Pro-Russia hacktivists attacking vital tech in water and other sectors, agencies say

Pro-Russia hacktivists are compromising technology that keeps facilities safe and operational in the water, wastewater, energy, dam, food and agriculture sectors, federal and international agencies said in an advisory released Wednesday.

The hacks exploited common weaknesses in cyber defenses, the agencies said, and in some cases the attacks pose physical threats.

The advisory, focused on hacktivist activity in those sectors in North America and Europe, provides guidance on defending operational technology (OT) devices and industrial control systems (ICS), which are involved in the maintenance, monitoring or controlling of industrial processes.

“The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” according to the agencies. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”

The hacktivists have carried out disruptions “causing water pumps and blower equipment to exceed their normal operating parameters,” and “in each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords.”

“Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations,” the advisory continued.

One such case of an overflow where Russian hacktivists claimed credit was in Muleshoe, Texas. Mandiant said in a recent report that a Russian military intelligence operation, Sandworm, is suspected of controlling that group.

The agencies suggested that organizations immediately change all default passwords of OT devices to those with strong unique passwords; limit the exposure of OT systems on the internet; and implement multi-factor authentication.

“We also know, however, that many of the organizations being affected by this activity lack significant resources and they struggle to implement, in many cases, even basic cybersecurity measures,” Eric Goldstein, the executive assistant director of cybersecurity at the Cybersecurity and Infrastructure Security Agency, told reporters in an afternoon call. 

“So we are also calling upon every vendor of technology products used for our nation’s operational technology and industrial control systems to deploy, as a default, the appropriate security controls to minimize the likelihood of this kind of activity,” he said, such as configuring systems so users must override factory default passwords upon installation.

The advisory was produced by CISA, Federal Bureau of Investigation, National Security Agency, Environmental Protection Agency, Department of Energy, Department of Agriculture, Food and Drug Administration, Multi-State Information Sharing and Analysis Center, Canadian Centre for Cyber Security and the United Kingdom’s National Cyber Security Centre.

CNN first reported on the then-forthcoming advisory.

Goldstein would not name any of the hacktivists groups described in the advisory. He said the U.S. government was not making a connection at this time between Sandworm and the hacktivist activity from the alert, but that it was conducting ongoing analysis to understand the threat as it evolves.

This story was updated May 1, 2024, with comments from CISA’s Eric Goldstein.