Authorities urging immediate action against pro-Russian hacktivist attacks


Independent and ideologically motivated pro-Russian hacktivists can physically threaten insecure and misconfigured operational technology devices across various sectors in North America and Europe, including water, dams, energy, food, and agriculture, nine agencies warn.

The joint advisory is urging operators of critical infrastructure to take action today: immediately change all default passwords on operational technology (OT) devices, including programmable logic controllers and human-machine interfaces, limit exposure of OT systems to the internet, and implement multifactor authentication for all access to the OT network.

The advisory comes as a reaction to continued malicious cyber activity conducted by pro-Russia hacktivists.


Their activity often appears limited to unsophisticated techniques that target industrial systems to create nuisance effects. However, their actions should not be downplayed.

Investigations have identified that these actors “are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”

“These hacktivists seek to compromise modular, internet-exposed industrial control systems (ICS) through their software components, such as human-machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords,” the document said.

Network defenders have observed pro-Russian hacktivists gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have responded to several US-based victims from the water and wastewater systems sector.

The physical disruptions from an unauthorized user were limited – water pumps and blower equipment exceeded their normal operating parameters, for example. In each case, by manipulating interfaces, hacktivists maxed out set points, altered settings, turned off the alarm mechanisms, and changed administrative passwords to lock out operators.

Some victims experienced minor tank overflow events before reverting to manual controls in the immediate aftermath and quickly restoring operations.
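The manipulation pattern described above (a remote login, set points pushed to their limits, alarms switched off, the administrative password changed) is something an asset owner can watch for in HMI audit logs. The following is an added example, not code from the advisory or from any of the agencies: it parses a handful of constructed key=value audit-log lines (hypothetical tag names, constructed engineering limits and plant network ranges) and flags events that match each element of that pattern.

```python
"""Added example: flag HMI audit-log events matching the manipulation pattern
the advisory describes. Log format, tag names, limits and network ranges are
all constructed for this example."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed engineering limits (min, max) for hypothetical HMI tags.
TAG_LIMITS = {
    "PUMP1_SPEED": (0.0, 100.0),
    "BLOWER2_RPM": (0.0, 3000.0),
    "TANK1_LEVEL_SP": (0.0, 80.0),
}

# Constructed plant address space; anything outside it is treated as remote.
PLANT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed audit-log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-05-01T10:00:03Z user=operator src=10.20.0.15 action=setpoint_change tag=PUMP1_SPEED old=55 new=60
2024-05-01T10:02:11Z user=admin src=203.0.113.45 action=login method=vnc mfa=no
2024-05-01T10:02:40Z user=admin src=203.0.113.45 action=setpoint_change tag=PUMP1_SPEED old=60 new=100
2024-05-01T10:02:55Z user=admin src=203.0.113.45 action=setpoint_change tag=BLOWER2_RPM old=1800 new=3000
2024-05-01T10:03:10Z user=admin src=203.0.113.45 action=alarm_disable tag=TANK1_HIGH
2024-05-01T10:03:30Z user=admin src=203.0.113.45 action=password_change target=admin
2024-05-01T10:05:00Z user=operator src=10.20.0.15 action=setpoint_change tag=TANK1_LEVEL_SP old=60 new=65
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_external(ip_text):
    """True when the source address is outside the constructed plant ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in PLANT_NETWORKS)


def evaluate(ev):
    """Apply one rule per element of the observed manipulation pattern."""
    out = []
    action = ev.get("action")
    if action == "login":
        if is_external(ev["src"]):
            out.append(Finding(ev["ts"], ev["user"], "login_from_external_address",
                               f"src={ev['src']} method={ev.get('method')}"))
        if ev.get("mfa") != "yes":
            out.append(Finding(ev["ts"], ev["user"], "login_without_mfa",
                               f"method={ev.get('method')}"))
    elif action == "setpoint_change":
        _, hi = TAG_LIMITS.get(ev["tag"], (None, None))
        if hi is not None and float(ev["new"]) >= hi:
            out.append(Finding(ev["ts"], ev["user"], "setpoint_maxed",
                               f"{ev['tag']} set to {ev['new']} (limit {hi})"))
    elif action == "alarm_disable":
        out.append(Finding(ev["ts"], ev["user"], "alarm_disabled", ev.get("tag", "")))
    elif action == "password_change" and ev.get("target") == "admin":
        out.append(Finding(ev["ts"], ev["user"], "admin_password_changed",
                           "operators may be locked out"))
    return out


def detect(log_text):
    """Run every non-empty line through the rules and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(evaluate(parse_line(line)))
    return findings


def count_by_user(findings):
    """How many pattern elements each account triggered; one account hitting
    several is the signal an operator would escalate on."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<9} {f.rule:<28} {f.detail}")
    print(count_by_user(detect(SAMPLE_LOG)))
```

Each rule on its own is noisy (an operator legitimately changes set points all day); the useful signal is one account, reached from outside the plant ranges without MFA, triggering several rules within minutes, which is what `count_by_user` surfaces.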

“Historically, these hacktivists have been known to exaggerate their capabilities and impacts to targets. Since 2022, they have claimed on social media to have conducted cyber operations (such as distributed denial of service, data leaks, and data wiping) against a variety of North American and international organizations,” the report reads.


Authorities in the joint advisory listed many mitigations to protect against pro-Russian hacktivists. Network defenders should harden remote access to the industrial interfaces, strengthen security posture, and limit adversarial use of common vulnerabilities by reducing risk exposure.
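The three immediate actions the advisory asks operators to take (change default passwords, limit internet exposure of OT devices, require MFA for access to the OT network) can be checked against an asset inventory rather than from memory. The following is an added example, not code from the advisory or from any of the agencies: it audits a constructed inventory of hypothetical devices, comparing credential hashes against a constructed list of generic factory defaults (a real audit would load the documented defaults for each model), and reports which of the three controls each device is missing.

```python
"""Added example: audit a constructed OT asset inventory against the advisory's
three immediate actions. Device names, credential hashes, port lists and the
default-credential list are all constructed for this example."""
import hashlib


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed generic defaults; a real audit uses the vendor defaults for the
# models actually deployed. Hashes are compared so plaintext never sits in
# the inventory.
KNOWN_DEFAULT_CREDENTIALS = ["admin", "password", "1234", "default"]
KNOWN_DEFAULT_HASHES = {sha256_hex(p) for p in KNOWN_DEFAULT_CREDENTIALS}

# Remote-access services that should not be reachable from the internet.
# VNC on 5900 is the one the advisory names; the web HMI ports are assumed.
REMOTE_ACCESS_PORTS = {5900: "vnc", 80: "http-hmi", 443: "https-hmi"}

# Constructed inventory. "mfa" records whether the remote-access path to the
# device (VPN or jump host) enforces multifactor authentication.
INVENTORY = [
    {"name": "wwtp-hmi-01", "kind": "HMI", "cred_sha256": sha256_hex("admin"),
     "internet_reachable_ports": [5900], "mfa": False},
    {"name": "wwtp-plc-03", "kind": "PLC", "cred_sha256": sha256_hex("Xk9!vL2#qR7mT"),
     "internet_reachable_ports": [], "mfa": False},
    {"name": "dam-hmi-02", "kind": "HMI", "cred_sha256": sha256_hex("Long-Site-Specific-Pass-2024"),
     "internet_reachable_ports": [443], "mfa": True},
]


def audit_device(device):
    """Return (severity, message) findings for one inventory entry."""
    findings = []
    # Action 1: no factory-default credentials.
    if device["cred_sha256"] in KNOWN_DEFAULT_HASHES:
        findings.append(("critical", "factory-default credential still in use"))
    # Action 2: no OT service exposed to the internet.
    for port in device["internet_reachable_ports"]:
        service = REMOTE_ACCESS_PORTS.get(port, f"tcp/{port}")
        findings.append(("high", f"{service} reachable from the internet"))
    # Action 3: MFA on every remote-access path; worse when the device is exposed.
    if not device["mfa"]:
        severity = "high" if device["internet_reachable_ports"] else "medium"
        findings.append((severity, "remote access without multifactor authentication"))
    return findings


def audit_inventory(inventory):
    """Map each device name to its list of findings (empty list = compliant)."""
    return {d["name"]: audit_device(d) for d in inventory}


def devices_needing_action(inventory, min_severity="high"):
    """Names of devices with at least one finding at or above min_severity."""
    rank = {"medium": 1, "high": 2, "critical": 3}
    threshold = rank[min_severity]
    return sorted(
        name for name, findings in audit_inventory(inventory).items()
        if any(rank[sev] >= threshold for sev, _ in findings)
    )


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "ok" if not findings else "; ".join(f"[{s}] {m}" for s, m in findings)
        print(f"{name:<12} {status}")
    print("act now:", devices_needing_action(INVENTORY))
```

Running it over the constructed inventory ranks the internet-exposed HMI still using its default credential first, which mirrors the access path the advisory describes: exposed VNC plus a factory password and no second factor.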

OT device manufacturers are expected to eliminate default passwords and require strong ones, mandate multifactor authentication for privileged users, include logging features at no additional charge, and list all the software components that are included in a system.

“By using secure by design tactics, software manufacturers can make their product lines secure ‘out of the box’ without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates,” the report said.

The full advisory, prepared by CISA, the FBI, the National Security Agency (NSA), the Environmental Protection Agency (EPA), the Department of Energy, and other authorities, can be found here.