Security agencies warn of heightened threat to critical national infrastructure

Cloud security concept image showing digitized cloud symbol on a circuit board with data flowing out of the cloud.
(Image credit: Getty Images)

UK and US authorities are warning that pro-Russian hacktivists have been targeting vulnerable, small-scale industrial control systems (ICS) in North America and Europe.

The UK’s National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) say victims have seen "some limited physical disruption" to operations.

"The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects," CISA said in an advisory.

"However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments."

The hacktivists have targeted ICS and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including water and wastewater systems, dams, energy, and food and agriculture.

The NCSC added that while these groups often align with Russian government interests, this isn't always the case, which makes them less predictable.

"While the cyber activity of these groups often focuses on DDoS attacks, website defacements and/or the spread of misinformation, some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK," the NCSC warned.

"We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected."

CISA's advisory also describes how the actors got in. They gained remote access by exploiting publicly exposed, internet-facing connections and outdated virtual network computing (VNC) software, and by logging in to human machine interfaces (HMIs) that still used factory default or weak passwords and had no multifactor authentication.

Once inside, they altered the settings of water pumps and blower equipment to push them beyond their normal operating parameters, maxed out set points, changed other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water and wastewater system (WWS) operators.
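The access and manipulation pattern described in the two paragraphs above (a remote login without MFA, followed by set points pushed past their engineering limits, alarms disabled and an administrative password change) is something an OT team can hunt for in HMI audit logs. The following script is an added example written for this article, not code from CISA, the NCSC or any HMI vendor. The key=value log format, the tag names, the operating limits and the trusted OT network range are all invented for illustration; the sample log is constructed inline so the script runs offline.

```python
"""Hunt for the HMI-abuse pattern in the CISA/NCSC advisory: remote logins
without MFA, setpoints outside normal range or maxed out, alarms disabled and
administrative password changes.

Added example, not code from the advisory or the article. Log format, tag
names, limits and network ranges are hypothetical; adapt them to your HMI's
audit log and your process engineering data.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the only networks that should ever reach the HMI (OT LAN / jump host).
# An explicit allowlist is used rather than ipaddress.is_private, because that
# property also matches documentation ranges such as 203.0.113.0/24.
TRUSTED_NETS = [ip_network("10.10.0.0/16")]

# Assumed engineering limits per setpoint tag: (normal_low, normal_high, hard_max).
LIMITS = {
    "PUMP1_SPEED_SP": (30.0, 70.0, 100.0),
    "BLOWER2_SP": (20.0, 60.0, 100.0),
}

# Constructed sample audit log in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T02:13:05Z src=203.0.113.7 user=admin event=login auth=password mfa=no
2024-05-01T02:14:11Z src=203.0.113.7 user=admin event=write tag=PUMP1_SPEED_SP value=100
2024-05-01T02:14:40Z src=203.0.113.7 user=admin event=write tag=BLOWER2_SP value=85
2024-05-01T02:15:02Z src=203.0.113.7 user=admin event=alarm_enable tag=TANK1_LEVEL_HI value=0
2024-05-01T02:15:30Z src=203.0.113.7 user=admin event=passwd_change target=admin
2024-05-01T08:00:00Z src=10.10.5.21 user=operator event=login auth=password mfa=yes
2024-05-01T08:01:00Z src=10.10.5.21 user=operator event=write tag=PUMP1_SPEED_SP value=55
"""


@dataclass
class Finding:
    rule: str
    ts: str
    src: str
    detail: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    return ts, dict(_KV.findall(rest))


def is_trusted(src):
    """True if the source address lies inside an allowlisted OT network."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(log_text):
    """Return one Finding per log line that matches a manipulation pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        ev, src = f.get("event"), f.get("src", "")
        if ev == "login" and f.get("mfa") == "no" and not is_trusted(src):
            findings.append(Finding("remote_login_without_mfa", ts, src, f"{f['user']} from {src}"))
        elif ev == "write" and f.get("tag") in LIMITS:
            low, high, hard_max = LIMITS[f["tag"]]
            value = float(f["value"])
            if value >= hard_max:
                findings.append(Finding("setpoint_maxed_out", ts, src, f"{f['tag']}={value}"))
            elif not low <= value <= high:
                findings.append(Finding("setpoint_outside_normal_range", ts, src,
                                        f"{f['tag']}={value} (normal {low}-{high})"))
        elif ev == "alarm_enable" and f.get("value") == "0":
            findings.append(Finding("alarm_disabled", ts, src, f["tag"]))
        elif ev == "passwd_change":
            findings.append(Finding("admin_password_changed", ts, src,
                                    f"{f['user']} changed {f.get('target')}"))
    return findings


def suspicious_sources(findings, min_rules=3):
    """Sources that tripped several distinct rules. One odd write may be an operator;
    login-without-MFA plus maxed setpoints plus alarms off is the advisory's pattern."""
    rules_by_src = {}
    for x in findings:
        rules_by_src.setdefault(x.src, set()).add(x.rule)
    return {src for src, rules in rules_by_src.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for h in hits:
        print(h.ts, h.src, h.rule, h.detail)
    print("sources to investigate:", suspicious_sources(hits))
```

Run against the constructed log, the script flags the 02:13 to 02:15 sequence from 203.0.113.7 on five rules and leaves the operator's in-range write alone. The useful design point is the second function: any single rule fires on legitimate activity from time to time, so the escalation condition is several distinct rules from one source in one session, which is exactly the chain the advisory describes.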

While some victims experienced minor tank overflows, most reverted to manual controls in the immediate aftermath and were able to quickly restore operations.

"Without external assistance, we consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term," said the NCSC.

"But they may become more effective over time, and so the NCSC is recommending that organizations act now to manage the risk against successful future attacks."

Organizations should act now to improve their cyber security capabilities by following official guidance for heightened security threats and advice on secure system administration.

"Cyber resilience should be the top priority for the NCSC, government and businesses, underpinning comprehensive cyber defense measures to combine reactive, preventative and recovery procedures," said Achi Lewis, area VP EMEA for Absolute Security.

"With cyber attacks being a case of when, not if, particularly when it comes to critical national infrastructure, it is vital that organizations ensure their endpoint devices are best protected against threats to best mitigate the threat and impact of a breach."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.