The Australian Cyber Security Centre and several global allies have released a joint advisory warning that critical infrastructure providers should take steps to protect against pro-Russia hacktivist activity.
According to the advisory, the hacktivists are targeting operational technology using basic and easily deployable methods that can be quickly and widely adopted to enable “escalating frequency of intrusions”.
The attacks infiltrate operational technology control devices via virtual network computing (VNC) connections with minimal security, targeting water and wastewater systems, food and agriculture, and energy.
While the attacks have not yet caused any injury, there is risk that compromised systems could result in employee harm as the groups “demonstrate a lack of consideration for human safety”.
The most common impact so far is a temporary loss of view that requires manual intervention to manage processes, but the advisory warns that “any modifications to programmatic and systematic procedures can still result in damage or disruption, including substantial labor costs from hiring a programmable logic controller programmer to restore operations, costs associated with operational downtime, and potential costs for network remediation.”
The advisory outlines the hacktivists' approach: “These pro-Russia hacktivist groups abuse popular internet-scraping tools, such as Nmap or OPENVAS, to search for visible VNC services and use brute force password spraying tools to access devices via known default or otherwise weak credentials.
Threat actors typically search for these services on the default port 5900 or other nearby ports (5901-5910). Their goal is to gain remote access to HMI devices connected to live control networks.”
They will then use this access to manipulate settings on HMI devices such as parameter and setpoint changes.
There are four groups named in the warning: Cyber Army of Russia Reborn, NoName057(16), Z-Pentest and Sector16. Each has links back to Russian government agencies.
The advisory notes that the groups’ capabilities and understanding of the technology they are targeting are limited, making it difficult to predict the impact of their attacks. Regardless, the groups have nonetheless managed to cause physical harm to critical systems and infrastructure.
There are a number of mitigation recommendations in the advisory, with further detail on each one, but the top level recommendations are:
- Reduce exposure of OT assets to the public-facing internet.
- Adopt mature asset management processes.
- Ensure OT assets use robust authentication procedures.
- Enable control system security features.
- Implement and practice business recovery/disaster recovery plans.
- Collect and monitor the traffic of OT assets and networking devices.
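As an added, constructed example (not code from the advisory or from the ACSC), the following Python applies the last recommendation to the technique quoted above: it runs over constructed OT-boundary log lines and flags external reach to VNC ports 5900-5910 on HMI assets, a sweep across that port range by one source, and a burst of VNC authentication failures consistent with password spraying. The log format, the OT address range and the HMI addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

VNC_PORTS = set(range(5900, 5911))  # default 5900 plus the nearby 5901-5910
OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT address space
HMI_HOSTS = {"10.20.0.7", "10.20.0.8"}  # assumed HMI inventory (hypothetical)
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) result=(?P<result>\w+)$")

# Constructed sample log from the OT boundary (not from the advisory); result
# is attempt, auth_fail or auth_ok as reported by the VNC server or proxy.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z src=203.0.113.5 dst=10.20.0.7 dport=5900 result=attempt
2025-08-01T10:00:02Z src=203.0.113.5 dst=10.20.0.7 dport=5901 result=attempt
2025-08-01T10:00:03Z src=203.0.113.5 dst=10.20.0.7 dport=5902 result=attempt
2025-08-01T10:00:10Z src=203.0.113.5 dst=10.20.0.7 dport=5900 result=auth_fail
2025-08-01T10:00:11Z src=203.0.113.5 dst=10.20.0.7 dport=5900 result=auth_fail
2025-08-01T10:00:12Z src=203.0.113.5 dst=10.20.0.7 dport=5900 result=auth_fail
2025-08-01T10:05:00Z src=10.20.0.50 dst=10.20.0.7 dport=5900 result=auth_ok
2025-08-01T10:06:00Z src=198.51.100.9 dst=10.20.0.8 dport=5900 result=attempt
2025-08-01T10:07:00Z src=198.51.100.9 dst=10.20.0.8 dport=443 result=attempt
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "dport": int(m["dport"])}

def analyse(log_text, hmi_hosts=HMI_HOSTS, sweep_min=3, spray_min=3):
    """Return sorted (rule, src, dst) findings. exposed_vnc: an address outside
    OT_NET reached a VNC port on a listed HMI. vnc_sweep: one source probed
    >= sweep_min VNC ports on one host. vnc_spray: >= spray_min auth failures."""
    ports, fails, findings = defaultdict(set), defaultdict(int), set()
    for e in parse(log_text):
        if e["dport"] not in VNC_PORTS:
            continue  # non-VNC traffic is out of scope for these rules
        key = (e["src"], e["dst"])
        if e["dst"] in hmi_hosts and ipaddress.ip_address(e["src"]) not in OT_NET:
            findings.add(("exposed_vnc",) + key)
        ports[key].add(e["dport"])
        fails[key] += e["result"] == "auth_fail"
    findings |= {("vnc_sweep",) + k for k, p in ports.items() if len(p) >= sweep_min}
    findings |= {("vnc_spray",) + k for k, n in fails.items() if n >= spray_min}
    return sorted(findings)
```

An `exposed_vnc` finding on its own indicates the asset is reachable from outside the OT range and should be treated as a gap against the first recommendation, regardless of whether any sweep or spray follows.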