Mandiant reveals hacktivists increasingly targeting OT systems, raising likelihood of actual and even substantial OT incidents

Threat intelligence firm Mandiant provided on Wednesday a comprehensive analysis of recent activity by hacktivists targeting OT (operational technology) systems, leveraging information from previously undisclosed and known incidents to discuss the potential implications for OT defenders. Awareness about emerging hacktivism trends helps OT defenders to prioritize countermeasures and differentiate state-sponsored fronts leveraging the hacktivism cloak.

For the last several years, Mandiant has tracked various hacktivists’ claims of targeting OT systems, often asserting physical damage as a result. Exacerbated by geopolitical tensions in different regions, such as Russia’s ongoing invasion of Ukraine, these actors have recently intensified their activity, resulting in more frequent claims and new avenues to impact targets.

“In most cases, hacktivists’ claims are exaggerated or unsubstantiated. The number of false claims is at times challenging to debunk,” Mandiant researchers Daniel Kapellmann Zafra, Keith Lunden, and Nathan Brubaker, wrote in a company blog post. “However, despite the inaccuracy of most claims, when hacktivist activity targeting OT becomes commonplace, the likelihood of actual and even substantial OT incidents increases. The risk is higher for organizations that are perceptibly associated with political events or social disputes based on geographic location, nationality, language, or industry of relevance.” 

The researchers said that hacktivism leverages cyber threat activity as a means to convey political or social narratives. “As such, any attempts to inflict damage on a victim may only be a means to this end or one of multiple objectives. Historical hacktivist activity has largely focused on simpler attacks that are intended to get the attention of broad audiences, such as website compromises or denial of service attacks.” 

The shift in hacktivist activity to also target OT can be explained by multiple factors, including the fact that attacks against OT systems are often perceived as impactful, given their potential to damage or modify physical processes. Prioritizing higher-profile targets increases the likelihood that an actor will attract the public’s attention even if they do not damage OT systems or if their compromise results in trivial impacts. Similarly to information operations campaigns, these types of hacktivist claims can also serve to undermine the public’s trust in governments and organizations.

In some cases, targeting OT systems enables hackers to participate and offer support for a cause from distant locations, such as during armed conflicts, Mandiant said. This is illustrated by self-proclaimed hacktivist groups that currently conduct cyber operations in opposition to or favor of the Russian invasion of Ukraine.

The researchers also said that in most cases, Mandiant was not able to fully validate the actors’ claims. “We assess with moderate confidence that hacktivist actors have more often than not, overstated the effects and impact of their attacks. In other cases, it is possible hacktivists provided questionable claims about their independence or non-affiliation with government-sponsored groups,” they added. “Nevertheless, in the majority of the cases, the actors provided evidence of at least being proficient in accessing unidentified internet-exposed OT assets.”

The researchers noted that there are also multiple other cases in which actors targeted IT assets of OT organizations; however, those instances were excluded from the scope of this analysis.

“Self-proclaimed hacktivist cyber operations have also been used in the past to conceal state-sponsored activity and provide nation-states with plausible deniability—enabling states to conduct attacks with a lower risk of repercussions,” the researchers said. “An example is XakNet Team, which Mandiant has assessed with moderate confidence to be operating in coordination with APT28 actors. Given that hacktivist claims are often difficult to verify, nation-states can also use them to conduct false-flag operations.”

Lastly, Mandiant identified that some hacktivists have likely been inspired by prior cyber threat activity, both low-sophistication compromises and high-impact OT-oriented threat activity.

In January this year, the Anonymous-affiliated hacktivist group, GhostSec, claimed on social media to have deployed ransomware to encrypt a Belarusian remote terminal unit (RTU)—a type of OT device for remote monitoring of industrial automation devices. The actors’ stated intention was to demonstrate support for Ukraine in the ongoing Russian invasion. Researchers, OT security professionals, and media outlets analyzed the claims and concluded that the actor overstated the implications of the alleged attack. 

Although there was no significant impact in this particular incident, the event highlights the increasing need for a wider discussion regarding the extent of risk hacktivists pose to OT environments.

In 2022, Mandiant observed a significant increase in the number of instances where hacktivists claimed to target OT. “While we observed activity across different regions, most of these cases were conducted by actors that have mobilized surrounding the Russian invasion of Ukraine. The implication of this is that the increase in hacktivism activity targeting OT may not necessarily become consistent over time. However, it does illustrate that during political, military, or social events, OT defenders face a heightened risk,” the researchers identified.

These risks are also exacerbated by the quick evolution of hacktivist actors that have experimented with new tools and exploits during the war in Ukraine. The information and knowledge about OT compromises, which have been produced and shared during the last year, will likely help reduce the learning curve for different actors interested in targeting OT. This may increase the complexity of low-sophistication compromises even after the end of the war. It is also possible that other more sophisticated actors will copy hacktivist techniques to limit the risk of facing consequences when targeting OT, or to support other types of information operations.

The researchers assessed that the most recent OT-oriented hacktivist activity was allegedly conducted in response to geopolitical events, with the vast majority of that activity targeting Russia as a result of its invasion of Ukraine, as well as targeting Israeli regional policies. These hacktivists often depicted their OT-oriented operations as contributing to militias fighting on behalf of Ukraine or Palestine.

“The most active group we tracked in 2022 was Team OneFist (also known as Joint Cyber Center). Team OneFist issued multiple claims via social media, alleging to conduct attacks against power plants, an airport, uninterruptible power supply (UPS systems), a paper mill, and SCADA systems, among others,” Mandiant identified. “The actor’s promoted narrative suggests the group’s main motivation is to target Russian organizations in support of Ukraine.”

In June 2022, Team OneFist claimed to have disabled a cellular router supporting OT in Russia, the post said. “The actor took advantage of a publicly reported physical incident at a nearby power plant and claimed that it was the result of their operation. However, the primary cause of the outage was reportedly a fire at a different power plant situated nearly 400 miles away.”

Although most messaging associated with hacktivist claims appeared responsive to geopolitical developments, the researchers “observed at least one case where the actor opposed domestic policies in the United States. In July 2022, the threat actor ‘SiegedSec’ targeted U.S.-based IP addresses with exposed ICS ports to protest abortion restrictions in the United States. The attack was part of a broader Anonymous-related hacktivism campaign known as Operation Jane (aka #OpJane).”

Mandiant identified that some hacktivists leverage known OT exploits to target victims’ assets. “Recently, we have observed hacktivist groups leveraging specialized exploits and exploit modules to increase the likelihood of impacting OT devices. Such evolution in hacktivist techniques results both from the existence of an active community sharing knowledge, and the increasing availability of resources shared publicly to interact with OT,” they added. 

For example, in June and July 2022, the groups GhostSec and SiegedSec targeted OT assets in the U.S., Israel, and Russia using OT-oriented exploit modules. The groups leveraged IEC-104 and EtherNet/IP CIP Metasploit modules, and a custom Modbus-based tool dubbed ‘Killbus.’

In other cases, hackers exploited known vulnerabilities to reach their target, according to Mandiant. “For example, in June 2022, pro-Ukraine threat actor Team OneFist targeted a cellular router allegedly supporting OT in Russia by exploiting a known cross-site request forgery (CSRF) vulnerability in the system that leads to remote code execution.” 

Between April and July last year, multiple hacktivist groups targeted ELNet OT assets in Israel, possibly by exploiting a missing authentication vulnerability reported in the assets’ web consoles. “We have not identified evidence indicating formal collaboration between these actors, but it is possible that mutual awareness of each other’s activity prompted interest in reusing similar vulnerabilities to target their victims,” the researchers added.

Mandiant also disclosed that hacktivists share documentation of physical incidents to gain credibility. “In most of the hacktivist claims we tracked, the actors leveraged documentation, such as videos or screenshots, to provide evidence of their actions and gain credibility. Often, the actors shared images of real physical incidents to claim responsibility for the destruction of assets – even if they were not caused by their attacks. This is likely a strategy used by actors to help bring attention to their political and social messaging,” the researchers added.

For example, in July 2022, Iraqi group Altahrea Team claimed it was responsible for a fire at the Orot Yosef power plant in the Negev in southern Israel, according to the post. “The actor shared a video of the fire to illustrate their claim. A couple of days later, GhostSec shared a video of a physical incident at a hydro-power plant in Russia and claimed credit for the incident. The actor noted their recent activity targeting internet-accessible electricity assets in Russia as proof of their claims. In both cases, we found no evidence connecting the hacktivist actions to the physical incidents,” it added.

The researchers also said that some hacktivists emphasize an intent to avoid impacting or endangering human safety. However, there is no evidence to verify their intentions. It is plausible that the hacktivists emphasized safety either because of the perception of OT-oriented attacks as potentially harmful or simply to improve their reputation and gain sympathy from their audiences.

One example was the case of GhostSec in July 2022, which claimed to cause an incident at a power plant in Russia. The actor then claimed the attack was ‘executed with 0 casualties in the actual explosion due to our proper timing while performing our attacks.’

The Mandiant researchers called upon asset owners and operators to maintain situational awareness of trends in hacktivist threat activity targeting OT systems to anticipate potential risks. “We also highlight that most often, hacktivist threat activity can be prevented following common best practices for remote access to critical and internet-accessible systems.”
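The common thread in the activity described above is internet-exposed OT assets reachable on well-known ICS protocol ports (Modbus/TCP, IEC-104, EtherNet/IP CIP). One concrete way for an asset owner to act on the “situational awareness” and remote-access best-practice advice is to audit perimeter firewall logs for connections to those ports from sources outside an approved engineering subnet. The script below is an added example written for this article, not code from Mandiant or from any tool it mentions; the log-line format, the allowlisted subnet `10.20.1.0/24`, and the sample log entries are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Well-known TCP ports of the OT protocols named in the article.
ICS_PORTS = {
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    44818: "EtherNet/IP (CIP explicit messaging)",
}

# Hypothetical allowlist: only the engineering workstation subnet may reach controllers.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]

# Constructed sample firewall log lines (not real traffic). Documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external sources.
SAMPLE_LOG = """\
2022-07-01T10:00:01Z action=ACCEPT src=10.20.1.40 dst=10.20.0.15 proto=tcp dport=502
2022-07-01T10:00:05Z action=ACCEPT src=203.0.113.5 dst=10.20.0.15 proto=tcp dport=502
2022-07-01T10:00:09Z action=DENY src=198.51.100.7 dst=10.20.0.16 proto=tcp dport=2404
2022-07-01T10:00:12Z action=ACCEPT src=198.51.100.7 dst=10.20.0.16 proto=tcp dport=2404
2022-07-01T10:00:15Z action=ACCEPT src=10.20.1.41 dst=10.20.0.20 proto=tcp dport=44818
2022-07-01T10:00:20Z action=ACCEPT src=203.0.113.9 dst=10.20.0.30 proto=tcp dport=443
"""

# Assumed key=value log layout; adjust the pattern to the real firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    protocol: str
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src):
    """True if the source address lies inside an approved engineering subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyze(log_text):
    """Flag every ICS-port connection attempt from a non-allowlisted source.

    Accepted connections are the exposures to fix first; denied ones still
    show that the asset is being probed and are worth tracking.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ICS_PORTS:
            continue
        if is_allowed_source(rec["src"]):
            continue
        reason = (
            "accepted connection from non-allowlisted source"
            if rec["action"] == "ACCEPT"
            else "blocked probe from non-allowlisted source"
        )
        findings.append(
            Finding(rec["ts"], rec["src"], rec["dst"], ICS_PORTS[rec["dport"]], reason)
        )
    return findings


def accepted_exposures(findings):
    """Distinct (destination, protocol) pairs that an outside source actually reached."""
    return sorted({(f.dst, f.protocol) for f in findings if f.reason.startswith("accepted")})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst} [{f.protocol}] {f.reason}")
    print("exposed assets:", accepted_exposures(results))
```

On the constructed log this reports three events: one accepted Modbus/TCP session and one accepted IEC-104 session from external addresses, plus one denied IEC-104 probe; the HTTPS connection and the sessions from the engineering subnet are ignored. The “accepted” entries are exactly the internet-reachable OT assets that the article describes hacktivists locating and interacting with, and are the ones to move behind a VPN or jump host.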

Earlier this year, Forescout Technologies’ Vedere Labs released research on deep lateral movement, looking into how attackers can move between devices and access OT networks at the controller or L1 level. It details how attackers can cross security perimeters in interfaced Basic Process Control Systems (BPCS)/Safety Instrumented Systems (SIS) architectures or perform detailed manipulation of equipment in fieldbus networks nested behind PLCs (Programmable Logic Controllers). The move bypasses functional and safety constraints that would otherwise prohibit cyber-physical attacks with the most serious consequences.
