U.K. and U.S. Warn of Pro-Russia Hacktivist Attacks on Operational Technology Systems
The U.K.’s National Cyber Security Centre (NCSC) and other international cyber authorities, including the Federal Bureau of Investigation (FBI), have warned about pro-Russia hacktivist attacks targeting providers of operational technology. OT is hardware and software that interacts with the physical environment and includes smart water metres, automated irrigation systems, dam monitoring systems, smart grids and IoT sensors for precision agriculture.
In the alert published on May 1, the cyber authorities provide advice to OT providers in light of “continued malicious cyber activity” between 2022 and April 2024. The authoring bodies have observed attempts to compromise small-scale OT systems that provide critical infrastructure in North America and Europe. Targeted sectors include Water and Wastewater Systems, Dams, Energy and Food and Agriculture.
Other bodies that contributed to the alert include;
- National Security Agency (NSA).
- Environmental Protection Agency (EPA).
- Department of Energy (DOE).
- United States Department of Agriculture (USDA).
- Food and Drug Administration (FDA).
- Multi-State Information Sharing and Analysis Center (MS-ISAC).
- Canadian Centre for Cyber Security (CCCS).
“This year we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems,” said Dave Luber, director of cybersecurity at the NSA, in a press release.
“NSA highly recommends critical infrastructure organizations’ OT administrators implement the mitigations outlined in this report, especially changing any default passwords, to improve their cybersecurity posture and reduce their system’s vulnerability to this type of targeting.”
SEE: CISA Aims For More Robust Open Source Software Security for Government and Critical Infrastructure
Hacktivists only create “nuisance effects” after accessing OT devices
Pro-Russia hacktivists exploit both virtual network computing remote access software and default passwords to access the software components of internet-exposed industrial control systems associated with OT devices.
Once the ICS is compromised, they largely only create “nuisance effects.” For example, some U.S.-based WWS victims reported having the settings of their water pumps and blowers altered to “exceed their normal operating parameters,” occasionally resulting in “minor tank overflow events.” The hacktivists also turned off alarm mechanisms and changed administrative passwords to lock out the WWS operators.
While most victims were able to quickly regain control and restore operations, the authorities are concerned that the hacktivists “are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”
Indeed, despite the limited impacts of these attacks, the advisory notes that pro-Russia hacktivists tend to “exaggerate their capabilities and impacts to targets.” This is to help generate fear and uncertainty around the robustness of the critical infrastructure and amplify their perceived power.
SEE: Study Reveals Most Vulnerable IoT, Connected Assets
How are pro-Russia hacktivists accessing OT systems?
The alert said the hacktivists largely aim to get remote access to the human machine interface associated with the OT device’s ICS and then use it to control its output. They use a variety of techniques to do so, including;
- Using the VNC protocol to access the HMIs.
- Leveraging the VNC Remote Frame Buffer Protocol to log into HMIs.
- Leveraging VNC over Port 5900 to access HMIs; and then logging into the HMI with accounts that have factory default credentials or weak passwords and are not protected by multifactor authentication.
They added that several of the compromised HMIs were “unsupported legacy, foreign-manufactured devices rebranded as U.S. devices.”
SEE: Tenable: Cyber Security Pros Should Worry About State-Sponsored Cyber Attacks
Jake Moore, the global cybersecurity advisor for internet security and antivirus company ESET, told TechRepublic in an email: “Although not always or entirely malicious, hacktivists will highlight areas of concern that need to be addressed whilst making their political or social noise in order to get their message heard,
“Limited to unsophisticated techniques to target (critical infrastructure), attacks on these controls naturally raise the threat level and showcase what needs to be addressed.”
Which pro-Russia hacktivists were responsible for attacks on OT systems?
While the report does not explicitly name any threat actors identified as being responsible for these attacks, in January, a pro-Russia hacktivist group called Cyber Army of Russia posted a video that appears to show them manipulating settings at a water supply organisation in Muleshoe, Texas, leading to an overflow. A similar incident occurred in April in Indiana that was claimed by the same group.
Google-owned cyber security firm Mandiant has since linked the Cyber Army of Russia to notorious Russian hacking unit Sandworm in a report. It added that OT exploitation events have also been reported in Poland and France.
