The UK’s National Cyber Security Centre (NCSC) and US partner the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about the evolving threat from Russia-backed hacktivist threat actors targeting critical national infrastructure (CNI), after a number of American utilities were attacked.
The NCSC has previously warned over the growth in mercenary activity by Russia-supporting groups acting on ideological grounds – these are not necessarily the threat groups rejoicing in names such as Cozy Bear that are officially backed by the Kremlin, rather more technically unsophisticated groups acting of their own accord.
As of early 2024, such groups have been seen targeting vulnerable, small-scale industrial control systems in both Europe and North America, and this has resulted in some physical disruption in the US.
Specifically, several American water and wastewater systems victims saw water pumps and blower equipment briefly exceed their operating parameters, and some experienced tank overflow events, after their human-machine interfaces (HMIs) were hacked.
In these attacks, the hacktivists maxed out set points, altered other settings, switched off alarms and alerts, and changed admin passwords to lock out the operators.
They used a variety of techniques to obtain access to the system, chiefly exploiting various elements of the virtual network computing (VNC) protocol.
“There continues to be a heightened threat from state-aligned actors to operational technology (OT) operators,” said the NCSC. “The NCSC urges all OT owners and operators, including UK essential service providers, to follow the recommended mitigation advice now to harden their defences.”
Hacktivist or mercenary groups may be unsophisticated in the scope of their cyber attacks, but they are considered particularly dangerous because they are not subject to direct oversight from Russian intelligence agencies, therefore their actions may be less constrained, their targeting broader, and their impact more disruptive and less predictable.
Their attacks have generally focused on distributed denial of service attacks, website defacement and misinformation, but many groups are now openly stating they want to go further and achieve a more disruptive, even destructive, impact on CNI organisations.
“We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected,” said the NCSC.
“Without external assistance, we consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term. But they may become more effective over time, and so the NCSC is recommending that organisations act now to manage the risk against successful future attacks.”
Next steps for defenders
The NCSC is recommending CNI operators refresh their cyber security postures immediately, in particular following its advice on secure system administration. It has also resurfaced its Cyber Assessment Framework guidelines to help utilities and others better identify areas for improvement.
In the US, CISA has additionally published guidance on defending operational technology from hacktivists. As an immediate step, CNI operators should harden remote access to their HMIs, disconnecting them from the public-facing internet and implementing next-gen firewalls and/or virtual private networks if remote access is genuinely needed, hardening credentials and access policies, keeping VNC updated and establishing an allowlist to permit only authorised device IP address to access the systems.