cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

US warns of pro-Russian activists attacking critical infrastructure OT environments

Pro-Russian hacktivists are reportedly targeting US critical infrastructure operations and water facilities, according to a US government advisory.

user icon Daniel Croft
Fri, 03 May 2024
US warns of pro-Russian activists attacking critical infrastructure OT environments
expand image

The joint advisory was released by a mess of agencies worldwide, including the US FBI, National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), Department of Energy (DOE), the USDA and the Multi-State Information Sharing and Analysis Centre (MS-ISAC), alongside the UK’s National Cyber Security Centre (NCSC) and Canada’s Centre for Cyber Security (CCCS).

According to the advisory, pro-Russian hacktivists are targeting operational technology (OT) devices that are insecure or misconfigured to gain access to critical infrastructure systems and infrastructure and cause issues.

“The authoring organisations are aware of pro-Russia hacktivists targeting and compromising small-scale OT systems in North American and European water and wastewater systems (WWS), dams, energy, and food and agriculture sectors,” said the advisory.


“These hacktivists seek to compromise modular, internet-exposed industrial control systems (ICS) through their software components, such as human-machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords.”

The advisory added that while most of these hacktivists are utilising unsophisticated techniques that create more “nuisance effects” than real damage, investigations have revealed that these threat actors are capable of doing much more damage to these insecure OT environments.

Largely, these threat actors oversell their capabilities, and victim incident reporting has shown that disruption to operations is limited. However, the advisory said that in 2024, disruptions have become more serious.

“In early 2024, the authoring organisations observed pro-Russia hacktivists targeting vulnerable industrial control systems in North America and Europe,” the advisory read.

“CISA and the FBI have responded to several US-based WWS victims who experienced limited physical disruptions from an unauthorised user remotely manipulating HMIs [human-machine interfaces].

“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters.”

The hacktivists reportedly were gaining remote access to these HMIs using a number of techniques, largely utilising virtual network computing (VNC) to control OT systems, such as leveraging its Remote Frame Buffer Protocol to log into HMIs, using VNC over Port 5900 to access HMIs and using weak or default credentials to log in on non-MFA protected accounts and just using VNC Protocol to directly access HMIs.

The document advises that a number of mitigations be implemented, such as protecting against HMI remote access through disconnection, implementation of MFA and more.

The advisory also has recommendations for OT manufacturers themselves, such as requiring stronger details, mandating MFA and including logging without additional charge.

“This year, we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems,” said the NSA’s director of cyber security, Dave Luber, via BleepingComputer.

“NSA highly recommends critical infrastructure organisations’ OT administrators implement the mitigations outlined in this report, especially changing any default passwords, to improve their cyber security posture and reduce their system’s vulnerability to this type of targeting.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.