Global cybersecurity agencies issue alert on threat to OT systems from pro-Russia hacktivist activity

Global cybersecurity agencies issue a critical alert regarding the immediate threat to operational technology (OT) systems posed by ongoing hacktivist activity linked to pro-Russia entities. While the hacktivist activity primarily involves unsophisticated techniques that disrupt ICS (industrial control systems) equipment to create nuisance effects, investigations have revealed that these actors are capable of employing techniques that could pose physical threats to insecure and misconfigured OT environments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), U.S. Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) have collaborated to provide information and mitigations related to cyber operations conducted by pro-Russia hacktivists targeting ICS and small-scale OT systems in critical infrastructure sectors across North America and Europe. These sectors include water and wastewater systems, dams, energy, and food and agriculture.

The agencies have released the fact sheet to share insights and mitigation strategies concerning this malicious activity observed since 2022 and as recently as April of this year. They further detail that the hacktivists have sought to compromise modular, internet-exposed ICS through their software components, such as human machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords. 

The fact sheet also noted that several HMIs compromised by these hacktivists were unsupported legacy, foreign-manufactured devices rebranded as U.S. devices. 

“This year we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems,” Dave Luber, NSA’s director of cybersecurity, said in a media statement. “NSA highly recommends critical infrastructure organizations’ OT administrators implement the mitigations outlined in this report, especially changing any default passwords, to improve their cybersecurity posture and reduce their system’s vulnerability to this type of targeting.”

“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” the fact sheet identified. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments. Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.”

These hacktivists have, historically, been known to exaggerate their capabilities and impacts on targets. Since 2022, they have claimed on social media to have conducted cyber operations (such as distributed denial of service, data leaks, and data wiping) against a variety of North American and international organizations. Based on victim incident reporting, this activity has caused limited disruption to operations.

Early this year, the authoring organizations observed pro-Russia hacktivists targeting vulnerable industrial control systems in North America and Europe. CISA and the FBI have responded to several U.S.-based WWS victims who experienced limited physical disruptions from an unauthorized user remotely manipulating HMIs. Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. 

In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.

The agencies disclosed in the fact sheet that they have observed pro-Russia hacktivists using a variety of techniques to gain remote access to HMIs and make changes to the underlying OT. These include using the VNC protocol, which provides remote access to graphical user interfaces, including the HMIs that control OT systems; leveraging the VNC Remote Frame Buffer (RFB) protocol to log into HMIs; and connecting to VNC over port 5900 using default credentials and weak passwords on accounts not protected by multifactor authentication.

The fact sheet called upon critical infrastructure organizations to implement mitigations that align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. 

Pro-Russian hacktivists have exploited cybersecurity weaknesses, including poor password security and exposure to the internet. To safeguard against this threat, the fact sheet called upon critical infrastructure organizations to harden HMI remote access by disconnecting all HMIs from the public-facing internet. If remote access is necessary, implement a firewall and/or virtual private network (VPN) with a strong password and multifactor authentication to control device access. It also called for implementing multi-factor authentication for all access to the OT network; changing all default and weak passwords on HMIs and using a strong, unique password; and keeping the VNC updated with the latest version available and ensuring all systems and software are up to date with patches and necessary security updates.

The agencies also suggest establishing an allowlist that permits only authorized device IP addresses; and logging remote logins to HMIs, taking note of any failed attempts and unusual times. 
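The two mitigations above, an IP allowlist for HMI access and logging of remote logins with attention to failed attempts and unusual times, can be turned into simple detection logic. The following is an added example written for this article, not code from the fact sheet or any agency; the log line format, the allowlisted network, the working-hours window and the default account names are all constructed assumptions.

```python
"""Detection logic for remote HMI access over VNC (port 5900).

Flags logins from sources outside an allowlist, repeated failed attempts,
logins outside working hours, and successful logins with default account
names. Added example; the log format and all constants are assumptions.
"""
from datetime import datetime, time
import ipaddress
import re

# Constructed log format (assumption):
#   <ISO timestamp> src=<ip> dst=<ip>:<port> proto=<name> result=<ok|fail> [user=<name>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:]+):(?P<port>\d+) "
    r"proto=(?P<proto>\w+) result=(?P<result>ok|fail)(?: user=(?P<user>\S+))?$"
)

# Assumed allowlist: the engineering workstation subnet permitted to reach HMIs.
ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
# Assumed operator working hours; logins outside them count as "unusual times".
WORK_START, WORK_END = time(6, 0), time(18, 0)
VNC_PORT = 5900
# Factory-default account names abused per the fact sheet; the list is assumed.
DEFAULT_USERS = {"admin", "administrator", "root", "operator"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    return rec


def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def is_unusual_time(ts):
    return not (WORK_START <= ts.time() <= WORK_END)


def analyze(lines, fail_threshold=3):
    """Return a list of findings for VNC connections to the HMI port."""
    findings = []
    fails_by_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "vnc" or rec["port"] != VNC_PORT:
            continue
        src = rec["src"]
        reasons = []
        if not is_allowed_source(src):
            reasons.append("source not in allowlist")
        if is_unusual_time(rec["ts"]):
            reasons.append("login outside working hours")
        if rec["result"] == "fail":
            fails_by_src[src] = fails_by_src.get(src, 0) + 1
            if fails_by_src[src] >= fail_threshold:
                reasons.append(f"{fails_by_src[src]} failed logins from source")
        elif rec["user"] in DEFAULT_USERS:
            reasons.append("successful login with default account name")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "src": src,
                             "dst": rec["dst"], "result": rec["result"],
                             "reasons": reasons})
    return findings


# Constructed sample log: one legitimate login, a burst of failures followed by
# a success from an outside address at night, and an unrelated SSH line.
SAMPLE_LOG = """\
2024-04-02T09:15:00 src=10.10.5.21 dst=10.20.0.7:5900 proto=vnc result=ok user=eng1
2024-04-02T23:41:10 src=203.0.113.45 dst=10.20.0.7:5900 proto=vnc result=fail user=admin
2024-04-02T23:41:15 src=203.0.113.45 dst=10.20.0.7:5900 proto=vnc result=fail user=admin
2024-04-02T23:41:19 src=203.0.113.45 dst=10.20.0.7:5900 proto=vnc result=fail user=admin
2024-04-02T23:41:30 src=203.0.113.45 dst=10.20.0.7:5900 proto=vnc result=ok user=admin
2024-04-02T10:00:00 src=10.10.5.22 dst=10.20.0.7:22 proto=ssh result=ok user=eng2
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the legitimate daytime login from the allowlisted subnet produces nothing, while each of the four night-time VNC events from the outside address is reported, with the third failure crossing the threshold and the final success flagged for using a default account name.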

Focusing on strengthening security posture, the fact sheet called upon organizations to integrate cybersecurity considerations into the conception, design, development, and operation of OT systems; practice and maintain the ability to operate systems manually; create backups of the engineering logic, configurations, and firmware of HMIs to enable fast recovery; check the integrity of PLC ladder logic or other PLC programming languages and diagrams and check for any unauthorized modifications to ensure correct operation; and update and safeguard network diagrams to reflect both the IT and OT networks. 
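Two of the practices above, keeping backups of HMI configurations and PLC logic and checking them for unauthorized modifications, fit together as an integrity baseline. The script below is an added example written for this article, not the fact sheet's or any vendor's tooling; it hashes a known-good export set, stores the digests, and later reports changed, added and missing files. The file names and contents in the demo are constructed.

```python
"""Integrity baseline for HMI/PLC configuration backups.

Records SHA-256 digests of a known-good backup set, then compares a later
export against it to surface unauthorized changes. Added example; the demo
files and contents are constructed for illustration.
"""
import hashlib
import json
from pathlib import Path
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large firmware or logic exports fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (as a relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    # In practice this file belongs on separate, write-protected storage.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return files whose digest changed, files added, and files missing."""
    changed = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(f for f in current if f not in baseline)
    missing = sorted(f for f in baseline if f not in current)
    return {"changed": changed, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a backup set, then alter an HMI config."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc1").mkdir()
        (root / "plc1" / "ladder_export.txt").write_text("rung1: pump_start\n")
        (root / "hmi1.cfg").write_text("alarm_enabled=1\nsetpoint_max=80\n")
        save_baseline(build_baseline(root), root / "baseline.json")

        # Simulated unauthorized change: alarms disabled, set point raised,
        # plus an unexpected file appearing in the backup set.
        (root / "hmi1.cfg").write_text("alarm_enabled=0\nsetpoint_max=150\n")
        (root / "unknown.bin").write_bytes(b"\x00")

        current = build_baseline(root)
        current.pop("baseline.json", None)  # the baseline itself is not a backup file
        return compare(load_baseline(root / "baseline.json"), current)


if __name__ == "__main__":
    print(demo())
```

The comparison is deliberately dumb: it says which files differ, not what changed inside them, which is enough to trigger a review of the engineering logic and is cheap to run on a schedule against each fresh export.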

It also recommended that organizations be aware of cyber/physical-enabled threats; take inventory and determine the end-of-life status of all HMIs; and implement software and hardware limits to the manipulation of physical processes, limiting the impact of a successful compromise. 

The fact sheet also advised limiting adversarial use of common vulnerabilities by reducing risk exposure and assessing security posture. 

Although critical infrastructure organizations can take steps to mitigate risks, the fact sheet identifies that ‘it is ultimately the responsibility of the OT device manufacturer to build products that are secure by design and default.’ The agencies urge device manufacturers to take ownership of the security outcomes of their customers in line with previously announced measures. 

It calls upon critical infrastructure organizations to eliminate default passwords and require strong ones. “The use of default credentials is a top weakness that threat actors exploit to gain access to systems. Manufacturers can eliminate this problem at scale through any of the approaches recommended in CISA’s Secure by Design Alert on this topic.”

The fact sheet also calls for multi-factor authentication for privileged users. Changes to engineering logic or configurations are safety-impacting events in critical infrastructure, so any such change should require multi-factor authentication. It also calls for logging to be provided at no additional charge. Change and access control logs allow operators to track safety-impacting events in their critical infrastructure; these logs should be free and use open standard logging formats.

The agencies also call for publishing Software Bills of Materials (SBOMs). Vulnerabilities in underlying software libraries can affect wide swathes of devices. Without an SBOM, it is nearly impossible for a critical infrastructure system owner to measure and mitigate the impact a vulnerability has on their existing systems. By using secure-by-design tactics, software manufacturers can make their product lines secure ‘out of the box’ without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.

Commenting on the fact sheet, Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement, “These are not hacktivists. Rather, they are cyber militias, and their attacks are geared to poisoning the U.S. water supply. Water utilities have never been sufficiently funded for cybersecurity, and now they are on the front lines.”

He added that the U.S. government must endow cybersecurity grants to these critical infrastructures, “as we face a clear and present danger.”

On Tuesday, the U.S. White House announced that President Joe Biden signed a National Security Memorandum (NSM) to enhance the resilience of the nation’s critical infrastructure sector. This action replaces a previous policy document from former President Barack Obama and initiates a comprehensive effort to safeguard U.S. infrastructure against current and future threats. The National Security Memorandum 22 (NSM-22) aims to clarify federal government roles in critical infrastructure security, resilience, and risk management. It focuses on identifying and prioritizing security and resilience based on risk, implementing a coordinated national approach to assess and manage sector-specific and cross-sector risks.
