The Canadian, US, and UK governments issued a series of recommendations in their just-released security alert Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity, which mirror my own insights on the important topic.
The alert notes that all three governments are aware of pro-Russia hacktivists targeting and compromising small-scale OT systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture sectors. These hacktivists seek to compromise modular, Internet-exposed industrial control systems (ICS) through their software components, such as human-machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords.
At this point, with these pro-Russia hacktivists potentially in, or able to get into, our water and wastewater systems since 2022, the defensive measures these operators can take are somewhat limited, but as we shall detail, the WWS and other sectors do have some moves.
Trustwave recommends WWS and other potential OT targets update and upgrade wherever possible. In addition, the best steps to take involve truly segmenting, isolating, or air-gapping their systems. Operators should also ensure that they have proven backup and recovery capabilities in place in case of attack.
In addition, operators must vigilantly monitor their systems for malicious activity. They must also ensure their systems are monitoring the safety of the water going to the public and are resilient enough to enable shutoff if the worst should happen.
CISA does practice what it preaches. CISA Director Jen Easterly recently explained one of the steps her agency took to secure its systems.
"First, we deployed threat-hunting teams across multiple sectors, water, power, energy, and transportation to find and eradicate these Chinese cyber actors. And we've shared insights with others before they become victims," Easterly said. "Now these PRC hunting missions are just part of our larger hunting missions."
Finally, in addition to the recent 97 CISA-led threat hunting engagements across water, power, energy, and transportation noted by CISA Director Jen Easterly, the 153,000 public drinking water systems and 16,000 publicly owned WWS operators may also want to consider engaging private sector providers such as Trustwave's SpiderLabs for penetration testing or offensive security testing engagements to identify weaknesses that may be exposing their systems. If any are found, the next step may be a digital forensics investigation.
The report noted that hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects.
However, investigations have identified that these actors can pose physical threats against insecure and misconfigured OT environments. The government agencies have observed pro-Russia hacktivists gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.
So far in 2024, North American and UK investigators have responded to several WWS attacks. In these cases, the pro-Russian groups created limited physical disruptions by remotely manipulating HMIs. Specifically, manipulating HMIs has caused water pumps and blower equipment to exceed their normal operating parameters.
In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.
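The monitoring the alert calls for can be started with a small detector over two log sources: perimeter logs, to spot VNC sessions reaching an HMI from outside the trusted engineering subnets, and the HMI audit trail, to flag set points pushed outside their operating band, alarm suppression, and administrative password changes. This is an added Python example, not code from the advisory or from Trustwave; the log formats, the internal subnet, and the per-tag operating limits are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample logs: key=value records, not a real vendor format.
FIREWALL_LOG = """\
2024-05-01T02:14:07Z ACCEPT src=203.0.113.45 dst=192.168.10.5 dport=5900 proto=tcp
2024-05-01T02:15:11Z ACCEPT src=192.168.10.20 dst=192.168.10.5 dport=5900 proto=tcp
2024-05-01T02:16:40Z ACCEPT src=198.51.100.7 dst=192.168.10.5 dport=5901 proto=tcp
"""
HMI_AUDIT_LOG = """\
2024-05-01T02:15:03Z user=admin event=SETPOINT tag=PUMP1_SPEED old=60 new=100
2024-05-01T02:15:09Z user=admin event=SETPOINT tag=BLOWER2_RATE old=45 new=55
2024-05-01T02:15:30Z user=admin event=ALARM_DISABLE tag=TANK1_HIGH_LEVEL
2024-05-01T02:16:02Z user=admin event=PASSWORD_CHANGE account=operator
"""
# Hypothetical site parameters: trusted engineering subnet, VNC ports, tag limits.
INTERNAL_NETS = [ip_network("192.168.10.0/24")]
VNC_PORTS = {5900, 5901}
OPERATING_LIMITS = {"PUMP1_SPEED": (20, 80), "BLOWER2_RATE": (30, 70)}
HIGH_RISK_EVENTS = {"ALARM_DISABLE", "PASSWORD_CHANGE"}

def parse_kv(line):
    """Split 'timestamp ... key=value ...' into (timestamp, {key: value})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(re.findall(r"(\w+)=(\S+)", rest))

def external_vnc_connections(log, internal=INTERNAL_NETS):
    """Accepted VNC sessions whose source lies outside every trusted subnet."""
    hits = []
    for line in log.splitlines():
        ts, f = parse_kv(line)
        src = ip_address(f["src"])
        if int(f.get("dport", 0)) in VNC_PORTS and not any(src in n for n in internal):
            hits.append((ts, f["src"], f["dst"]))
    return hits

def suspicious_hmi_events(log, limits=OPERATING_LIMITS):
    """Flag out-of-band set points, alarm suppression and credential changes."""
    alerts = []
    for line in log.splitlines():
        ts, f = parse_kv(line)
        ev = f.get("event")
        if ev == "SETPOINT" and f["tag"] in limits:
            lo, hi = limits[f["tag"]]
            if not lo <= float(f["new"]) <= hi:  # value outside operating band
                alerts.append((ts, ev, f["tag"], f["new"]))
        elif ev in HIGH_RISK_EVENTS:
            alerts.append((ts, ev, f.get("tag") or f.get("account"), None))
    return alerts
```

Correlating the two outputs by timestamp (an external VNC session followed within minutes by an out-of-band set point and an alarm disable) reproduces the sequence the advisory describes and is the signal an operator would escalate on.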
The pro-Russia hacktivists use a variety of techniques to gain remote access to the HMIs and make changes to the underlying OT:
Security organizations from the reporting nations offered several security steps to implement. First and foremost:
Additional mitigations aligned with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) were posted specifically to harden HMI remote access.