Pro-Russia hacktivists are targeting and compromising small-scale operational technology (OT) systems in North American and European critical infrastructure sectors – including water and wastewater systems (WWS), dams, energy, and food and agriculture – according to a joint fact sheet released today by U.S. Federal cyber agencies and their Canadian and U.K. partners.
The malicious activity against these sectors – which the agencies said has mostly been limited to “unsophisticated techniques” that create “nuisance effects” – has been observed since 2022.
The Cybersecurity and Infrastructure Security Agency (CISA) co-authored the joint fact sheet in collaboration with the FBI, the National Security Agency, the Environmental Protection Agency, the Department of Energy, the United States Department of Agriculture, the Food and Drug Administration, the Multi-State Information Sharing and Analysis Center, the Canadian Centre for Cyber Security, and the United Kingdom’s National Cyber Security Centre.
According to the agencies, pro-Russia hacktivists have gained remote access through a combination of publicly exposed, internet-facing connections and outdated virtual network computing (VNC) software, and by logging in to human-machine interfaces (HMIs) with factory-default or weak passwords on accounts that lack multifactor authentication.
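The fact sheet does not say which specific VNC weaknesses were abused, only that exposed and outdated VNC and password-only HMI logins were the way in. As an added example (not from the fact sheet or any agency tool), the following script classifies what a VNC endpoint advertises during the RFB handshake: its protocol version and the authentication ("security") types it offers. The security-type numbers come from the RFB specification; the three captured handshakes and the device names are constructed, and the `probe()` function is an optional live check against an HMI you own.

```python
"""Classify what an HMI's VNC endpoint offers to anyone who can reach it:
RFB protocol version and the authentication ("security") types it
advertises. Added example, not from the fact sheet; the captured
handshakes below are constructed, and the live probe() is optional."""
import re
import socket

# RFB security type numbers from the RFB specification (subset).
SECURITY_TYPE_NAMES = {
    1: "None",                # no authentication at all
    2: "VNC Authentication",  # DES challenge/response on a <=8-char password
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL",
}
# Types that at least wrap the session in TLS or a stronger exchange.
STRONGER_TYPES = {5, 6, 18, 19, 20}

_VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def parse_version(banner):
    """The server's first 12 bytes are 'RFB xxx.yyy\\n'."""
    m = _VERSION_RE.fullmatch(banner[:12])
    if not m:
        raise ValueError("not an RFB banner: %r" % banner[:12])
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version, data):
    """RFB 3.3 (and anything below 3.7) sends one 4-byte type; 3.7+ send a
    count byte followed by the list. An empty list means the server refused."""
    if version < (3, 7):
        t = int.from_bytes(data[:4], "big")
        return [t] if t else []
    n = data[0]
    return list(data[1:1 + n]) if n else []


def assess(banner, security_data):
    """Return the parsed handshake plus a list of findings worth acting on."""
    version = parse_version(banner)
    types = parse_security_types(version, security_data)
    findings = []
    if version < (3, 8):
        findings.append("legacy_protocol")     # 3.3/3.7-only servers are old builds
    if 1 in types:
        findings.append("no_authentication")
    elif 2 in types and not (set(types) & STRONGER_TYPES):
        findings.append("password_only_auth")  # single factor, weak legacy scheme
    if not types:
        findings.append("handshake_refused")
    return {"version": version, "security_types": types,
            "type_names": [SECURITY_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in types],
            "findings": findings}


def probe(host, port=5900, timeout=3.0):
    """Live check against your own HMI (not run here). Echoes the server's
    version back so it answers in its native handshake form."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        major, minor = parse_version(banner)
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))
        return assess(banner, s.recv(256))


# Constructed handshake captures (not real devices).
CAPTURES = {
    "hmi-a": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),  # old server, no auth
    "hmi-b": (b"RFB 003.008\n", b"\x01\x02"),          # password only
    "hmi-c": (b"RFB 003.008\n", b"\x02\x13\x12"),      # VeNCrypt or TLS
}

if __name__ == "__main__":
    for name, (banner, sec) in CAPTURES.items():
        print(name, assess(banner, sec))
```

An endpoint that reports `no_authentication` or `password_only_auth` and is reachable from the internet matches the access pattern the agencies describe; `password_only_auth` is also the case where a factory-default or weak password is the only thing between an attacker and the HMI.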
“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” the fact sheet says. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”
“Historically, these hacktivists have been known to exaggerate their capabilities and impacts to targets,” the agencies wrote. “Since 2022, they have claimed on social media to have conducted cyber operations (such as distributed denial of service, data leaks, and data wiping) against a variety of North American and international organizations. Based on victim incident reporting, this activity has caused limited disruption to operations.”
The joint fact sheet explains that pro-Russia hacktivists have manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators.
“Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations,” the agencies said.
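The sequence the agencies describe (a set point driven to its limit, alarms switched off, the administrative password changed to lock operators out) is a recognizable pattern in an HMI's audit trail. As an added example that is not from the fact sheet, the script below runs that detection over a constructed key=value audit log: it maps each event to one of those behaviours, adds a fourth indicator for logins from outside an assumed operator network, and raises an alert when one session shows two or more of them within fifteen minutes. The log format, the `10.20.30.0/24` operator range, the host names and the time window are all assumptions made for the example.

```python
"""Detect the HMI-manipulation pattern described in the fact sheet
(set points pushed to their limits, alarms disabled, admin passwords
changed) in HMI audit logs. Added example; the key=value log format,
network range and host names are constructed, not any vendor's format."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import json

# Constructed sample HMI audit log (not real data).
SAMPLE_LOG = """\
2024-05-01T02:58:10Z hmi=wtp-hmi-01 user=operator src=10.20.30.15 event=SETPOINT_CHANGE tag=PUMP1_SPEED_SP old=55 new=60 max=100
2024-05-01T03:12:07Z hmi=wtp-hmi-01 user=admin src=203.0.113.45 event=LOGIN result=success
2024-05-01T03:12:20Z hmi=wtp-hmi-01 user=admin src=203.0.113.45 event=SETPOINT_CHANGE tag=PUMP2_SPEED_SP old=60 new=100 max=100
2024-05-01T03:12:31Z hmi=wtp-hmi-01 user=admin src=203.0.113.45 event=ALARM_DISABLE tag=TANK1_HIGH_LEVEL
2024-05-01T03:13:02Z hmi=wtp-hmi-01 user=admin src=203.0.113.45 event=PASSWORD_CHANGE target=admin
2024-05-01T09:40:00Z hmi=wtp-hmi-02 user=operator src=10.20.30.16 event=ALARM_DISABLE tag=BLOWER3_VIBRATION
"""

# Assumption: operator workstations live in this range; anything else is suspect.
OPERATOR_NETS = [ipaddress.ip_network("10.20.30.0/24")]
WINDOW = timedelta(minutes=15)
PRIVILEGED_ACCOUNTS = {"admin"}


def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in rest.split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def indicators(rec):
    """Map one event to the fact-sheet behaviours it matches (may be empty)."""
    found = set()
    ev = rec.get("event")
    if ev == "SETPOINT_CHANGE" and "max" in rec and float(rec["new"]) >= float(rec["max"]):
        found.add("setpoint_maxed")           # set point driven to its limit
    elif ev == "ALARM_DISABLE":
        found.add("alarm_disabled")           # alarm mechanism turned off
    elif ev == "PASSWORD_CHANGE" and rec.get("target") in PRIVILEGED_ACCOUNTS:
        found.add("admin_password_changed")   # operators locked out
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in OPERATOR_NETS):
        found.add("external_source")          # not an operator workstation
    return found


def detect(log_text, min_indicators=2):
    """Group events per (hmi, user, src) session and alert when a session shows
    at least `min_indicators` distinct behaviours inside WINDOW."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            sessions[(rec["hmi"], rec["user"], rec["src"])].append(rec)
    alerts = []
    for key, events in sessions.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            seen = set()
            for rec in events[i:]:
                if rec["ts"] - start["ts"] > WINDOW:
                    break
                seen |= indicators(rec)
            if len(seen) >= min_indicators:
                alerts.append({"hmi": key[0], "user": key[1], "src": key[2],
                               "first_seen": start["ts"].isoformat(),
                               "indicators": sorted(seen)})
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

On the sample log only the admin session from 203.0.113.45 trips the rule; the operator who raised a pump set point within limits and the operator who disabled a single alarm from the plant network do not, which is the point of requiring more than one indicator before paging anyone.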
During a call with reporters today, CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein acknowledged that small-scale critical infrastructure owners and operators lack significant resources and struggle to implement basic cybersecurity practices.
He emphasized CISA’s call for technology developers to make their products secure by design. “There is no reason why any technology product should be coming off the shelf” with factory default passwords or lacking multifactor authentication, he said.
Goldstein said that since the self-proclaimed pro-Russia hacktivists have not yet caused major disruption to operations, now is the time for the country to be investing in security measures before damaging impact does occur.
The agencies offered nearly two dozen mitigations for critical infrastructure entities to defend against this malicious activity in the joint fact sheet. These mitigations align with the cross-sector cybersecurity performance goals developed by CISA and the National Institute of Standards and Technology, including hardening HMIs, limiting exposure of OT systems to the internet, using strong and unique passwords, and implementing multifactor authentication for all access to the OT network.