A recent post by Google Cloud’s Mandiant discusses how the global revival of hacktivism requires increased vigilance from defenders. This increased vigilance includes defenders of the water and wastewater systems sector, which has seen multiple attacks from the modern hacktivist classification of threat actors in recent months.
Mandiant discusses the resurgence of hacktivism as a significant cyber threat, highlighting its evolution and increased sophistication since early 2022. Modern hacktivists exhibit enhanced capabilities in both intrusion and information operations, conducting disruptive attacks, network compromises, and even tampering with physical processes. Likewise, the anonymity provided by hacktivist personas has made them attractive to both state and non-state actors seeking to exert influence, with perhaps an air of plausible deniability, in the cyber domain.
Mandiant states that, while in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations it has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others.
Recent modern hacktivist activity impacting the water and wastewater systems sector includes (but is not limited to):
- Pro-Iranian “Cyber Av3ngers” targeting of unsecured, internet-connected Unitronics PLCs. (WaterISAC reference post: WaterISAC Advisory: (TLP:CLEAR) CISA and Partners Confirm Additional Activity into Exploitation of Unitronics PLCs Across the U.S. Water and Wastewater Sector)
- Sandworm-affiliated “Cyber Army of Russia Reborn” (CARR) and its claims of manipulating U.S. and European critical infrastructure OT assets, including water utilities. (WaterISAC reference post: Incident Awareness – Suspected Sandworm-Affiliated “Hacking” Group Appears to Annoy Another Utility)
Furthermore, as Mandiant suggests, proactive monitoring of hacktivist threats is necessary for defenders to anticipate cyber attacks. In its analysis, Mandiant offers the following observations:
- The increase in frequency and breadth of hacktivism activity over the last two years represents a threat to a wide range of organizations. Even if most attacks do not result in significant impacts, defenders need to proactively filter through the volume of insignificant activity to identify indications of substantive targeting of their organizations and prepare mitigation strategies.
- Hacktivist attacks are often inspired by global events, but they frequently target organizations that do not necessarily play a role in the event itself. Targeting seemingly unrelated organizations allows the actors to claim attacks at a larger scale and to select high-profile targets—such as critical infrastructure or major businesses—in an attempt to increase group prestige and publicity for their attacks. Proactive monitoring enables defenders to identify when an organization or region is generally at higher risk, what events may be a precursor to hacktivist attacks, and when hacktivists have launched campaigns targeting similar industries or organizations.
- The threat is even higher for networks located in regions and industries with lower cybersecurity maturity, where victims are also more likely to face a significant or lasting impact from this activity. In such cases, proactive monitoring plays the same role as other detection mechanisms by allowing organizations to identify and mitigate immediate threats to their networks.
For more, members are highly encouraged to read the full Mandiant analysis: Global Revival of Hacktivism Requires Increased Vigilance from Defenders | Google Cloud