Russian Hackers Target Industrial Systems in North America, Europe

Government agencies are sharing recommendations following attacks claimed by pro-Russian hacktivists on ICS/OT systems.

Government agencies from the United States, Canada and the United Kingdom are providing recommendations to critical infrastructure organizations following a series of attacks launched by apparent pro-Russia hacktivists against industrial control systems (ICS) and other operational technology (OT) systems.

A fact sheet authored by the cybersecurity agency CISA and its partners reveals that hacktivist groups have been attempting to compromise ICS and OT systems in North America and Europe, particularly in sectors such as water and wastewater systems (WWS), dams, energy, and food and agriculture.

Hackers have mainly targeted internet-exposed human-machine interfaces (HMIs), typically leveraging default passwords and outdated VNC software. 

The government agencies have been tracking these types of attacks since 2022, but the new alert was prompted by recent attacks for which pro-Russia hacktivists have taken credit. 

“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators,” the alert reads. “Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.”

The tank overflow incident mentioned by the government agencies likely involves a small Texas town, whose representatives stated that there wasn’t any danger to the public water system.

Threat actors claiming to be pro-Russia hacktivists also recently targeted the water sector in France. They claimed to have attacked a hydroelectric power plant, posting videos of a dam and suggesting that they could have caused significant damage. However, it turned out that they had actually targeted a small mill.

It’s not uncommon for hacktivists to exaggerate their claims. However, the government agencies warned that while most of the activity observed to date created only “nuisance effects”, the hackers “are capable of techniques that pose physical threats against insecure and misconfigured OT environments”.

This assumption is reinforced by a recent report from Google Cloud’s Mandiant. While the government alert links the ICS attacks to “pro-Russia hacktivist activity”, Mandiant said at least some of these ‘hacktivists’ appear to be personas tied to a highly sophisticated hacking unit of the Russian government, specifically Sandworm (APT44), which is known for highly disruptive ICS attacks.

The fact sheet released this week by CISA and its partners includes recommendations for network defenders, OT device manufacturers, and organizations that have been targeted in these types of attacks. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
