Global cybersecurity agencies warn of pro-Russian attackers targeting multiple OT environments and devices.
National cybersecurity agencies are warning of an increase in attacks on operational technology (OT) devices by pro-Russia hacktivist groups.
These groups are often ideologically, rather than financially, motivated, and focus on DDoS attacks, website defacements and/or the spread of misinformation, an NCSC statement said.
The groups “have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK,” the NCSC said, and the groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term.
Global Support
This has led to a call for external assistance from other agencies, with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC) and Canadian Centre for Cyber Security (CCCS) also observing these threat actors compromising small-scale industrial control systems.
EPA issued a warning in March about attacks on water and wastewater systems throughout the United States, which have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.
In that instance, EPA requested support to ensure water systems “comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”
Issuing Warnings
Now, the global agencies are issuing warnings that whilst most of the activity remains technically unsophisticated, US agencies have responded to some incidents where victims have seen limited physical disruptions from unauthorised users.
In particular, the NCSC said the pro-Russia hacktivists had been observed over the past few months targeting vulnerable, small-scale industrial control systems in North America and Europe.
According to a joint advisory, the attackers have been observed gaining remote access by exploiting publicly exposed internet-facing connections and outdated VNC software, as well as by using HMIs’ factory default passwords and weak passwords, often without multi-factor authentication in place.
Written by
Dan Raywood
Senior Editor
SC Media UK