Pro-Russian ‘Hacktivists’ Targeting Industry

Pro-Russian “hacktivists” are attempting to compromise computer networks for critical industrial sectors of the economy in North America and Europe, Bloomberg reported on May 1, citing cybersecurity agencies in the US, UK, and Canada.

Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency, said the hackers have targeted “small-scale” technology that controls industrial equipment and processes, including in the water and wastewater sectors, as well as dams, energy, and food and agriculture.

The hacking activity dates back to 2022 but was seen as recently as last month, targeting organizations that struggle to implement even basic cybersecurity measures. Such lapses include leaving default factory settings unchanged, using weak passwords, or failing to add other protections such as multifactor authentication, he said.

Hacktivists break into computer networks for political or socially motivated purposes, though some hacktivist groups are believed to be tied to foreign intelligence operations.

In some cases, the intrusions caused water pumps and blower equipment to exceed normal operating parameters in a way that resulted in the operators reverting to manual operations, Goldstein said. Noting that many of the organizations lack significant resources, he appealed to technology vendors to install safe settings by default.

“There is no reason why any technology product should be coming off the shelf with a factory default password that is not immediately changed upon installation,” he said.

Goldstein’s comments follow a note sent out widely to industry players on April 30, obtained by Bloomberg News, which urged recipients to conduct “targeted outreach efforts” to relevant utilities and equipment manufacturers about the threat. CISA didn’t immediately comment on that note, and a representative for the Russian Embassy in Washington didn’t immediately respond to a request for comment.

In April, cybersecurity company Mandiant detailed claims from a pro-Russia hacktivist group named the Cyber Army of Russia Reborn (CARR) that it had hacked water facilities in the US, causing one water tank in Muleshoe, Texas, to overflow, and affecting other utilities.

John Hultquist, chief analyst at Mandiant Intelligence, said that group has considerable ties to Sandworm, a hacking group affiliated with Russian military intelligence that has carried off a series of high-impact and damaging hacks. Hultquist said it remained unclear if there was any link between Sandworm and CARR’s purported activities targeting US critical infrastructure.

“The impacts may be minimal, but the issue here is they’re crossing the physical barriers,” he said of the recent attacks from pro-Russia hacktivists targeting US water systems.

Asked about a Sandworm connection, Goldstein said, “At this point, the US government is not assessing a connection between Sandworm and the pro-Russia hacktivist activity described.” But he said officials are conducting ongoing analysis to ensure the US government understands the threat as it evolves.