SEE: Sandworm, a Russian Threat Actor, Disrupted Power in Ukraine Via Cyberattack
As per The Record, Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media briefing on Wednesday: “Russian hacktivist groups have publicly stated their intent to undertake these kinds of activities to reflect their support for the Russian regime.”
However, Goldstein clarified that the federal government is “not assessing a connection” between the recent malicious activity and Sandworm.
What advice have the cyber security authorities provided?
The authors of the fact sheet consolidate advice targeted at OT device users and OT device manufacturers to protect their systems from attackers.
OT device users
- Disconnect all HMIs, like touchscreens and programmable logic controllers, from public-facing internet. If remote access is necessary, use a firewall and/or a virtual private network with a strong password and multifactor authentication.
- Implement MFA for all access to the OT network.
- Immediately change all default and weak passwords on HMIs and use a strong, unique password.
- Keep the VNC updated with the latest version available and ensure all systems and software are up to date with patches and necessary security updates.
- Establish an allowlist that permits only authorised device IP addresses and enable alerting for monitoring access attempts.
- Log remote logins to HMIs, taking note of any failed attempts and unusual times.
- Practice and maintain the ability to operate systems manually.
- Create backups of the engineering logic, configurations and firmware of HMIs to enable fast recovery. Familiarise your organisation with factory resets and backup deployment.
- Check the integrity of PLC ladder logic or other PLC programming languages and diagrams and check for any unauthorised modifications to ensure correct operation.
- Update and safeguard network diagrams to reflect both IT and OT networks. Individuals should only have access to systems that they need to complete their job but maintain awareness of all attempts to obtain or modify network architecture. Consider using encryption, authentication and authorization techniques to secure network diagram files.
- Be aware of potential threats. Adversaries may attempt to obtain network credentials by various physical means, including official visits, tradeshow and conference conversations and through social media.
- Take inventory and replace end-of-life HMIs as soon as feasible.
- Implement software and hardware limits on physical process manipulation, for example, by using operational interlocks, cyber-physical safety systems and cyber-informed engineering.
- U.K. organisations can reduce their risk exposure by utilising the NCSC’s free Early Warning service.
OT device manufacturers
- Eliminate default and require strong passwords. The use of default credentials is a top weakness that threat actors exploit to gain access to systems.
- Mandate multifactor authentication for privileged users that can make changes to engineering logic or configurations.
- Include logging at no additional charge so users can track safety-impacting events in their critical infrastructure.
- Publish Software Bills of Materials so users can measure and mitigate the impact a vulnerability has on their existing systems.
Why are the hacktivists targeting OT devices used in critical infrastructure?
Moore told TechRepublic: “Critical national infrastructure has been a particular area of interest to pro-Russian attackers since the war (in Ukraine) broke out. OT operations have also been (held) in high regard (as they) make the most noise politically.
“I would even go as far as saying hacktivists and Russian threat actors alike have continually been targeting these systems, but the weight of their attacks are finally adding to newer levels of pressure.”
Compromising critical national infrastructure can lead to widespread disruption, making it a prime target for ransomware. The NCSC stated that it is “highly likely” the cyber threat to the U.K.’s CNI increased in 2023, in part due to its reliance on legacy technology.
Organisations that handle critical infrastructure are well-known for harbouring legacy devices, as it is difficult and expensive to replace technology while maintaining normal operations. Evidence from Thales submitted for a U.K. government report on the threat of ransomware to national security stated, “it is not uncommon within the CNI sector to find aging systems with long operational life that are not routinely updated, monitored or assessed.”
Other evidence from NCC Group said that “OT systems are much more likely to include components that are 20 to 30 years old and/or use older software that is less secure and no longer supported.”
In the U.S., the White House is actively making efforts to reduce the risk of cyber attack on its critical infrastructure. On Tuesday, President Joe Biden signed a National Security Memorandum that aims to advance the country’s “national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.” It clarifies the roles of the federal government in ensuring its security, establishes minimum security requirements, outlines risk-based prioritisation and aims to improve the collection and sharing of intelligence.
This is in response to a number of cyber attacks that targeted critical infrastructure in the U.S., not only from Russia-linked groups. For instance, an advisory was released in February 2024 warning against Chinese state-backed hackers infiltrating U.S. water facilities and other critical infrastructure. In March 2024, national security adviser Jake Sullivan and Michael Regan wrote a letter to water authorities asking them to invest in strengthening the cyber security posture in light of the attacks.