
ALERT: Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity (May 2024 UPDATE)


*(Information courtesy of the NCSC: https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups

Fact sheet available here: https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity)


The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, EPA, DOE, USDA, FDA, MS-ISAC, CCCS, and the UK's National Cyber Security Centre (NCSC-UK)—collectively known as “the authoring organisations”—have issued a fact sheet to raise awareness and protect against ongoing malicious cyber activities. These are primarily conducted by pro-Russia hacktivists targeting operational technology (OT) devices across North America and Europe.

The hacktivists are targeting small-scale OT systems in sectors such as Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture. They typically compromise internet-facing industrial control systems (ICS) and their software components, such as human machine interfaces (HMIs), gaining access through exposed virtual network computing (VNC) remote access software and factory default passwords.

This activity was first observed in 2022 and was still being observed as recently as April 2024. To counter it, the authoring organisations are sharing this information and recommend immediate action. If you operate within critical infrastructure sectors, including WWS, Dams, Energy, and Food and Agriculture, it is crucial to implement the mitigations listed in this fact sheet.

Actions To Take Immediately

  • Change all default passwords on your OT devices, including PLCs and HMIs. Make sure these passwords are strong and unique.
  • Keep your OT systems away from internet exposure as much as possible.
  • Set up multifactor authentication for any access to the OT network.

Overview of Threat Actor Activity

Pro-Russia hacktivists targeting these sectors tend to use relatively unsophisticated techniques that manipulate ICS equipment to create nuisance-level disruption. However, investigations have shown that these actors are also capable of techniques that pose physical threats to insecure and misconfigured OT environments. They typically gain remote access by exploiting publicly exposed internet connections and outdated VNC software, and log in using factory default or weak passwords on HMIs that are not protected by multifactor authentication.


It's important to note that historically, these hacktivists have tended to overstate their capabilities and the impact of their attacks on targets. Since 2022, they've claimed on social media to have carried out cyber operations—including distributed denial of service attacks, data leaks, and data wiping—against a range of North American and international organizations. However, according to reports from those affected, the actual disruption caused by these activities has been relatively minor.

2024 Year-to-Date Activity

Since the start of 2024, the authoring organizations have observed pro-Russia hacktivists targeting vulnerable industrial control systems across North America and Europe. In response, CISA and the FBI have been assisting several U.S.-based Water and Wastewater Systems (WWS) facilities that were disrupted by unauthorized users remotely manipulating Human Machine Interfaces (HMIs). Specifically, the hacktivists altered HMIs to push water pumps and blower equipment beyond their normal operating parameters: they raised set points, changed other settings, turned off alarm mechanisms, and changed administrative passwords to lock operators out of the systems.

Although some affected facilities reported minor tank overflow incidents, the majority managed to switch to manual controls quickly after these breaches and restored normal operations without significant delays.

Remote Access to HMIs

The authoring organizations have noted that pro-Russia hacktivists employ a range of techniques to gain remote access to Human Machine Interfaces (HMIs) and alter the operations of the underlying Operational Technology (OT). These techniques include:

  • Using VNC to reach the HMI's graphical user interface and make changes. VNC is widely used to give remote access to the screens through which OT processes are monitored and controlled.
  • Logging in over the Remote Frame Buffer (RFB) protocol that underlies VNC, which carries keyboard and mouse input to the HMI and so gives direct control of the underlying OT system.
  • Connecting to VNC on its default TCP port 5900 using factory default or weak passwords on accounts that are not protected by multifactor authentication.

It's important to highlight that several HMIs compromised in these attacks were outdated, unsupported legacy devices or foreign-manufactured devices that had been rebranded as U.S. products.
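As an added check for the exposure described above (this is not code from the fact sheet or from any of the authoring organisations), the script below reads the first two server messages of the RFB handshake that VNC uses, the "RFB xxx.yyy" version banner and the list of security types the server offers, and reports whether an HMI can be reached with no authentication, with classic VNC password authentication only, or only over an encrypted method such as VeNCrypt or TLS. The live probe sends no credentials; the classifier is exercised on constructed byte strings, and the host names, the 5900 port assumption and the sample captures are all constructed for illustration.

```python
"""Classify what a VNC (RFB, RFC 6143) server offers for authentication.

Added audit helper, not part of the CISA/NCSC fact sheet. The live probe
assumes a TCP-reachable VNC service (default port 5900); the classifier is
pure and is run on constructed captures below.
"""
import socket
import struct

# Security type numbers from RFC 6143 and the IANA RFB security-type registry.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL", 30: "Apple Remote Desktop",
}
# Types that wrap the session in a cryptographic channel rather than only a password exchange.
ENCRYPTED_TYPES = {5, 6, 18, 19}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_offer(version: tuple[int, int], data: bytes) -> list[int]:
    """Return the security types the server offers.

    RFB 3.3 sends a single big-endian U32 type. RFB 3.7+ sends a U8 count
    followed by that many U8 types; a count of 0 means the server refused
    and a U32 length plus reason string follows.
    """
    if version < (3, 7):
        if len(data) < 4:
            raise ValueError("truncated RFB 3.3 security type")
        return [struct.unpack(">I", data[:4])[0]]
    if not data:
        raise ValueError("missing security-types count")
    count = data[0]
    if count == 0:
        reason_len = struct.unpack(">I", data[1:5])[0]
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused: {reason}")
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types list")
    return types


def classify(banner: bytes, offer: bytes) -> dict:
    """Turn the server's opening bytes into a verdict a defender can act on."""
    version = parse_version(banner)
    types = parse_security_offer(version, offer)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        verdict = "UNAUTHENTICATED"        # anyone who can reach the port gets the HMI screen
    elif 2 in types:
        # Classic VNC auth: DES challenge-response with the password truncated to
        # 8 bytes and no session encryption. Offering it next to VeNCrypt/TLS still
        # lets a client choose the weak option, so it is graded the same.
        verdict = "WEAK_PASSWORD_ONLY"
    elif types and all(t in ENCRYPTED_TYPES for t in types):
        verdict = "ENCRYPTED"
    else:
        verdict = "REVIEW"                 # vendor-specific type; check it by hand
    return {"version": version, "types": names, "verdict": verdict}


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check: read the banner, echo it back, read the offer, disconnect.

    Sends no credentials. Run it only against assets you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        s.sendall(banner)                  # accept the server's own version
        offer = s.recv(256)
    return classify(banner, offer)


# Constructed captures of the two server messages (no real hosts involved).
SAMPLES = {
    "hmi-a": (b"RFB 003.008\n", b"\x01\x01"),           # offers None only
    "hmi-b": (b"RFB 003.008\n", b"\x01\x02"),           # VNC Authentication only
    "hmi-c": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),   # legacy 3.3 encoding, VNC auth
    "hmi-d": (b"RFB 003.008\n", b"\x02\x13\x02"),       # VeNCrypt and VNC auth (downgradable)
    "hmi-e": (b"RFB 003.008\n", b"\x01\x13"),           # VeNCrypt only
}


def audit_samples() -> dict[str, str]:
    """Verdict per sample host; the same shape you would build from probe() results."""
    return {name: classify(b, o)["verdict"] for name, (b, o) in SAMPLES.items()}


if __name__ == "__main__":
    for host, verdict in audit_samples().items():
        print(f"{host}: {verdict}")
```

Anything graded UNAUTHENTICATED or WEAK_PASSWORD_ONLY that is reachable from outside the OT boundary is exactly the condition the fact sheet describes; the fix is to remove the exposure, not to tune the check.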

MITIGATIONS

To guard against the described cyber threats, the authoring organizations urge critical infrastructure organizations to adopt specific mitigations. These recommended actions are in line with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs offer a foundational set of practices and protections that CISA and NIST advise all organizations to implement. These guidelines are derived from established cybersecurity frameworks and guidance, aimed at shielding against the most prevalent and harmful cyber threats, tactics, techniques, and procedures. For further details on the CPGs, including additional recommended baseline protections, visit CISA’s Cross-Sector Cybersecurity Performance Goals website.

Network Defenders

Pro-Russia hacktivists have been exploiting cybersecurity vulnerabilities, such as weak password security and excessive exposure to the internet. To protect against these threats, the authoring organizations recommend organizations take the following actions:

Harden HMI Remote Access

To strengthen the security of Human Machine Interfaces (HMIs), such as touchscreens used to monitor or alter systems, or programmable logic controllers (PLCs), the authoring organizations advise taking the following steps:

  • Disconnect all HMIs from the public-facing internet: If remote access is still required, establish a firewall and/or a Virtual Private Network (VPN) with a robust password and multifactor authentication to regulate device access [CPG 2.W] [CPG 2.X].
  • Implement multifactor authentication for all access to the OT network. For more details, refer to CISA’s guide titled 'More than a Password' [CPG 2.H].
  • Change all default and weak passwords immediately: Use strong, unique passwords for HMIs and ensure that factory default passwords are not in use. Verify in the remote settings panel that the old password is no longer visible [CPG 2.A] [CPG 2.B].
  • Keep VNC updated: Always use the most recent version of VNC and ensure that all systems and software are up to date with the latest patches and security updates.
  • Establish an allowlist: This should only permit IP addresses of authorized devices. Refine the allowlist to specific times of the day to further block malicious activities. It's advisable to set up alerts to monitor access attempts.

Note: An allowlist is not a complete security solution on its own but can make it more difficult for a threat actor to compromise a device.

  • Log remote logins to HMIs: Keep track of any failed login attempts and any logins at unusual times [CPG 2.T]. This logging helps in identifying potential security breaches and understanding access patterns.
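The allowlist, time-of-day and failed-login controls in the list above only help if someone actually reviews the resulting logs. The script below is an added example, not code from the fact sheet or its authors, of that review: it parses one constructed line-per-login log format (real HMI and VNC servers log differently, so parse_line() is the part to adapt) and flags logins from sources outside the allowlist, logins outside the expected operating window, bursts of failed attempts from one source, and a success that follows such a burst. The allowlist network, the 07:00-19:00 UTC window, the thresholds and every log line are constructed assumptions.

```python
"""Review HMI remote-login logs against allowlist, time window and failure bursts.

Added example, not part of the fact sheet. The log format, the allowlist,
the operating window and the sample events are all constructed.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta
import ipaddress
import re

# Constructed sample log: one line per VNC login attempt (not from a real incident).
SAMPLE_LOG = """\
2024-04-12T02:14:07Z vnc hmi-pump-3 src=203.0.113.45 user=admin result=FAIL
2024-04-12T02:14:09Z vnc hmi-pump-3 src=203.0.113.45 user=admin result=FAIL
2024-04-12T02:14:11Z vnc hmi-pump-3 src=203.0.113.45 user=admin result=FAIL
2024-04-12T02:14:14Z vnc hmi-pump-3 src=203.0.113.45 user=admin result=OK
2024-04-12T09:05:31Z vnc hmi-pump-3 src=10.20.30.7 user=operator result=OK
2024-04-12T23:41:02Z vnc hmi-blower-1 src=10.20.30.7 user=operator result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vnc (?P<hmi>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]   # assumed: engineering workstation subnet
WINDOW = (time(7, 0), time(19, 0))                    # assumed: remote access expected 07:00-19:00 UTC
FAIL_THRESHOLD = 3                                    # failures from one source within FAIL_SPAN
FAIL_SPAN = timedelta(minutes=5)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def in_allowlist(addr) -> bool:
    return any(addr in net for net in ALLOWLIST)


def in_window(ts: datetime) -> bool:
    return WINDOW[0] <= ts.time() <= WINDOW[1]


def review(log_text: str) -> dict:
    """Map (finding, hmi, source) -> timestamp of the first occurrence."""
    findings = {}
    fails = defaultdict(list)          # source -> timestamps of failed attempts

    def note(kind: str, ev: dict) -> None:
        findings.setdefault((kind, ev["hmi"], str(ev["src"])), ev["ts"])

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                   # in production, unparseable lines deserve their own alert
        src, ts = ev["src"], ev["ts"]
        if not in_allowlist(src):
            note("source_not_allowlisted", ev)
        if ev["result"] == "FAIL":
            fails[src].append(ts)
            if sum(1 for t in fails[src] if ts - t <= FAIL_SPAN) >= FAIL_THRESHOLD:
                note("failed_login_burst", ev)
        else:
            if not in_window(ts):
                note("login_outside_window", ev)
            if any(ts - t <= FAIL_SPAN for t in fails[src]):
                note("success_after_failures", ev)   # guessing that worked: treat as compromise
    return findings


if __name__ == "__main__":
    for (kind, hmi, src), ts in sorted(review(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:24} {hmi:12} {src}")
```

On the constructed log the review raises five findings, all but one concerning the non-allowlisted source that failed three times at 02:14 and then got in; the operator login at 23:41 is flagged only because it falls outside the assumed window, which is the kind of event to confirm with the on-call engineer rather than dismiss.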

Strengthen Security Posture

To enhance the security measures for your Operational Technology (OT) systems, consider these strategic steps:

  • Integrate Cybersecurity Early: Include cybersecurity considerations from the start—during the conception, design, development, and operation phases of OT systems. For more insights, refer to the Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER)’s publication on Cyber-Informed Engineering.
  • Maintain Manual Operation Skills: Regularly practice and retain the capability to operate systems manually to ensure readiness in case of cyber incidents [CPG 5.A].
  • Backup Important Data: Create backups of the engineering logic, configurations, and firmware of HMIs for quick recovery. Make sure your team is well-versed with factory resets and deploying backups [CPG 2.R].
  • Monitor PLC Integrity: Regularly check the integrity of PLC ladder logic or other programming languages and diagrams used in your PLCs. Look for any unauthorized modifications that might indicate tampering and could affect safe operation.
  • Secure and Update Network Diagrams: Keep your network diagrams for both IT and OT updated [CPG 2.P]. Implement strict access controls based on the principles of least privilege and need-to-know for accessing these diagrams. Use encryption, authentication, and authorization techniques to secure these files, and maintain audit logs to monitor who accesses or modifies them.
  • Be Cautious of Cyber/Physical Threats: Stay vigilant about cyber-physical threats. Adversaries might try to acquire network credentials through various means, such as during official visits, trade shows, conferences, or even via social media platforms.
  • Inventory and Update HMIs: Conduct an inventory to determine the end-of-life status of all HMIs [CPG 1.A]. Plan to replace any end-of-life HMIs as quickly as possible.
  • Implement Operational Safeguards: Place software and hardware limits on the manipulation of physical processes to reduce the impact of any successful compromise. This can include operational interlocks, cyber-physical safety systems, and the principles of cyber-informed engineering.

These steps materially reduce the impact of the activity described in this fact sheet and help ensure that operations can continue, or be restored quickly, when an HMI is compromised.
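The backup and PLC-integrity items above come down to one routine: record a trusted baseline of the engineering artefacts (exported ladder logic, HMI configuration, firmware images), then compare the live copies against it on a schedule. The script below is an added example, not code from the fact sheet or its authors. It hashes a directory tree, writes a baseline whose hash list is authenticated with an HMAC (the key is assumed to live off the OT network; without that, whoever can rewrite the project files can rewrite an unsigned baseline too), and reports modified, added and removed files. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Baseline and verify HMI/PLC project artefacts.

Added example, not part of the fact sheet. Assumes a directory of exported
project files that should change only through an authorised engineering
change, and an HMAC key held somewhere the OT network cannot reach.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

BASELINE_KEY = b"demo-only-store-the-real-key-off-the-OT-network"   # assumed


def hash_tree(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def make_baseline(root: Path, key: bytes) -> bytes:
    """Serialise the digests and authenticate them so a tampered baseline is detectable."""
    files = hash_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "mac": mac}).encode()


def verify(root: Path, baseline: bytes, key: bytes) -> dict:
    """Compare the live tree with the baseline; report drift and whether the baseline itself is trusted."""
    doc = json.loads(baseline)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    then, now = doc["files"], hash_tree(root)
    return {
        "baseline_authentic": hmac.compare_digest(expected, doc["mac"]),
        "modified": sorted(p for p in then if p in now and now[p] != then[p]),
        "added": sorted(p for p in now if p not in then),
        "removed": sorted(p for p in then if p not in now),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then an unauthorised edit plus a dropped-in file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc").mkdir()
        (root / "plc" / "pump3_ladder.xml").write_text("<program>setpoint=60</program>\n")
        (root / "hmi_pump3.cfg").write_text("alarm_high=85\nalarm_enabled=1\n")
        baseline = make_baseline(root, BASELINE_KEY)
        clean = verify(root, baseline, BASELINE_KEY)
        # What the fact sheet describes: alarms switched off, and new logic dropped in.
        (root / "hmi_pump3.cfg").write_text("alarm_high=85\nalarm_enabled=0\n")
        (root / "plc" / "override.xml").write_text("<program>setpoint=95</program>\n")
        tampered = verify(root, baseline, BASELINE_KEY)
        forged = verify(root, baseline, b"wrong-key")   # baseline checked with the wrong key
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, json.dumps(result))
```

Run the verification from a host that is not the HMI itself, on a schedule, and treat any drift that does not match a change ticket as an incident; a baseline that fails its HMAC check is itself a finding, not something to regenerate.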

Limit Adversarial Use of Common Vulnerabilities

To minimize the risks posed by common vulnerabilities, organizations can take several proactive steps:

  • Utilize Available Resources to Reduce Risk Exposure: U.S. organizations can access a variety of services provided by CISA at no cost, including scanning and testing that help organizations reduce their exposure by identifying and mitigating potential attack vectors. The CISA Cyber Hygiene services provide an additional layer of review of internet-accessible assets and regular reports with recommendations for mitigating vulnerabilities. To request these services, email vulnerability@cisa.dhs.gov with the subject line "Requesting Cyber Hygiene Services." UK organizations can use the NCSC's free Early Warning service, which similarly alerts organizations to threats and vulnerabilities affecting their networks.
  • Assess Your Security Posture: CISA’s regional Cybersecurity Advisors are available to provide assessments using the CPG framework to help organizations gauge their current security posture. Reach out to your regional CISA office to schedule such an assessment. This step is crucial for understanding vulnerabilities within your systems and making informed decisions about where to allocate resources for improvement.

These measures are designed to limit adversaries' ability to exploit common vulnerabilities effectively and ensure a robust defensive stance against cyber threats.

OT Device Manufacturers

While critical infrastructure organizations play a key role in mitigating risks, the primary responsibility for ensuring the security of OT devices rests with the manufacturers. These devices should be secure by design and default. The authoring organizations strongly encourage device manufacturers to take responsibility for the security outcomes of their customers, in accordance with the principles outlined in the joint guide "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software" and on CISA’s Secure by Design webpage.

Recommended Actions for Manufacturers:

  • Eliminate Default Passwords and Require Strong Passwords: Using default credentials is a significant vulnerability that threat actors frequently exploit. Manufacturers can address this issue on a large scale by following the approaches recommended in CISA’s Secure by Design Alert.
  • Mandate Multifactor Authentication for Privileged Users: Any modifications to engineering logic or configurations can have safety implications in critical infrastructure. Such changes should always require multifactor authentication to enhance security.
  • Include Logging at No Additional Charge: It is vital for operators to be able to track changes and access within their infrastructure. Change and access control logs should be provided for free and use open standard logging formats to ensure transparency and accessibility.
  • Publish Software Bills of Materials (SBOM): Vulnerabilities in underlying software libraries can impact a wide range of devices. An SBOM is crucial as it allows critical infrastructure system owners to assess and mitigate the impact of vulnerabilities on their systems.

For further guidance, manufacturers can refer to CISA’s Secure by Design Alert, which includes advice on how software manufacturers can protect web management interfaces from cyber threats. By employing secure by design principles, manufacturers can ensure their products are secure right out of the box, reducing the need for customers to make extensive configuration changes, purchase additional security software, or engage in constant monitoring and updates.

REPORTING

Organizations are urged to report any suspicious or criminal activity related to the information in this fact sheet through the following channels:

US Organizations:

  • CISA: Contact CISA’s 24/7 Operations Center at report@cisa.gov or by calling 888-282-0870. When reporting, please provide as much of the following information as possible: the date, time, and location of the incident; type of activity; number of people affected; type of equipment used; the name of your company or organization; and a designated point of contact.

UK Organizations:

  • Organizations should report any suspected compromises to the NCSC via their incident reporting website: https://report.ncsc.gov.uk/

This collective effort in reporting helps enhance security responses and mitigates further risks across various sectors.
