US govt warns of pro-Russian hacktivists targeting water facilities

The US government is warning that pro-Russian hacktivists are seeking out and hacking into unsecured operational technology (OT) systems to disrupt critical infrastructure operations.

The joint advisory comes from six US government agencies, including CISA, FBI, NSA, EPA, DOE, USDA, and FDA, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Canada’s Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

OT devices are a combination of hardware and software platforms used to monitor and control physical processes or events in manufacturing, critical infrastructure, and other industries. For example, water plants use OT devices to manage water treatment, distribution, and pressure to provide a stable and safe water supply.

In an advisory released today, the US government warns that pro-Russian hacktivists have been targeting insecure and misconfigured OT devices since 2022 to disrupt operations or create “nuisance effects.”

“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” reads the joint advisory.

“However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”

The government says that most of the attacks are overexaggerated, but some recent attacks in 2024 led to a bit more disruption.

A pro-Russian hacktivist group known as the Cyber Army of Russia has claimed to be behind attacks on Texas and Indiana water treatment and processing plants, as well as water infrastructure in Poland and France.

While the Texas water facility confirmed an attack caused a tank to overflow, the Indiana wastewater treatment plant told CNN they were targeted but not breached.

While the Cyber Army and other groups claim to be hacktivists, a recent Mandiant report linked the group to the Sandworm hackers, an advanced persistent threat actor tracked as APT44 and linked to Russia’s Main Intelligence Directorate (GRU), the country’s foreign military intelligence agency.

Mitigating attacks on OT devices

The advisory warns that government agencies have seen these hacktivists targeting OT devices through different methods, primarily using VNC:

  • Using the VNC protocol to access human machine interfaces (HMIs) and make changes to the underlying OT. VNC is used for remote access to graphical user interfaces, including HMIs that control OT systems.
  • Leveraging the VNC Remote Frame Buffer (RFB) protocol to log into HMIs to control OT systems.
  • Leveraging VNC over port 5900 to access HMIs by using default credentials and weak passwords on accounts not protected by multifactor authentication.

To protect against these attacks, the advisory provides a number of steps, including placing HMIs behind firewalls, hardening VNC installs, enabling multifactor authentication, applying the latest security updates, changing default passwords, and increasing the overall security posture of IT environments.
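The advisory's point that HMIs should sit behind a firewall and never accept VNC from arbitrary sources is easy to turn into a detection: flag any accepted inbound connection to an HMI on the VNC port range (5900 plus display number) whose source is outside the management network. The following is an added example written for this article, not code from the advisory or any agency; the log format, the HMI inventory, the 10.20.0.0/24 management subnet and all addresses are constructed placeholders.

```python
"""Flag inbound VNC connections to HMI hosts from outside the management network.

Added example for this article (not from the advisory). The log format,
inventory and addresses below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall/connection log (not real data). Each line is
# "<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ACCEPT src=10.20.0.15 dst=10.10.5.2 proto=tcp dport=5900
2024-05-01T10:00:09Z ACCEPT src=203.0.113.44 dst=10.10.5.2 proto=tcp dport=5900
2024-05-01T10:01:12Z ACCEPT src=198.51.100.7 dst=10.10.5.3 proto=tcp dport=5901
2024-05-01T10:02:30Z ACCEPT src=10.20.0.15 dst=10.10.5.3 proto=tcp dport=502
2024-05-01T10:03:00Z DROP src=203.0.113.44 dst=10.10.5.2 proto=tcp dport=5900
"""

# Hypothetical asset inventory: HMI hosts and the only subnet allowed to reach
# them over VNC (e.g. a jump host network). Everything else is a finding.
HMI_HOSTS = {"10.10.5.2": "HMI-pumpstation-1", "10.10.5.3": "HMI-clarifier-2"}
MGMT_NETWORK = ipaddress.ip_network("10.20.0.0/24")
# VNC listens on 5900 + display number; cover the common display range.
VNC_PORTS = range(5900, 5910)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    hmi: str
    dport: int


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_vnc(log_text):
    """Return a Finding for every accepted TCP connection to an HMI on a VNC
    port whose source address lies outside MGMT_NETWORK."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "tcp":
            continue  # dropped traffic and non-TCP are not a VNC session
        if rec["dport"] not in VNC_PORTS or rec["dst"] not in HMI_HOSTS:
            continue  # not VNC, or not one of our HMIs
        if ipaddress.ip_address(rec["src"]) in MGMT_NETWORK:
            continue  # expected operator access from the management subnet
        findings.append(
            Finding(rec["ts"], rec["src"], rec["dst"], HMI_HOSTS[rec["dst"]], rec["dport"])
        )
    return findings


if __name__ == "__main__":
    for f in find_exposed_vnc(SAMPLE_LOG):
        print(f"{f.ts} VNC to {f.hmi} ({f.dst}:{f.dport}) from non-management source {f.src}")
```

Run against the sample, this reports the two sessions from documentation-range public addresses and ignores the management-subnet operator, the Modbus port 502 connection and the dropped attempt. In practice the same rule belongs in the firewall itself (only the management subnet may reach TCP/5900-5909 on HMI hosts); the detection is the check that the firewall rule is actually in place and holding.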

“This year we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems,” said Dave Luber, NSA’s Director of Cybersecurity.

“NSA highly recommends critical infrastructure organizations’ OT administrators implement the mitigations outlined in this report, especially changing any default passwords, to improve their cybersecurity posture and reduce their system’s vulnerability to this type of targeting.”
