The U.K.’s National Cyber Security Centre (NCSC) and other international cyber authorities, including the Federal Bureau of Investigation (FBI), have warned about pro-Russia hacktivist attacks targeting providers of operational technology. OT is hardware and software that interacts with the physical environment and includes smart water metres, automated irrigation systems, dam monitoring systems, smart grids and IoT sensors for precision agriculture.
In the alert published on May 1, the cyber authorities provide advice to OT providers in light of “continued malicious cyber activity” between 2022 and April 2024. The authoring bodies have observed attempts to compromise small-scale OT systems that provide critical infrastructure in North America and Europe. Targeted sectors include Water and Wastewater Systems, Dams, Energy and Food and Agriculture.
Other bodies that contributed to the alert include:
“This year we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems,” said Dave Luber, director of cybersecurity at the NSA, in a press release.
“NSA highly recommends critical infrastructure organizations’ OT administrators implement the mitigations outlined in this report, especially changing any default passwords, to improve their cybersecurity posture and reduce their system’s vulnerability to this type of targeting.”
Pro-Russia hacktivists exploit both virtual network computing remote access software and default passwords to access the software components of internet-exposed industrial control systems associated with OT devices.
Once the ICS is compromised, they largely only create “nuisance effects.” For example, some U.S.-based WWS victims reported having the settings of their water pumps and blowers altered to “exceed their normal operating parameters,” occasionally resulting in “minor tank overflow events.” The hacktivists also turned off alarm mechanisms and changed administrative passwords to lock out the WWS operators.
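As an added illustration that is not part of the advisory or this article, the following Python check runs over constructed HMI audit log lines in a hypothetical format and flags the behaviours described above: a VNC login from outside an assumed trusted plant network, and within that session any setpoint pushed beyond assumed normal operating limits, any alarm disable and any administrative password change. The log format, the trusted network range and the per-tag limits are all assumptions made for the example.

```python
import ipaddress
import re

# Assumed trusted OT network; any other source address is treated as remote.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Assumed normal operating parameters per tag (would come from the site's SCADA config).
LIMITS = {"pump1_speed_pct": (0, 85), "blower2_rpm": (0, 1800)}

# Actions the advisory describes hacktivists taking once inside the HMI.
HIGH_RISK_ACTIONS = {"alarm_disable", "password_change"}

# Hypothetical audit-log line format: "<ts> src=<ip> user=<name> action=<verb> [tag=<tag>] [value=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\w+)"
    r"(?: tag=(?P<tag>\S+))?(?: value=(?P<value>-?\d+(?:\.\d+)?))?$"
)

# Constructed sample log: one remote VNC session, then a normal operator change.
SAMPLE_LOG = """\
2024-04-10T02:11:03Z src=198.51.100.7 user=admin action=vnc_login
2024-04-10T02:12:40Z src=198.51.100.7 user=admin action=setpoint tag=pump1_speed_pct value=100
2024-04-10T02:13:02Z src=198.51.100.7 user=admin action=alarm_disable tag=tank1_high_level
2024-04-10T02:14:15Z src=198.51.100.7 user=admin action=password_change
2024-04-10T08:00:01Z src=10.0.5.20 user=operator action=setpoint tag=pump1_speed_pct value=60
"""


def is_trusted(src):
    """True if the source address falls inside an assumed trusted plant network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def analyse(log_text):
    """Return (reason, line) findings; remote sessions are keyed by (src, user)."""
    findings, remote_sessions = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        f = m.groupdict()
        key = (f["src"], f["user"])
        if f["action"] == "vnc_login" and not is_trusted(f["src"]):
            remote_sessions.add(key)
            findings.append(("remote_vnc_login", line))
            continue
        if f["action"] == "setpoint":  # out-of-range setpoints are suspect from any source
            lo, hi = LIMITS.get(f["tag"], (float("-inf"), float("inf")))
            if not lo <= float(f["value"]) <= hi:
                findings.append(("setpoint_out_of_range", line))
        if f["action"] in HIGH_RISK_ACTIONS and key in remote_sessions:
            findings.append((f"remote_{f['action']}", line))
    return findings
```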
While most victims were able to quickly regain control and restore operations, the authorities are concerned that the hacktivists “are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”
Indeed, despite the limited impacts of these attacks, the advisory notes that pro-Russia hacktivists tend to “exaggerate their capabilities and impacts to targets.” This is to help generate fear and uncertainty around the robustness of the critical infrastructure and amplify their perceived power.
The alert said the hacktivists largely aim to get remote access to the human machine interface associated with the OT device’s ICS and then use it to control its output. They use a variety of techniques to do so, including:
They added that several of the compromised HMIs were “unsupported legacy, foreign-manufactured devices rebranded as U.S. devices.”
Jake Moore, the global cybersecurity advisor for internet security and antivirus company ESET, told TechRepublic in an email: “Although not always or entirely malicious, hacktivists will highlight areas of concern that need to be addressed whilst making their political or social noise in order to get their message heard,
“Limited to unsophisticated techniques to target (critical infrastructure), attacks on these controls naturally raise the threat level and showcase what needs to be addressed.”
While the report does not explicitly name any threat actors identified as being responsible for these attacks, in January, a pro-Russia hacktivist group called Cyber Army of Russia posted a video that appears to show them manipulating settings at a water supply organisation in Muleshoe, Texas, leading to an overflow. A similar incident occurred in April in Indiana that was claimed by the same group.
Google-owned cyber security firm Mandiant has since linked the Cyber Army of Russia to notorious Russian hacking unit Sandworm in a report. It added that OT exploitation events have also been reported in Poland and France.
As per The Record, Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media briefing on Wednesday: “Russian hacktivist groups have publicly stated their intent to undertake these kinds of activities to reflect their support for the Russian regime.”
However, Goldstein clarified that the federal government is “not assessing a connection” between the recent malicious activity and Sandworm.
The authors of the fact sheet consolidate advice targeted at OT device users and OT device manufacturers to protect their systems from attackers.
Moore told TechRepublic: “Critical national infrastructure has been a particular area of interest to pro-Russian attackers since the war (in Ukraine) broke out. OT operations have also been (held) in high regard (as they) make the most noise politically.
“I would even go as far as saying hacktivists and Russian threat actors alike have continually been targeting these systems, but the weight of their attacks are finally adding to newer levels of pressure.”
Compromising critical national infrastructure can lead to widespread disruption, making it a prime target for ransomware. The NCSC stated that it is “highly likely” the cyber threat to the U.K.’s CNI increased in 2023, in part due to its reliance on legacy technology.
Organisations that handle critical infrastructure are well-known for harbouring legacy devices, as it is difficult and expensive to replace technology while maintaining normal operations. Evidence from Thales submitted for a U.K. government report on the threat of ransomware to national security stated, “it is not uncommon within the CNI sector to find aging systems with long operational life that are not routinely updated, monitored or assessed.”
Other evidence from NCC Group said that “OT systems are much more likely to include components that are 20 to 30 years old and/or use older software that is less secure and no longer supported.”
In the U.S., the White House is actively making efforts to reduce the risk of cyber attack on its critical infrastructure. On Tuesday, President Joe Biden signed a National Security Memorandum that aims to advance the country’s “national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.” It clarifies the roles of the federal government in ensuring its security, establishes minimum security requirements, outlines risk-based prioritisation and aims to improve the collection and sharing of intelligence.
This is in response to a number of cyber attacks that targeted critical infrastructure in the U.S., not only from Russia-linked groups. For instance, an advisory was released in February 2024 warning against Chinese state-backed hackers infiltrating U.S. water facilities and other critical infrastructure. In March 2024, national security adviser Jake Sullivan and Michael Regan wrote a letter to water authorities asking them to invest in strengthening the cyber security posture in light of the attacks.