
Russian Hackers Target Industrial Systems in North America, Europe

Government agencies are sharing recommendations following attacks claimed by pro-Russian hacktivists on ICS/OT systems.


Government agencies from the United States, Canada and the United Kingdom are providing recommendations to critical infrastructure organizations following a series of attacks launched by apparent pro-Russia hacktivists against industrial control systems (ICS) and other operational technology (OT) systems.

A fact sheet authored by the cybersecurity agency CISA and its partners reveals that hacktivist groups have been attempting to compromise ICS and OT systems in North America and Europe, particularly in sectors such as water and wastewater systems (WWS), dams, energy, and food and agriculture.

Hackers have mainly targeted internet-exposed human-machine interfaces (HMIs), typically leveraging default passwords and outdated VNC software.

The government agencies have been tracking these types of attacks since 2022, but the new alert was prompted by recent attacks for which pro-Russia hacktivists have taken credit.

“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators,” the alert reads. “Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.”

The tank overflow incident mentioned by the government agencies likely involves a small Texas town, whose representatives stated that there wasn’t any danger to the public water system.

Threat actors claiming to be pro-Russia hacktivists recently also targeted the water sector in France. They claimed to have attacked a hydroelectric power plant, posting videos of a dam and suggesting that they could have caused significant damage. However, it turned out that they had in fact targeted a small mill.

It’s not uncommon for hacktivists to exaggerate their claims. However, the government agencies warned that while most of the activity observed to date created only “nuisance effects”, the hackers “are capable of techniques that pose physical threats against insecure and misconfigured OT environments”.


This assessment is reinforced by a recent report from Google Cloud’s Mandiant. While the government alert attributes the ICS attacks to “pro-Russia hacktivist activity”, Mandiant said at least some of these ‘hacktivists’ appear to be personas tied to a sophisticated hacking unit of the Russian government, specifically Sandworm (APT44), which is known for highly disruptive ICS attacks.

The fact sheet released this week by CISA and its partners includes recommendations for network defenders, OT device manufacturers, and organizations that have been targeted in these types of attacks.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
