People’s Cyber Army of Russia |
| Cyber Army of Russia
Cyber Army of Russia Reborn CARR
|
| |
| |
| |
| |
| |
Overview
The People’s Cyber Army of Russia (PCAR), also known as the Cyber Army of Russia Reborn (CARR), is a pro-Russian hacktivist group that has gained notoriety for orchestrating disruptive cyber campaigns across geopolitical adversaries. Emerging in March 2022 in the wake of Russia’s invasion of Ukraine, PCAR has positioned itself as a prominent player in Russia’s cyber ecosystem, executing large-scale Distributed Denial of Service (DDoS) attacks and targeting critical infrastructure worldwide. The group is closely affiliated with Russia’s military intelligence service, specifically the GRU-linked Sandworm group, amplifying its operational capabilities and strategic reach. Its activities demonstrate a blend of patriotism, state-sponsored motivations, and cybercriminal expertise, making it a formidable cyber actor.
PCAR primarily focuses on targeting Ukraine and its allies, including the United States and European nations, with an emphasis on critical infrastructure sectors. Their attacks have extended beyond conventional DDoS campaigns, including compromises of Supervisory Control and Data Acquisition (
SCADA) systems—essential for managing industrial processes—affecting water utilities and energy infrastructure in the United States, Poland, and France. These attacks highlight the group’s ability to disrupt essential services, creating both operational challenges and public safety concerns for targeted organizations. The group’s recent inclusion in sanctions imposed by the U.S. State Department underscores the severity of its operations and the growing threat it poses to international cybersecurity.
Common targets
- Information
- Public Administration
- Retail Trade
- France
- Ukraine
- Estonia
- Georgia
- Azerbaijan
Attack Vectors
Web Browsing
Software Vulnerabilities
How they operate
PCAR’s technical operations are largely centered on the execution of large-scale DDoS attacks. These attacks aim to overwhelm servers and networks by flooding them with illegitimate traffic, rendering websites and services inaccessible. The group frequently utilizes a distributed botnet infrastructure, often leveraging compromised IoT devices and servers. By employing tools like HTTP flooders, UDP amplifiers, and Layer 7 DDoS methods, PCAR can bypass basic mitigation measures and sustain prolonged outages. For example, during the #FreeDurov campaign, the group coordinated attacks across multiple targets in France, overwhelming services such as government websites, educational platforms, and private sector entities. These attacks are often accompanied by public disclosures on PCAR’s Telegram channels, amplifying their impact by showcasing technical success and fueling psychological disruption.
In addition to DDoS campaigns, PCAR demonstrates the ability to target SCADA systems—critical for managing industrial operations such as water utilities, power grids, and transportation networks. Leveraging vulnerabilities in outdated systems and exploiting weak access controls, PCAR has successfully compromised industrial control systems in the United States, Poland, and France. These attacks indicate a deep understanding of SCADA protocols, as well as the ability to manipulate and disrupt operational technology (OT) environments. Targeting critical infrastructure requires a higher level of technical expertise, highlighting the group’s capabilities and potential access to state-sponsored tools or intelligence.
The group’s operational success is further enhanced through coordination with other pro-Russian threat actors and the use of encrypted communication platforms like Telegram. PCAR often collaborates with groups such as CyberDragon and UserSec, amplifying attack power and expanding its reach across various sectors. Telegram serves as a key operational hub, where PCAR publishes attack announcements, shares target lists, and disseminates propaganda to its followers. These public-facing activities allow the group to maintain a perception of power while encouraging crowd-sourced contributions, such as individual participants joining DDoS campaigns using open-source tools or scripts shared within the group’s ecosystem.
PCAR also utilizes hack-and-leak operations as part of its technical playbook. In these operations, compromised databases are exfiltrated and selectively leaked to inflict reputational damage and cause operational disruptions. For example, the group has claimed responsibility for leaking sensitive data from government websites, showcasing their technical ability to exploit web application vulnerabilities, execute SQL injection attacks, and escalate privileges within targeted systems. These leaks are often accompanied by messaging that aligns with Russian geopolitical narratives, highlighting PCAR’s dual role as a disruptive hacktivist group and an influence operation tool.
In conclusion, the People’s Cyber Army of Russia operates on a technically advanced level, combining DDoS attacks, SCADA system compromises, hack-and-leak operations, and strategic collaborations with other threat actors. By leveraging advanced tools, vulnerabilities, and public platforms for coordination, PCAR is able to conduct large-scale, impactful cyber campaigns. Their alignment with state-sponsored actors and focus on critical infrastructure further distinguishes them from traditional hacktivist groups, cementing their role as a formidable force in the evolving landscape of cyber conflict.
