria Dubranova, 33, were released Dec. 9, but the Justice Department said the extradition took place earlier this year.

Dubranova pleaded not guilty to the two indictments at a Dec. 9 arraignment in U.S. District Court in Los Angeles.

“This is not a norm for us … to be able to obtain pro-Russian hacktivists and then have them successfully extradited to the United States,” said Brett Leatherman, assistant director of the FBI’s Cyber Division, in a statement to CNN.




John Bambenek, president at Bambenek Consulting, said it’s exceptionally rare that a cybercriminal is actually brought to the United States for trial. It’s even more exceptional when it’s someone who appears to have nation-state backing, he added.

“This is a rare case of consequences for these types of actions that, unfortunately, are the exception and not the rule,” said Bambenek. “The attacks on critical infrastructure systems demonstrate how much more work we have left to do to shore up the safety of these organizations in which one indictment won’t do enough to protect.”

John Carberry, solution sleuth at Xcape Inc., added that this Justice Department action feels significant because it involves an actual person facing charges, not just a listed name. Carberry said extraditions usually happen when European countries have a solid basis for arrest (matching IDs, travel records, or local charges) and the case is prepared for legal assistance.

“This suggests unusually close international cooperation,” said Carberry.



One indictment was for Dubranova’s alleged activities around the Cyber Army of Russia_Reborn (CARR), a group U.S. officials have linked to Russia-backed attacks on Ukraine and Western critical infrastructure, including alleged compromises of water, energy, and industrial control systems, with previous U.S. Treasury/State sanctions already targeting their leaders, said Carberry.

The other indictment was for Dubranova’s alleged activities with NoName057(16), part of the same pro-Kremlin network, famous for large-scale DDoS attacks against Ukraine’s allies. NoName was recently targeted in a multinational law enforcement operation, so Carberry said these indictments are part of a wider pressure campaign.

“The key takeaway isn't that one arrest dismantles two groups, but that consistent arrests, takedowns, and rewards increase the risks for ‘state-sponsored’ hackers by making them personally liable,” said Carberry. “The indictment, including charges under laws protecting water systems, shows the U.S.'s dedication to holding individuals responsible for cyberattacks backed by foreign governments.”

John Hultquist, chief analyst at the Google Threat Intelligence Group (GTIG), said DOJ has confirmed GTIG’s earlier assessment of ties between hacktivist front CARR and Russia’s military intelligence service, the GRU.

Hultquist said GTIG believes that CARR is linked to the GRU group best known as "Sandworm," which carried out cyberattacks on U.S. and European critical infrastructure, but hid behind this false persona.

“The GRU is increasingly leaning into willing accomplices to hide their own hand in destabilizing physical and cyberattacks in Europe and the U.S.,” said Hultquist. “It’s important that we never take an adversary’s word for it when they tell us who they are. They frequently lie.”

According to the indictment, CARR — also known as Z-Pentest — was founded, funded, and directed by the GRU. The Justice Department said CARR claimed credit for hundreds of cyberattacks against victims worldwide, including attacks against critical infrastructure in the United States in support of Russia’s geopolitical interests.

The law enforcement takedown against NoName is part of Operation Red Circus, and has been executed in coordination with a Europol operation, Operation Eastwood, aimed at disrupting NoName. As part of the ongoing operations, law enforcement in 19 countries worked with the FBI to disrupt more than 100 servers around the world, including virtual servers hosted in the United States, in July 2025.
