The US government is warning that pro-Russian hacktivists are seeking out and hacking into unsecured operational technology (OT) systems used to disrupt critical infrastructure operations.
The joint advisory comes from six US govt agencies, including CISA, FBI, NSA, EPA, DOE, USDA, and FDA, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Canada's Centre for Cyber Security (CCCS), and United Kingdom's National Cyber Security Centre (NCSC-UK).
OT devices are a combination of hardware and software platforms used to monitor and control physical processes or activities in manufacturing, critical infrastructure, and other industries. For example, water plants use OT devices to manage water treatment, distribution, and pressure to provide a continuous and safe water supply.
In an advisory released today, the US government warns that pro-Russian hacktivists have been targeting insecure and misconfigured OT devices since 2022 to disrupt operations or create "nuisance effects."
"Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects," reads the joint advisory.
"However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments."
The government says that many of the attacks are overexaggerated, but some recent attacks in 2024 led to a bit more disruption.
A pro-Russian hacktivist group known as the Cyber Army of Russia has claimed to be behind attacks on Texas and Indiana water treatment and processing plants, as well as water infrastructure in Poland and France.
While the Texas water facility confirmed an attack caused a tank to overflow, the Indiana wastewater treatment plant told CNN they were targeted but not breached.
While the Cyber Army and other groups claim to be hacktivists, a recent Mandiant report linked the group to the Sandworm hackers, an advanced persistent threat actor tracked as APT44 and linked to Russia’s Main Intelligence Directorate (GRU), the country’s foreign military intelligence agency.
Mitigating attacks on OT devices
The advisory warns that government agencies have seen these hacktivists targeting OT devices through different techniques, mainly utilizing VNC:
- Using the VNC Protocol to access human machine interfaces (HMIs) and make changes to the underlying OT. VNC is used for remote access to graphical user interfaces, including HMIs that control OT systems.
- Leveraging the VNC Remote Frame Buffer Protocol to log into HMIs to control OT systems.
- Leveraging VNC over Port 5900 to access HMIs by using default credentials and weak passwords on accounts not protected by multifactor authentication
To protect against these attacks, the advisory offers a wide range of steps, including putting HMIs behind firewalls, hardening VNC installs, enabling multifactor authentication, applying the latest security updates, and changing default passwords, and increasing the overall security posture of IT environments.
"This year we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems," said Dave Luber, NSA's Director of Cybersecurity.
"NSA highly recommends critical infrastructure organizations' OT administrators implement the mitigations outlined in this report, especially changing any default passwords, to improve their cybersecurity posture and reduce their system's vulnerability to this type of targeting."
