US and UK Warn of Disruptive Russian OT Attacks
US, UK and Canadian security agencies have warned that pro-Russia hacktivists are causing disruption at operational technology (OT) facilities in multiple sectors across North America and Europe.
The alert, Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity, was authored by the US Cybersecurity and Infrastructure Security Agency (CISA) alongside the UK’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (CCCS) and several other US agencies.
It claimed Russian hacktivists have since 2022 targeted “small-scale” OT systems in the water and wastewater (WWS), dams, energy, and food and agriculture sectors – exploiting outdated virtual network computing (VNC) remote access software, and weak/default passwords on human machine interfaces (HMIs).
“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters,” the alert explained.
“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.”
Read more on OT threats: Researchers Reveal 56 OT Bugs in “Icefall” Report
The security agencies issued a lengthy list of mitigations for network defenders to consider in these and other sectors where OT equipment use is widespread:
- Disconnect all HMIs or programmable logic controllers (PLCs) from the public-facing internet
- Implement multi-factor authentication (MFA) for all access to the OT network
- Change default passwords to strong, unique credentials
- Keep VNCs updated to the latest versions
- Establish an allow list permitting only authorized device IP addresses
- Log remote logins to HMIs
- Ensure systems can be operated manually
- Create backups
- Check the integrity of PLC ladder logic or other PLC programming languages
- Update and safeguard network diagrams
- Take inventory and determine the end-of-life status of all HMIs
- Implement software and hardware limits to the manipulation of physical processes
- Be aware that hackers may attempt to obtain network credentials by various physical means, including official visits and tradeshows
The agencies also urged OT network defenders to build resilience to vulnerability exploitation by regular scanning, testing and other cyber-hygiene measures. They recommended UK organizations use the NCSC’s free Early Warning service, while US-based operators can assess posture by reaching out to their regional CISA office.