Two Russian hacktivist groups were observed targeting critical infrastructure in the United States and around the world, most notably in the oil and gas, and water systems sectors.
Cyble researchers said in a Dec. 6 post that the attacks on critical infrastructure by the hacktivist groups go well beyond the distributed-denial-of-service (DDoS) attacks and website defacement these groups tend to engage in.
The researchers said the groups — The People’s Cyber Army (PCA) and Z-Pentest — posted videos to their Telegram channels allegedly showing the hackers tampering with operational technology (OT) controls on critical infrastructure.
Such attacks have also taken place in many other countries, including Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany, and Poland — often claiming retaliation for a country’s support for Ukraine in its longstanding war with Russia.
The researchers said some OT security specialists say water and wastewater systems are especially vulnerable, partially because many communities around the world are ill-equipped to cope without water for any length of time.
“I have long warned and written that if you want to bring a nation to its knees, target power and water,” said Morgan Wright, chief security advisor at SentinelOne. “Most Russian-aligned hacktivist groups are not operating in a vacuum — they are expressing the will of Russian policy through their activities. These continued attacks serve various purposes, including establishing credibility for the proxy group, providing deniability for Russia, and creating an ongoing pattern of disruption.”
Wright, an SC Media columnist, said that while he’s concerned about the critical infrastructure organizations already compromised, he’s also very worried about the ones we don’t know about.
“Another danger is inspiring other groups also to launch their own attacks,” said Wright. “Showing others how easy a target is will lead to more incidents.”
Given the press attention to the revelations of extensive penetration of critical infrastructure by the Chinese threat actor Volt Typhoon, it would appear the Chinese have been far more successful than Russia at targeting these OT operations, said Ian Thornton-Trump, chief information security officer at Inversion6.
“This is not surprising as Russian cyber operations have been working extensively in support of the Ukraine war, Middle East conflicts and election disinformation and misinformation campaigns in several countries,” Thornton-Trump said. “An uptick in DDoS attacks on American critical infrastructure may be a precursor to more Russian espionage and implant operations to build a foothold in critical information systems and to cause a level of discomfort and uncertainty for operators and government officials.”
Thornton-Trump added that Russian cyber forces have been operating at a high tempo for 1,000 or more days since the start of the Ukraine conflict. Conversely, the Chinese have had breathing space, with no major conflicts to deal with like those the Russians face in Ukraine or the Middle East.
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that U.S. water systems remain at risk: responsibility for managing facilities is split across state, local, federal, and commercial entities with differing forms of governance and authority, and some of them have largely ignored security practices.
“Operators of these facilities must meet compliance as well as foster a culture of security and best practices to lower risk,” said Dunham. “They should also adopt a mindset and awareness of critical infrastructure and the importance of protecting operations and assets, respectively. Involve trusted third parties for roadmap planning, audits, and additional support to ensure robust security planning and integrity in SecOps.”