Agencies Warn of Pro-Russia Hackers Targeting OT Control Systems

Multiple U.S. and allied cybersecurity agencies are sounding the alarm over an ongoing campaign by pro-Russia hacktivist groups to target and compromise operational technology (OT) systems across critical infrastructure sectors in North America and Europe.

According to a new joint cybersecurity alert, the hacktivists have been observed gaining remote access to small-scale industrial control systems used in water/wastewater, dams, energy, and food and agriculture by exploiting internet-exposed human-machine interfaces (HMIs) and using default or weak passwords.

The fact sheet is being distributed through a partnership of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom's National Cyber Security Centre (NCSC-UK).

While the intrusions so far have largely caused nuisance impacts like manipulating equipment settings, the alert warns that hackers potentially have capabilities to pose major physical threats to insecure OT environments they access.

"The increase of attacks on critical assets and infrastructure is requiring the cybersecurity profession to draw a stronger connection between commercial business and national security," said Henryk Ciejek, VP of Information Security at PayScale. "As the commercial business world provides increasing technology support to local and national infrastructure, the scope of security expands beyond general commercial terms and underscores the importance of well established security vetting processes for both the vendors and government bodies."

Some key examples of confirmed activity from early 2024 include pro-Russia groups remotely accessing HMIs at water treatment facilities to max out pump settings, disable alarms, and change passwords to lock out operators—leading to minor spills in some cases.

To defend against this ongoing campaign, the cybersecurity agencies are urging critical infrastructure organizations to urgently implement several risk mitigation measures, such as:

• Limiting internet exposure of OT systems and using firewalls/VPNs to restrict remote access
• Enabling multi-factor authentication for all OT network access
• Changing all default passwords to strong, unique credentials
• Keeping software like VNC clients patched and updated (particularly remote access)
• Creating allowlists limiting HMI access to authorized IPs
• Ensuring ability to manually operate OT systems if compromised

The agencies also called on OT device manufacturers to build more secure products by design, eliminating issues like default passwords that are widely exploited by hackers.

Ciejek suggested it would behoove cybersecurity teams to "work closely with and install up-to-date patching and updates as provided by vendors."

From the alert, the partnering agencies recommend network defenders strengthen their security postures with these suggestions:

• Integrate cybersecurity considerations into the conception, design, development, and operation of OT systems.
• Practice and maintain the ability to operate systems manually [CPG 5.A].
• Check the integrity of PLC ladder logic or other PLC programming languages and diagrams and check for any unauthorized modifications to ensure correct operation.
• Update and safeguard network diagrams to reflect both the IT and OT networks [CPG 2.P].
• Be aware of cyber/physical-enabled threats. Take inventory and determine the end-of-life status of all HMIs [CPG 1.A].
• Implement software and hardware limits to the manipulation of physical processes, limiting the impact of a successful compromise.

For OT device manufacturers, the alert's recommendations are straightforward:

• Eliminate default and require strong passwords.
• Mandate multifactor authentication for privileged users.
• Include logging at no additional charge.
• Publish Software Bills of Materials (SBOM).

While the hacktivists may overstate impacts, the alert underscores the escalating physical threat cyberattackers motivated by the Russia-Ukraine war could pose to essential services if OT security practices are not shored up across sectors like water, energy, and food production.