Government agencies have alerted critical infrastructure operators to a wave of attacks by pro-Russian hackers against industrial control systems (ICS) at facilities in North America and Europe.
By messing with control setting, the hackers have been able to cause “physical disruptions” at targeted facilities, including overflowing a tank at a water plant.
A May 1 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — prepared jointly with partner agencies in the U.S., Canada and the UK — advises critical infrastructure operators to more quickly to take steps to defend their systems against the attacks.
CISA described the attacks as unsophisticated and resulting in only nuisance-level impacts, but warned that the techniques being used could pose physical threats to insecure and misconfigured operational technology (OT) environments.
The advisory said the hackers were exploiting vulnerabilities in outdated virtual network computing (VNC) remote access software and using default or weak passwords to access the systems’ human machine interfaces (HMIs).
It said CISA and the FBI responded to several U.S. operators of water and wastewater systems (WWS) who experienced “limited physical disruptions” after hackers remotely manipulated their HMIs.
“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters,” the advisory said.
“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.”
While CISA’s advisory did not identify the group responsible for the attacks, an entity calling itself CyberArmyofRussia_Reborn last month claimed responsibility for cyberattacks against critical infrastructure plants in Indiana and Texas.
The Indiana attack targeted water and wastewater treatment plant and electricity provider Tipton Municipal Utilities, while the Texas breach impacted a water treatment plant in Muleshoe.
Researchers at Mandiant linked the Muleshoe incident to Sandworm (APT44), a top Russian military-aligned threat group notorious for its campaigns targeting Ukraine, and said CyberArmyofRussia_Reborn was one of several “front personas” or “hacktivist identities” linked to Sandworm.
The researchers said personas such as CyberArmyofRussia_Reborn were intended to generate “second-order psychological effects” by making the cyber gang that created them “appear more potent through exaggerated claims of impact."
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said those responsible for the spate of critical infrastructure attacks should not be described as “hacktivists."
“Rather, they are cyber militias, and their attacks are geared to poisoning the U.S. water supply,” he said.
“Water utilities have never been sufficiently funded for cybersecurity, and now they are on the front lines. The U.S. government must endow cybersecurity grants to these critical infrastructures, as we face a clear and present danger.”
In its advisory, CISA recommended critical infrastructure operators who could be potential targets of the pro-Russian campaign take immediate action, including hardening HMIs, limiting exposure of OT systems to the internet, using strong and unique passwords, and implementing multifactor authentication for all access to OT networks.
Attacks against critical U.S. infrastructure have not only originated from Russia-aligned threat groups in recent months. Hackers linked to China and Iran have also been observed targeting U.S. facilities. Earlier this week, CISA Director Jen Easterly told lawmakers Chinese cyberattacks against U.S. critical infrastructure were the most serious threat to the nation she has seen in her career.
