On May 1, 2024, the U.S. government’s cybersecurity agencies, as well as those from other allied nations, issued a warning that pro-Russian hacktivists are targeting operational technology (OT) systems to disrupt critical infrastructure operations.
The warning states that pro-Kremlin hacktivists have been targeting unsecured and misconfigured OT devices since 2022, causing service disruptions. The threat actors mainly abuse internet-exposed VNC (Virtual Network Computing) remote-access services to reach human-machine interfaces (HMIs), then use the HMI to change settings on the underlying industrial control systems (ICS).
To mitigate the risk posed by these activities, the advisory recommends putting HMIs behind firewalls, hardening VNC installations, enabling multifactor authentication, applying the latest security updates, changing default passwords, and improving the overall security posture of the connected IT environment.
While most of these attacks rely on unsophisticated techniques and produce nuisance-level effects, the threat actors are capable of more technical attacks that could pose a physical threat to vulnerable devices. For example, in 2024 the pro-Russian hacktivist group calling itself the Cyber Army of Russia claimed responsibility for attacks on a water treatment plant in Texas that caused a tank to overflow.
Despite the Cyber Army's and other groups' claims to be independent hacktivists, at least one cybersecurity company has linked the group to a unit of Russia's Main Intelligence Directorate (GRU) tracked as APT44 (also known as Sandworm).
Source: Bleeping Computer
Analysis
It is probable that groups like the Cyber Army are sponsored, if not directly tasked, by the Russian Intelligence Services (RIS). Proxies like the Cyber Army let the RIS pursue its strategic objectives while retaining a degree of plausible deniability: the state can claim that these groups are not under its control.
The RIS has a long track record of targeting critical infrastructure. In December 2015, GRU hackers used BlackEnergy malware in a cyberattack on three Ukrainian regional energy distributors that cut power to roughly 230,000 customers. The malware was delivered by spear-phishing messages carrying Microsoft Office (Word and Excel) attachments with malicious macros.
In October 2020, the U.S. Department of the Treasury named and sanctioned a Russian state research center for its involvement in a 2017 cyberattack on a Saudi petrochemical plant. The malware, dubbed TRISIS (also known as TRITON), was initially deployed through phishing and, once inside the plant network, targeted the facility's Triconex safety instrumented system (SIS) controllers. The attackers' attempt tripped the controllers into a fail-safe state, which is what shut the facility down automatically and, fortunately, prevented the malware's full functionality from being deployed.
Mitigation
Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats from advanced cyber actors such as APT44 and APT28. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activity are detected in their environment and are encouraged to review these AROs (actions, recommendations and observations) as quickly as possible via the Field Effect MDR Portal.
Given that ICS are popular targets for hackers, and the vital importance of the industrial processes they control, it is critical to ensure that these systems are patched and regularly audited for vulnerabilities, misconfigurations, rogue user accounts, and other signs of compromise. It is also vital that ICS are not exposed to the internet unless there is a legitimate business need to do so, and only after proper controls (IP allowlisting, MFA, firewalls, etc.) are put in place.
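The advisory's core finding is HMIs reachable over VNC with weak or no authentication, and the audit advice above amounts to finding those hosts before the hacktivists do. The script below, an added example that is not part of the advisory or Field Effect's tooling, speaks just enough of the RFB protocol (RFC 6143) to learn which security types a VNC server offers and flags the two dangerous cases: security type None (no password at all) and classic VNC Authentication with no TLS/VeNCrypt option (a DES challenge on an 8-character key over a cleartext session). It never proceeds past the security-type list, so it does not log in or touch the HMI. The host names, ports and the in-process mock server are constructed for the demonstration; point `probe()` at your own OT subnet from an authorized scanning host.

```python
"""Probe a VNC (RFB) server for the misconfigurations the advisory describes.
Added example; not code from the advisory or from Field Effect."""
import socket
import struct
import threading

# Security type numbers from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
    16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer hangs up mid-handshake."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def parse_version(banner):
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[11:12] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, data):
    """RFB 3.7+ sends u8 count followed by that many u8 types; RFB 3.3 sends one u32 type.
    A count (or type) of zero means the server refused us and a u32-length reason follows."""
    if version >= (3, 7):
        if not data:
            raise ValueError("empty security-type message")
        count = data[0]
        if count == 0:
            (length,) = struct.unpack(">I", data[1:5])
            raise ConnectionError(data[5:5 + length].decode("latin-1", "replace"))
        return list(data[1:1 + count])
    (stype,) = struct.unpack(">I", data[:4])
    if stype == 0:
        (length,) = struct.unpack(">I", data[4:8])
        raise ConnectionError(data[8:8 + length].decode("latin-1", "replace"))
    return [stype]


def assess(types):
    """Turn the offered security types into findings. Only the two clear-cut cases
    are flagged; types such as Tight (16) wrap their own sub-auth and need a deeper look."""
    findings = []
    if 1 in types:
        findings.append("CRITICAL: security type None offered; anyone who can reach the port owns the HMI session")
    if 2 in types and not ({18, 19} & set(types)):
        findings.append("HIGH: only classic VNC Authentication (DES challenge, 8-char key, cleartext session)")
    if not findings:
        findings.append("OK: no unauthenticated or cleartext-only security type offered")
    return findings


def probe(host, port, timeout=5.0):
    """Complete the version exchange, read the security-type list, and stop there."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(recv_exact(s, 12))
        # Echo the server's version if we implement it, otherwise ask for 3.8.
        reply = version if version in ((3, 3), (3, 7), (3, 8)) else (3, 8)
        s.sendall(b"RFB %03d.%03d\n" % reply)
        return parse_security_types(reply, s.recv(256))


def start_mock_server(banner, security_reply):
    """Constructed test double standing in for an HMI's VNC service; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)          # server ProtocolVersion
            recv_exact(conn, 12)          # client ProtocolVersion
            conn.sendall(security_reply)  # security-type message
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against a local double that offers None and VNC Authentication (RFB 3.8).
    port = start_mock_server(b"RFB 003.008\n", b"\x02\x01\x02")
    offered = probe("127.0.0.1", port)
    print("offered:", [SECURITY_TYPES.get(t, str(t)) for t in offered])
    for line in assess(offered):
        print(line)
```

Run it as a loop over your HMI inventory on TCP 5900-5910 and treat any CRITICAL or HIGH result as an item for the firewall and VNC-hardening work the advisory calls for; a server that refuses the connection with a reason string (raised as `ConnectionError`) is usually one that already restricts clients by IP, which is the desired end state.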