Russian Hacktivists Increasingly Tamper with Energy and Water System Controls
Summary:
Two Russian hacktivist groups, the People’s Cyber Army (PCA) and Z-Pentest, have intensified their attacks on critical infrastructure in the U.S. and allied nations. Unlike typical hacktivist methods such as DDoS attacks or website defacements, these groups have accessed operational technology systems in sectors such as oil, gas, and water. Z-Pentest, a relatively new actor active since October, has claimed responsibility for 10 attacks within two months. Their most recent attack involved disrupting critical systems at an oil well, tampering with controls for water pumping, petroleum gas flaring, and oil collection. The group even released a six-minute video showcasing their unauthorized access to operational dashboards and control panels. These claims suggest a concerning level of sophistication and access.
The People’s Cyber Army, better known for its DDoS attacks, has also targeted water and wastewater systems in Texas and Delaware. Notable incidents include tampering with valves to release untreated water and causing storage tanks to overflow. PCA has conducted at least eight attacks on water systems this year alone, targeting communities that are highly dependent on these services. Both groups have justified their actions as retaliation against nations supporting Ukraine, with attacks extending to Canada, Australia, France, South Korea, and more. While PCA and Z-Pentest’s activities have caused limited immediate damage, their ability to access and manipulate OT environments signals a significant risk.
Security Officer Comments:
Adding to these concerns, Cyble researchers have observed increased threat activity in the energy sector, including ransomware attacks and the sale of network credentials and zero-day vulnerabilities on dark web marketplaces. In some cases, credentials for energy systems were sold before larger breaches occurred, emphasizing the need for proactive monitoring of such marketplaces. The emergence of Z-Pentest, coupled with PCA’s ongoing campaigns, demonstrates an escalating threat to critical infrastructure. Organizations must prioritize patching vulnerabilities, segmenting networks to prevent lateral movement, implementing Zero-Trust principles, and conducting regular cybersecurity training.
Suggested Corrections:
Critical infrastructure environments often cannot afford downtime, and end-of-life devices often remain in service long after support has ended. With those challenges in mind, below are some general recommendations from researchers at Cyble on improving the security of critical environments:
- Organizations should follow ICS/OT vulnerability announcements and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.
- Segregating ICS/OT/SCADA networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation. Devices that do not need to be exposed to the internet should not be, and those that require web exposure should be protected to the extent possible.
- Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.
- Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with vulnerability intelligence reports is essential for proactive defense. Threat hunting should also be a regular practice for detecting advanced persistent threats (APTs) dwelling in critical environments and adjacent IT networks.
- Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.
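As an added example (not from Cyble's report or any vendor tool), the following Python detection rule runs over constructed HMI audit-log lines in a hypothetical format; it flags control writes that originate outside the engineering subnet, and escalates when that account was previously seen from a trusted address, the pattern a defender would expect when purchased or stolen credentials are used against an exposed control panel. The log format, subnet and tag names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample audit log in a hypothetical HMI format (not a real product's):
# "<timestamp> src=<ip> user=<name> action=<WRITE|READ> tag=<tag> value=<v>"
SAMPLE_LOG = """\
2024-11-02T03:14:07Z src=10.20.5.11 user=ops-eng action=WRITE tag=WaterPump1.Setpoint value=45
2024-11-02T03:15:22Z src=10.20.5.11 user=ops-eng action=READ tag=Flare.Status value=ON
2024-11-02T03:17:40Z src=198.51.100.23 user=ops-eng action=WRITE tag=WaterPump1.Setpoint value=0
2024-11-02T03:18:01Z src=198.51.100.23 user=ops-eng action=WRITE tag=Flare.Enable value=OFF
2024-11-02T03:19:15Z src=10.20.5.30 user=vendor action=WRITE tag=Tank2.Valve value=OPEN
"""

# Assumed: only the engineering workstation subnet may issue control writes.
ENGINEERING_SUBNETS = [ipaddress.ip_network("10.20.5.0/24")]

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) action=(\S+) tag=(\S+) value=(\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, action, tag, value = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src), "user": user,
            "action": action, "tag": tag, "value": value}


def is_trusted(src):
    return any(src in net for net in ENGINEERING_SUBNETS)


def find_suspicious_writes(log_text):
    """Return (timestamp, src, user, tag, reason) for every WRITE issued from
    outside the engineering subnets. Reads from anywhere and any activity from
    trusted addresses are not alerted, but trusted activity is remembered so
    that a later untrusted write by the same account is marked as likely
    credential misuse."""
    alerts = []
    seen_from_trusted = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if is_trusted(ev["src"]):
            seen_from_trusted.add(ev["user"])
            continue
        if ev["action"] != "WRITE":
            continue
        reason = "control write from outside engineering subnet"
        if ev["user"] in seen_from_trusted:
            reason += "; account previously used from trusted subnet (possible credential theft)"
        alerts.append((ev["ts"], str(ev["src"]), ev["user"], ev["tag"], reason))
    return alerts
```

On the sample log this yields two alerts, both for the pump setpoint and flare writes from 198.51.100.23, while the vendor write from inside 10.20.5.0/24 is left for the segmentation policy to govern.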
Link(s):
https://cyble.com/blog/russian-hacktivists-target-energy-and-water-infrastructure/