
Critical alert: Pro-Russia hacktivists target global critical infrastructure through opportunistic attacks

Prayukth KV
12 December 2025
Summary: CISA, FBI, NSA, and international agencies issue joint warning on unsecured Operational Technology
The latest warning from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, NSA, and a coalition of global partners, underscores a significant and persistent threat to our most essential services. A joint Cybersecurity Advisory (AA25-343A) details how pro-Russia hacktivist groups are leveraging simple, opportunistic tactics to breach and disrupt critical infrastructure (CI) worldwide, with the potential for real-world physical damage.
This advisory is another prompt for OT operators to review their security posture and pay closer attention to:
• The state of network segmentation
• The state of patching and known vulnerabilities
• The state of employee training and empowerment: are staff sufficiently trained and empowered to detect and respond to threats?
• Whether risk assessment findings have actually been addressed
• The state of account privileges
• The state of incident response in the organisation
If these aspects are already receiving attention, you should be in a strong position to ward off this threat.
In today's post, we take a deep dive into the recent advisory CISA issued for OT operators.
Before we move forward, don't forget to check out our previous blog, "A plant head's strategic guide to IEC 62443-based vulnerability management", here.
You can read the full advisory here.
What is the threat from pro-Russia hacktivists all about?
While these hacktivist groups are generally less sophisticated than state-sponsored Advanced Persistent Threats (APTs), their attacks are far from harmless. Their primary motivation is nuisance and publicity: they exploit whatever readily available weaknesses they can find for maximum media attention, and to please handlers who could have strong ties to Russian APT groups as well.
Key takeaways from the advisory:
• Focus on OT: The attackers are primarily targeting Operational Technology (OT) and Industrial Control Systems (ICS), which manage and control physical processes like power generation and water treatment. This means they are focusing on citizen-facing critical infrastructure.
• Low-sophistication, high-impact potential: Their methods are crude but effective, focusing on minimally secured, internet-facing Virtual Network Computing (VNC) connections.
• Indiscriminate targeting: These groups are opportunistic, targeting victims based on ease of access rather than strategic value. This broad approach includes sectors like:
o Water and Wastewater Systems
o Energy Sector
o Food and Agriculture
Taken together, the activity reads as a wave of opportunistic intrusions rather than a targeted campaign.
• The goal: disruption and physical damage: Despite their technical limitations, these groups have demonstrated the intent and capability to cause physical damage, leading to significant disruption, resource loss, and the need for manual intervention by operators.
• The threat and risk to OT operators are real
The anatomy of the attack
The success of these hacktivists hinges on finding and exploiting weakly secured remote access to industrial control devices, specifically Human-Machine Interfaces (HMIs), often connected via VNC.
Tactics, Techniques, and Procedures (TTPs):
• Reconnaissance: Scan the public internet for devices with open VNC ports (typically TCP port 5900).
• Initial Access: Spin up temporary Virtual Private Servers (VPS) to run password brute-force or password-spraying tools.
• Exploitation: Use VNC client software to gain access to HMI devices, frequently leveraging default, weak, or non-existent passwords.
• Action on Objectives: Once inside, they manipulate settings on the HMI's graphical interface, including:
o Changing device settings or parameters.
o Modifying or locking out operator usernames/passwords.
o Disabling alarms.
o Causing a "loss of view" that necessitates immediate, hands-on, local operator intervention.
Notorious groups involved:
The advisory specifically names several pro-Russia hacktivist groups involved in these activities:
• Cyber Army of Russia Reborn (CARR)
• Z-Pentest
• NoName057(16)
• Sector16
These groups often collaborate and use social media to dramatically exaggerate their successful intrusions to gain publicity.
Immediate mitigation actions
The most critical defense against these opportunistic attacks is to eliminate the initial point of compromise: the exposed and weakly secured OT asset. CISA urges all critical infrastructure owners and operators to implement the following actions immediately:
Reduce public internet exposure (The #1 Priority)
• Restrict access: The most important step is to ensure that no OT or ICS asset is directly exposed to the public internet.
• Attack surface management: Use automated tools to scan your own IP ranges for any exposed VNC or other remote access systems that may have been configured by third parties.
• Network segmentation: Implement strict network segmentation between your IT (Information Technology) and OT networks, using a robust Demilitarized Zone (DMZ) for all necessary traffic transfer.
• Monitor port hygiene: keep an inventory of which ports are open on which assets and close anything not explicitly required
• Scan the dark web for any disclosure of access credentials
• Inform and sensitize employees to vishing campaigns
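The "attack surface management" step above, and the reconnaissance step in the attack anatomy, both come down to the same question: which of your own addresses answer on the VNC port, and will they let a session in without a password? The script below is an added example written for this post (it is not part of the advisory, nor Shieldworkz tooling) that performs only the first two steps of the RFB handshake defined in RFC 6143: it reads the server's version banner, echoes it back, and reads the list of security types the server offers. It never sends credentials, so it is safe to run against address ranges you own and are authorised to test. The script name, the severity labels and the example CIDR are assumptions.

```python
"""rfb_probe.py (assumed name): report VNC endpoints in your own address
ranges that accept sessions with no or password-only authentication.
Added example; not from the CISA advisory or the blog's own tooling."""
import ipaddress
import socket
import struct

# Well-known RFB security types. RFC 6143 defines 0, 1 and 2; the others are
# community-registered extensions. Unlisted values are reported by number.
SECURITY_TYPES = {
    0: "invalid", 1: "None", 2: "VNC Authentication", 16: "Tight",
    17: "Ultra", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_version(banner: bytes):
    """Parse the 12-byte greeting 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB greeting: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_offer(version, data: bytes):
    """Return the security types the server offers right after the version exchange.

    RFB 3.3: one big-endian u32 naming the single type (0 = connection failed).
    RFB 3.7/3.8: a u8 count followed by that many u8 types (count 0 = failed).
    """
    if version <= (3, 3):
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security word")
        (sec_type,) = struct.unpack(">I", data[:4])
        return [sec_type] if sec_type != 0 else []
    if not data:
        raise ValueError("missing security-type count")
    count = data[0]
    if count == 0:
        return []  # server refused; a reason string follows in the stream
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def classify(types):
    """Map the offered security types to a severity the asset owner can act on."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        return "CRITICAL", "server accepts sessions with no authentication", names
    if types and set(types) <= {2}:
        return "HIGH", "password-only VNC auth: 8-char DES challenge, no MFA, brute-forceable", names
    if not types:
        return "INFO", "server refused the connection", names
    return "MEDIUM", "stronger auth types offered; still verify credentials and exposure", names


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 3.0):
    """Connect, do the version exchange, read the security offer, never authenticate."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        version = parse_version(banner)
        s.sendall(banner)  # echoing the server's version is valid for 3.3 through 3.8
        if version <= (3, 3):
            offer = _recv_exact(s, 4)
        else:
            count = _recv_exact(s, 1)
            offer = count + (_recv_exact(s, count[0]) if count[0] else b"")
    severity, reason, names = classify(parse_security_offer(version, offer))
    return {"host": host, "port": port, "version": version,
            "severity": severity, "reason": reason, "types": names}


def scan_range(cidr: str, ports=(5900, 5901), timeout: float = 3.0):
    """Probe every host in one of *your own* CIDRs; closed or non-RFB ports are skipped."""
    results = []
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        for port in ports:
            try:
                results.append(probe(str(host), port, timeout))
            except (OSError, ValueError):
                continue
    return results


if __name__ == "__main__":
    import sys
    # Assumed example CIDR; pass your own range as the first argument.
    for r in scan_range(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"):
        print(f"{r['host']}:{r['port']} {r['severity']} {r['reason']} {r['types']}")
```

A "CRITICAL" result is exactly the asset the advisory describes: anyone who finds it can open the HMI. A "HIGH" result is only marginally better, because classic VNC Authentication truncates the password to eight characters and the challenge-response can be brute-forced from a rented VPS. Note that the scan only covers the displays you list in `ports`; VNC servers commonly listen on 5900 plus the display number, so extend the tuple to match your estate.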
Strengthen authentication and access
• Robust authentication: Eliminate default credentials on all devices and enforce the use of strong, unique passwords.
• Mandate MFA: Implement Multi-Factor Authentication (MFA), especially for privileged users who can make safety-critical changes to engineering logic or configurations.
• Strict Access Control: Use firewalls and/or VPNs with a default-deny policy for all traffic, explicitly permitting only authorized destinations and protocols.
Monitor, audit, train and prepare
• Asset management: Adopt a mature asset management process to map all data flows and access points across your OT environment.
• Network monitoring: Collect and actively monitor network traffic and logs for anomalies indicative of threat actor activity.
• Practice incident response: Implement and regularly practice business recovery and disaster recovery plans to ensure a swift and effective response if an intrusion occurs.
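The "network monitoring" item above is only useful if someone has written down what "anomalies indicative of threat actor activity" look like for this TTP. Against the anatomy described earlier they are two things: a burst of connection attempts to VNC ports from one source (the VPS running the brute-force tool), and any accepted VNC connection from a source that is not on your explicit allow-list (a default-deny policy turned into a detection). The code below is an added example written for this post, not detection content from the advisory or any vendor; the log line format, the allowed jump-host subnet, the thresholds and the sample log lines are all constructed assumptions.

```python
"""vnc_detect.py (assumed name): flag VNC brute-force bursts and accepted
VNC sessions from non-allow-listed sources in firewall connection logs.
Added example with constructed input; not from the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: HMI VNC displays :0 to :9 live on 5900-5909.
VNC_PORTS = range(5900, 5910)
# Assumed default-deny policy: only the engineering jump-host subnet may reach VNC.
ALLOWED_VNC_SOURCES = [ip_network("10.20.0.0/16")]

# Assumed firewall log shape: "<ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one connection record; returns None for lines in any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def source_allowed(src):
    ip = ip_address(src)
    return any(ip in net for net in ALLOWED_VNC_SOURCES)


def analyse(lines, window=timedelta(seconds=60), threshold=10):
    """Return findings for (1) accepted VNC sessions from outside the allow-list and
    (2) sources with >= threshold VNC connection attempts inside a sliding window.
    Attempts are counted on ACCEPT and DROP alike: a firewall sees TCP connections,
    not VNC password failures, so this is a proxy for brute force / spraying."""
    events = [e for e in map(parse_line, lines) if e and e["dport"] in VNC_PORTS]
    findings = []

    for e in events:  # rule 1: exposure / policy violation
        if e["action"] == "ACCEPT" and not source_allowed(e["src"]):
            findings.append({"rule": "EXPOSED_VNC_ACCEPT", "src": e["src"], "dst": e["dst"],
                             "dport": e["dport"], "ts": e["ts"].isoformat()})

    by_src = defaultdict(list)  # rule 2: attempt burst per source
    for e in events:
        by_src[e["src"]].append(e["ts"])
    for src, stamps in by_src.items():
        stamps.sort()
        best, i = 0, 0
        for j, t in enumerate(stamps):
            while t - stamps[i] > window:
                i += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            findings.append({"rule": "VNC_BRUTE_FORCE", "src": src, "attempts": best,
                             "window_s": int(window.total_seconds())})
    return findings


# Constructed sample: one legitimate engineer session, then a burst of 12 dropped
# attempts plus one accepted connection from a single external address, then a
# second external address that was accepted, then unrelated SSH traffic.
SAMPLE_LOG = (
    ["2025-12-11T02:14:00 ACCEPT src=10.20.1.5 dst=192.168.50.10 dport=5900"]
    + [f"2025-12-11T02:15:{s:02d} DROP src=203.0.113.45 dst=192.168.50.10 dport=5900"
       for s in range(0, 36, 3)]
    + ["2025-12-11T02:15:40 ACCEPT src=203.0.113.45 dst=192.168.50.10 dport=5900",
       "2025-12-11T02:30:12 ACCEPT src=198.51.100.7 dst=192.168.50.11 dport=5901",
       "2025-12-11T02:31:00 ACCEPT src=10.20.1.9 dst=192.168.50.10 dport=22",
       "firewall restarted: not a connection record"]
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed log this yields three findings: the accepted session from 203.0.113.45 and the one from 198.51.100.7 (both outside the allow-list), and a brute-force burst of 13 attempts from 203.0.113.45. The rule-1 finding is the one to page on: an accepted VNC session from an address you never permitted is the "loss of view" scenario in the advisory about to happen, and the response is to pull the HMI off the exposed path and verify its settings, alarms and operator accounts by hand.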
Call to action for OT device manufacturers/OEMs
CISA is also urging manufacturers of Operational Technology to adopt a "secure-by-design" approach to reduce risk before products ever reach critical systems:
• Eliminate default credentials: Require strong, unique authentication from first setup rather than shipping devices with known default passwords.
• Secure by default: Design components to prioritize security when connected to the internet.
• Provide full logging: Offer change and access control logs at no additional cost, using open standard formats.
• Publish SBOMs: Provide a Software Bill of Materials (SBOM) to help asset owners track and mitigate vulnerabilities in underlying software libraries.
The cumulative impact of this opportunistic, low-sophistication malicious activity poses a persistent and disruptive threat to essential services. It could also be part of an extended campaign by Russian APT groups, run through trainee hackers who may be gaining real-world experience through low-intensity cyber attacks.
By taking immediate and decisive action, critical infrastructure organizations can significantly strengthen their defenses against this evolving landscape of cyber threats while reducing their overall risk exposure.
Talk to us for a custom briefing on this advisory.
Learn more about our OT security NDR solution for OT operators.