U.S. warns of pro-Russian hacktivist attacks against OT systems

U.S. agencies warned of pro-Russian hacktivist attacks against operational technology systems at critical infrastructure organizations, including water and energy facilities.

In a joint alert on Wednesday, CISA and other U.S. agencies along with the Canadian Centre for Cyber Security and the U.K. National Cyber Security Centre revealed that pro-Russian hacktivists claimed responsibility for attacks against critical infrastructure organizations in North America and Europe. The attacks targeted operational technology (OT) systems for the water and wastewater systems, dams, energy, and food and agriculture sectors.

So far, the attacks have not affected operations for the critical sectors, but CISA is concerned that the unnamed hacktivists could advance their techniques.

"The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS [industrial control systems] equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments," CISA wrote in the alert.

The authoring agencies initially observed the activity earlier this year, but stressed that it is ongoing. The alert referred to the activity as "unsophisticated" because the hacktivists leveraged security weaknesses that critical infrastructure and OT device manufacturers are repeatedly urged to address.

CISA emphasized that the hacktivists gained remote access to victim organizations by exploiting publicly exposed and outdated virtual network computing software as well as compromised human-machine interfaces (HMIs) that were using default passwords or weak passwords with no MFA enabled.

Once the hacktivists compromised an organization, CISA observed threat actors manipulating HMIs to tamper with settings for water pumps and blower equipment, turn off alarm mechanisms, and change administrative passwords to lock out operators. While attacks resulted in minor tank overflows, CISA said most victim organizations switched to manual controls and quickly restored operations.

Cyberattacks on critical infrastructure have been a growing concern for the U.S. In December, CISA issued an alert regarding a hacktivist group known as "CyberAv3ngers," which is connected to the Iranian government's Islamic Revolutionary Guard Corps. The group compromised programmable logic controllers at several water and wastewater facilities in the U.S.

CISA urged critical infrastructure organizations to harden HMI remote access, implement MFA for all OT network access and replace legacy HMIs "as soon as feasible." The alert also included mitigations for OT device manufacturers, including eliminating default passwords and additional costs for logging.

"Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of the OT device manufacturer to build products that are secure by design and default," the alert said.

In a media briefing on Wednesday, Eric Goldstein, executive assistant director for cybersecurity at CISA, said the U.S. government is not assessing a connection between the hacktivist group and the Russian advanced persistent threat group known as Sandworm. Mandiant recently promoted Sandworm to what it now tracks as APT44 due to the rising threat the group poses to government bodies and critical infrastructure. In addition, cybersecurity vendors have warned about hacktivists spreading disinformation to hide legitimate threats to organizations.

Goldstein emphasized that pro-Russian hacktivists have publicly stated their intentions to deploy attacks on critical infrastructure since Russia invaded Ukraine in 2022. He referred to CISA's Secure by Design alert from December that urged manufacturers to eliminate default passwords -- a weakness leveraged in these ongoing attacks.

"We also are calling upon every vendor of technology products used for our nation's operational technology and industrial control systems to deploy, as a default, the appropriate security controls to minimize the likelihood of this kind of activity," Goldstein said during the media briefing.

Alexander Leslie, a threat intelligence analyst at Recorded Future, told TechTarget Editorial that the advisory underscores the importance of framing pro-Russian hacktivist activity as a national security issue. He emphasized that the use of proxies and personas is an integral part of Russian military deception used against victims.

"While the advisory does not name any specific groups or assess any connections to the Russian government, we note that some of these attacks have been publicly claimed by personas like the Cyber Army of Russia Reborn, which has been previously attributed to the GRU [Russia's military intelligence agency]," Leslie said. "The advisory notes that pro-Russian hacktivists tend to exaggerate their claims, which we assess is an intentional practice meant to amplify malign narratives and undermine collective faith in the security of our critical infrastructure."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.