
Passthrough – (TLP:CLEAR) Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity

Created: Thursday, May 2, 2024 - 14:50
Categories:
Cybersecurity, OT-ICS Security, Federal & State Resources

Yesterday, CISA, a cadre of U.S. federal and international agencies, and multiple ISACs (including WaterISAC) released a joint fact sheet titled “Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity.” The purpose of the fact sheet is to highlight, and help organizations safeguard against, the continued malicious cyber activity conducted by pro-Russia hacktivists against operational technology (OT) devices, notably attacks against small water and wastewater systems in North America and Europe.

WaterISAC is sharing this fact sheet to emphasize and amplify its message so water and wastewater utilities understand the larger threat picture and for OT operators to apply the recommendations listed in the Mitigations section of the fact sheet to defend against this activity. Likewise, utilities may need to forward this information to systems integrators or other technology or cybersecurity support to assist.

Executive Overview

As WaterISAC has reported regularly in recent weeks about the ongoing threat, this effort comes as pro-Russia hacktivists have targeted and compromised the OT of small North American and European Water and Wastewater Systems (WWS). These hacktivists seek to compromise modular, internet-exposed industrial control systems (ICS) through software components, such as human machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords.

The fact sheet includes mitigations and actions that the authoring agencies urge OT operators and administrators to apply as soon as possible. Please review the fact sheet to implement any mitigation measures to protect against and detect this activity.

Why This is Important

This malicious activity has been observed since 2022 and as recently as April 2024. WWS victims have experienced limited physical disruptions from an unauthorized user, specifically pro-Russia hacktivists, remotely manipulating HMIs and causing water pumps and blower equipment to exceed normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.
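
The manipulation pattern described above (set points pushed outside their operating envelope, alarms disabled, administrative password changed from a remote session) is something an HMI audit log can be screened for. The following is an added example, not code from the fact sheet or from WaterISAC: the log format, field names, tag names, operating limits, trusted jump-host address and the sample log lines are all constructed assumptions, since real HMIs log in vendor-specific formats.

```python
"""Screen HMI audit-log lines for the manipulation pattern described in the
fact sheet summary. Added example; the log format and all values are assumed."""
import re
from dataclasses import dataclass

# Assumed (hypothetical) HMI audit-log line format:
# <timestamp> src=<ip> session=<id> event=<type> [tag=<name>] [old=<v>] [new=<v>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) session=(?P<session>\S+) event=(?P<event>\S+)"
    r"(?: tag=(?P<tag>\S+))?(?: old=(?P<old>\S+))?(?: new=(?P<new>\S+))?$"
)

# Normal operating envelope per set-point tag (assumed values for the example).
LIMITS = {"pump1_speed_sp": (0.0, 80.0), "blower1_sp": (0.0, 60.0)}

# Addresses from which administrative changes are expected (assumed jump host).
TRUSTED_SOURCES = {"10.0.5.20"}

# Constructed sample log: one remote session showing the full pattern, and one
# routine in-range change from the trusted host.
SAMPLE_LOG = [
    "2024-04-10T02:14:03Z src=203.0.113.45 session=s17 event=login",
    "2024-04-10T02:15:10Z src=203.0.113.45 session=s17 event=setpoint_change tag=pump1_speed_sp old=55 new=100",
    "2024-04-10T02:15:42Z src=203.0.113.45 session=s17 event=alarm_disable tag=high_level_alarm",
    "2024-04-10T02:16:05Z src=203.0.113.45 session=s17 event=admin_password_change",
    "2024-04-10T08:30:00Z src=10.0.5.20 session=s18 event=setpoint_change tag=blower1_sp old=40 new=45",
]


@dataclass
class Finding:
    ts: str
    session: str
    src: str
    kind: str    # "setpoint_out_of_range", "alarm_disabled", "remote_admin_password_change"
    detail: str


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec):
    """Return (kind, detail) if the record is suspicious, else None."""
    ev = rec["event"]
    if ev == "setpoint_change":
        lo, hi = LIMITS.get(rec["tag"], (None, None))
        if hi is not None:
            new = float(rec["new"])
            if new < lo or new > hi:
                return ("setpoint_out_of_range",
                        f"{rec['tag']} set to {new}, envelope is {lo}-{hi}")
    elif ev == "alarm_disable":
        return ("alarm_disabled", f"alarm {rec['tag']} disabled")
    elif ev == "admin_password_change" and rec["src"] not in TRUSTED_SOURCES:
        return ("remote_admin_password_change",
                f"administrative password changed from untrusted source {rec['src']}")
    return None


def analyze(lines):
    """Run every parsable line through evaluate() and collect the findings."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hit = evaluate(rec)
        if hit:
            findings.append(Finding(rec["ts"], rec["session"], rec["src"], *hit))
    return findings


def sessions_matching_pattern(findings, min_kinds=2):
    """Sessions showing at least min_kinds distinct suspicious behaviours.
    A single out-of-range change may be an operator error; several kinds in
    one remote session is the pattern described in the fact sheet."""
    kinds_by_session = {}
    for f in findings:
        kinds_by_session.setdefault(f.session, set()).add(f.kind)
    return sorted(s for s, k in kinds_by_session.items() if len(k) >= min_kinds)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f.ts, f.session, f.src, f.kind, "-", f.detail)
    print("sessions matching pattern:", sessions_matching_pattern(found))
```

The per-session grouping is the useful part: any one of these events can be legitimate, but an out-of-range set point, a disabled alarm and a password change from the same remote session within minutes is the sequence the victims in the fact sheet experienced, and is what an operator should be paged on.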

Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments. Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.

Actions to Take Today

  • Immediately change all default passwords of OT devices (including PLCs and HMIs) and use strong unique passwords.
  • Limit exposure of OT systems to the internet.
  • Implement multifactor authentication for all access to the OT network.
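
One way to turn the three actions above into a repeatable check against an asset register, as an added example that is not part of the fact sheet or of WaterISAC's page. The inventory, its field names, the patch-age threshold and the device names are constructed assumptions; the point is that each finding maps back to one of the listed actions so the output reads as a to-do list for the utility or its integrator.

```python
"""Audit an OT asset inventory against the three 'Actions to Take Today'.
Added example; inventory fields, devices and the policy threshold are assumed."""
from datetime import date

# Constructed inventory. A real one would be exported from the asset register.
INVENTORY = [
    {"name": "hmi-lift-station-3", "kind": "HMI", "remote_access": "vnc",
     "reachable_from": "internet", "default_password_changed": False,
     "mfa": False, "last_patched": date(2021, 6, 1)},
    {"name": "plc-chlorinator-1", "kind": "PLC", "remote_access": "none",
     "reachable_from": "ot_lan", "default_password_changed": True,
     "mfa": False, "last_patched": date(2024, 1, 15)},
    {"name": "hmi-booster-2", "kind": "HMI", "remote_access": "vnc",
     "reachable_from": "vpn", "default_password_changed": False,
     "mfa": True, "last_patched": date(2024, 4, 20)},
    {"name": "hmi-main-plant", "kind": "HMI", "remote_access": "vnc",
     "reachable_from": "vpn", "default_password_changed": True,
     "mfa": True, "last_patched": date(2024, 3, 10)},
]

MAX_PATCH_AGE_DAYS = 180  # assumed policy window for remote-access software


def audit_device(dev, today):
    """Return the list of (action, issue) pairs that apply to one device."""
    issues = []
    if not dev["default_password_changed"]:
        issues.append(("change default passwords", "default password still in use"))
    if dev["reachable_from"] == "internet":
        issues.append(("limit internet exposure", "reachable directly from the internet"))
    if dev["remote_access"] != "none" and not dev["mfa"]:
        issues.append(("implement MFA", "remote access without multifactor authentication"))
    if dev["remote_access"] != "none" and (today - dev["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        issues.append(("limit internet exposure",
                       f"remote access software not patched in {MAX_PATCH_AGE_DAYS} days"))
    return issues


def audit(inventory, today):
    """Map device name -> issues, for devices that have at least one issue."""
    report = {}
    for dev in inventory:
        issues = audit_device(dev, today)
        if issues:
            report[dev["name"]] = issues
    return report


def worst_first(report):
    """Device names ordered by number of issues, internet-reachable ones
    winning ties (they are the ones the hacktivists actually reached)."""
    def key(name):
        issues = report[name]
        exposed = any("internet" in issue for _, issue in issues)
        return (-len(issues), not exposed, name)
    return sorted(report, key=key)


def by_action(report):
    """Group device names under the fact-sheet action that fixes them."""
    grouped = {}
    for name, issues in report.items():
        for action, _ in issues:
            grouped.setdefault(action, set()).add(name)
    return {a: sorted(n) for a, n in sorted(grouped.items())}


if __name__ == "__main__":
    rep = audit(INVENTORY, date.today())
    for name in worst_first(rep):
        print(name)
        for action, issue in rep[name]:
            print(f"  [{action}] {issue}")
```

A PLC with no remote access path still fails the default-password check if it has one, because the fact sheet's first action covers PLCs as well as HMIs; the MFA and patch-age checks only fire where there is a remote access path to protect.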

Members are encouraged to review the fact sheet for more comprehensive mitigation actions, including additional considerations for hardening HMI remote access and strengthening overall security posture. Access the fact sheet at CISA.
