
Russian group’s hack of Texas water system underscores critical OT cyber threats – Source: www.csoonline.com


Source: www.csoonline.com

Cyberattacks on water systems are rising, with Russian state-linked “hacktivists” posting videos of seemingly amateur intrusions. But their prank-like nature belies more malicious possibilities, as a recent attack on the small Texas town of Stanton, reported here for the first time, illustrates.

Cybersecurity threats to water utilities have accelerated in 2024 as Iranian, Chinese, and Russian threat actors increasingly target these critical systems.

A spate of apparent joy-riding intrusions into rural water systems by possibly Russian state-linked hacktivists has continued unabated this year. Experts say these attacks, undertaken primarily by young amateurs, have caused little serious harm. But, they add, if experienced OT hackers took the reins, havoc could be wreaked on any of the nearly 52,000 local water and irrigation systems in the US and on other water facilities around the globe.

One recent water system intrusion in Stanton, Texas, population 2,700, reported here for the first time, illustrates how vulnerabilities in under-resourced water facilities — the lowest-hanging fruit in the OT security space — must be addressed quickly.

It may seem unlikely that such isolated and seemingly unimpressive assets could attract nation-state-level threat actors looking to send a message or gain hacking experience. But security specialists warn that these attacks, even if they are merely proving grounds, show that all critical infrastructure, no matter how small or remote, should maintain hard separations between OT and IT assets, and should use multifactor authentication where separation is impossible, to help prevent even opportunistic attacks.

Water security under threat

The first known hacking incident to cause real-world damage to a critical infrastructure facility involved a water facility in 2000, when a disgruntled contractor launched an attack against Maroochy Water Services in Queensland, Australia, causing 800,000 liters of raw sewage to leak into the community.

Since then, a major cyberattack was attempted on Israel’s water infrastructure in 2020; an apparent water system poisoning in Oldsmar, Fla., in 2021, which later turned out to be human error, sparked panic among policymakers and cybersecurity leaders; the US Environmental Protection Agency proposed cybersecurity regulations for drinking water systems in 2023, which were later rescinded; and late last year US federal authorities warned that CyberAv3ngers, a threat group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), was targeting water and wastewater systems across the country.

But water systems have been increasingly in the crosshairs in 2024, resulting in the following noteworthy water security developments:

January 2024: CISA, the FBI, and the EPA issued an incident response guide that spells out best practices and federal resources for the water and wastewater sector to deal with cyber incidents.

February 2024: CISA, NSA, and the FBI called out Chinese threat group Volt Typhoon for compromising the critical infrastructure of multiple organizations, including water and wastewater systems.

April 2024: “Hacktivist” group Cyber Army of Russia, aka Cyber Army of Russia Reborn, which may be linked to Russian GRU threat group Sandworm, released videos showing how they manipulated human-machine interfaces (HMIs) for water utility control systems in the Texas towns of Abernathy and Muleshoe. Earlier videos showed the group attempting to sabotage a wastewater facility in a small Polish village in January 2023.

April 2024: According to a video published by Le Monde, the Cyber Army of Russia accessed the control system for a small water mill in a French village in April 2024 and made false claims to have raised a dam’s water level and shut off the electricity it produced.

April 2024: The Cyber Army of Russia posted a video on its Telegram channel claiming responsibility for an attack on Indiana’s Tipton West Wastewater Treatment Plant.

Sept. 18, 2024: The US EPA issued guidance on improving cybersecurity for drinking water and wastewater systems.

Sept. 20, 2024: The Water Information Sharing and Analysis Center (WaterISAC), a nonprofit that helps protect water utilities from physical and cyber threats, issued a TLP:AMBER threat advisory warning of Russian-linked threat actors targeting the water sector.

Sept. 25, 2024: Arkansas City, Kansas, reported a cyber incident involving its water treatment facility. Russian-speaking threat group Z-Pentest (likely connected to the Cyber Army of Russia) took credit via a video on its Telegram channel.

Sept. 25, 2024: CISA warned that threat actors, including pro-Russian hacktivists, were actively exploiting internet-accessible OT and industrial control systems (ICS) devices, including those in the wastewater and water sectors.

Oct. 3, 2024: American Water, a regulated public utility that provides water and wastewater services to around 1,700 communities in 14 states, serving approximately 14 million people, experienced what appeared to be an attack that primarily affected internet-facing assets, such as its customer portal. Its water and wastewater services remained unaffected.

The Cyber Army’s intrusion into small-town Texas

ICS cybersecurity engineer Ron Fabela recently unearthed another video of a not-before-reported intrusion of a US water system in the small town of Stanton, Texas, by the Cyber Army of Russia. The group posted the video on its Telegram channel on Aug. 30.

The video shows an HMI that enables the water company to remotely establish operational levels for various components, including filtration, water turbidity or clarity, water flow rates, and more. Despite the potential linkage to Russia’s Sandworm group, Fabela thinks that, based on the video, the group mainly comprises young amateurs who don’t know what they’re doing.

“They are kids,” he tells CSO. “Just half the time, when they post videos of themselves hacking a water utility, it’s not even like they’re looking to get money. They’re doing it for fun and credibility in their circles.”

According to Fabela, the video shows the hackers randomly adjusting settings until they think they’ve caused something to happen. “They spend three minutes randomly clicking, then they’ll put in some numbers and try it. They don’t know what they’re doing. So, they do this over and over and over until something happens.”

Jessie Montez, Stanton’s city manager, tells CSO that the hackers did have an impact fiddling with the settings. “What they did is just waste raw water,” he says. “They opened up some valves and were able to waste some untreated water.”

Montez agrees with Fabela that the hackers were likely young. “My guess is that they were just showing everyone that they can do it. They were having a little fun with it, I guess.”

For Montez, the group’s hack was no big deal. “I like to say it was an easy, quick fix,” which the town assigned to the systems integrator used for the water supply, Strata Innovative Solutions. How Strata fixed the situation is unclear; the lead Strata engineer assigned to the case didn’t respond to an interview request. (Montez also worked with CISA and the FBI when the agencies contacted him following a report to CISA from Fabela.)
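Fabela’s and Montez’s accounts above describe what the intrusion looked like from the HMI side: a burst of writes from one session, values no operator would enter, and valves opened to waste raw water. The following is an added example, not code from the article, from Stanton, or from its integrator; it shows the kind of detection logic a utility could run over its HMI audit log to catch that pattern. The log format, tag names, engineering limits and operator allowlist are all assumptions constructed for the example.

```python
"""Added example: flag suspicious HMI write activity in a constructed audit log.

Log format, tag names, engineering limits and the operator allowlist are
assumptions for this example, not Stanton's real HMI or its logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one write per line, "timestamp,source_ip,tag,value".
SAMPLE_EVENTS = """\
2024-08-30T02:11:05,203.0.113.7,raw_water_valve_1,OPEN
2024-08-30T02:11:09,203.0.113.7,raw_water_valve_2,OPEN
2024-08-30T02:11:14,203.0.113.7,filter_1_setpoint,0
2024-08-30T02:11:20,203.0.113.7,filter_1_setpoint,999
2024-08-30T02:11:27,203.0.113.7,flow_setpoint_gpm,5000
2024-08-30T02:11:33,203.0.113.7,flow_setpoint_gpm,12
2024-08-30T02:11:40,203.0.113.7,raw_water_valve_1,CLOSED
2024-08-30T09:02:10,192.168.10.5,flow_setpoint_gpm,850
2024-08-30T14:30:00,192.168.10.5,filter_1_setpoint,40
"""

# Assumed engineering limits per numeric tag (inclusive min, max).
TAG_LIMITS = {
    "filter_1_setpoint": (10, 80),
    "flow_setpoint_gpm": (200, 1500),
}
# Assumed allowlist of operator workstations permitted to write to the HMI.
OPERATOR_SOURCES = {"192.168.10.5"}
# A burst is this many writes from one source inside the window.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=2)


def parse_events(text):
    """Parse the CSV-style log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, tag, value = line.split(",", 3)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "tag": tag, "value": value})
    return sorted(events, key=lambda e: e["ts"])


def analyze(events):
    """Return (kind, timestamp, source, detail) tuples, one per finding."""
    findings = []
    recent = defaultdict(deque)   # per-source timestamps inside BURST_WINDOW
    bursting = set()              # sources already reported for the current burst
    for ev in events:
        ts, src, tag, value = ev["ts"], ev["src"], ev["tag"], ev["value"]

        # 1. Writes from anything other than a known operator workstation.
        if src not in OPERATOR_SOURCES:
            findings.append(("unknown_source", ts, src, f"{tag}={value}"))

        # 2. Numeric setpoints outside the tag's engineering limits.
        limits = TAG_LIMITS.get(tag)
        if limits is not None:
            try:
                numeric = float(value)
            except ValueError:
                numeric = None
            if numeric is None or not (limits[0] <= numeric <= limits[1]):
                findings.append(("out_of_range", ts, src,
                                 f"{tag}={value} outside {limits}"))

        # 3. Bursts of writes from one source: the "randomly clicking" pattern.
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            if src not in bursting:          # report each burst once
                bursting.add(src)
                findings.append(("burst", ts, src,
                                 f"{len(window)} writes within {BURST_WINDOW}"))
        else:
            bursting.discard(src)
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'unknown_source': 7, ...}."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, ts, src, detail in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {kind:14} {src:14} {detail}")
```

On the constructed log this reports seven writes from an unlisted source, four setpoints outside engineering limits and one burst; the two daytime writes from the operator workstation produce nothing. The engineering limits are what make the out-of-range check meaningful: a value that is syntactically valid on the HMI can still be physically absurd, and those limits are something the utility and its integrator already know.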

Could these kinds of hacks threaten public safety?

Even if the Cyber Army of Russia and other water utility attackers are amateurish, experts say their activities could threaten public safety in the small towns they target.

Gus Serino, founder of cybersecurity firm I&C Secure and a former staffer at a water utility, tells CSO that the access the hackers gained in the videos could, in more knowledgeable hands, cause serious problems. “We’re seeing these low-hanging fruit, easy stuff being compromised, and then the actors will post a video of them clicking away, not really in any intelligent way, but they do cause impacts,” he says. “They cause overflowed tanks and things like that.”

But, he adds, “with the level of access that they have once they get access to these systems, they could do far worse if they have the capability.”

Tim Erlin, security strategist at Wallarm, thinks these kinds of hackers could cause damage but discounts the malicious intent of threat actors who publicize their activities the way the Cyber Army of Russia and others have done. “I’m always suspicious of the motives when attackers claim or publicize responsibility,” he tells CSO.

OT security expert Patrick Miller, CEO of Ampyx Cyber, says water systems are easy targets because they are “so under-resourced and underfunded.” Still, it’s difficult for malicious actors to cause serious problems. “It’s not easy to cause a significant impact in a water system because they are engineered to prevent this at the physical level,” he says.

Why are hackers doing this?

Some ICS experts think the hackers’ motives for infiltrating water systems and posting videos of their intrusions extend beyond having fun. “It’s an attempt to intimidate, project power, and sow distrust of the system,” Miller says. “The only other possible M.O. I see is that they are cranky about our support for Ukraine, and this is a way to give us the finger.”

The possible geopolitical connection to these hacks contradicts the notion that the Cyber Army of Russia and other Russian threat groups are merely amusing themselves. Erlin thinks the hackers may be showing off their skills to get jobs as official Russian state hackers. “If you want to get hired for a job, you might want to demonstrate that you’re capable of doing that job,” he says.

“And so, if these groups are not arms of the Russian government but would like to work for the Russian government, that may be who the message is for. Let’s compromise something interesting, claim responsibility for it, and gain some notoriety that might get us future paid opportunities from other employers.”

Serino says his threat intelligence colleagues take it a step further. “I am not a threat intelligence person,” he says. “But I have colleagues who are, and they’re surmising that Sandworm is encouraging and feeding this. [Sandworm and the hacktivists] are not part of the same team, but there may be a piece of wire between those two groups.”

Steps CISOs and OT security professionals can take to minimize risk

In the absence of regulations enforcing cybersecurity requirements on water systems, there are some steps OT security professionals and CISOs, who are increasingly responsible for OT systems, can take to minimize water system intrusions.

Given the often-hidden nature of water system assets sprawled across mostly unpopulated areas, the first step is to realize that these assets could be attractive targets. Fabela thinks water asset owners must shake off a small-town mentality. They often think, “Why would anyone else want to access this and do something malicious?” he says.

“It’s just like living in a small town and leaving your front door unlocked because who would possibly want to come through my front door and steal something? I know everyone in town. Then they’re surprised when people from out of town come in and smash-and-grab a few houses in a row,” he says.

Connectivity to the internet is the ultimate concern. Water utilities often connect assets to the internet to make it easier to deal with issues remotely rather than asking a technician, if one even exists, to drive for hours to check out a problem.

Serino says, “Stanton, Texas, is probably like, ‘Who the heck is going to harm us, this tiny little water utility?’ But guess what? You’re sitting on the internet. You’re findable, and you have this vulnerability. Now, you’re just as likely to be a victim as anybody else. And that’s where we’re at and how this is happening.”

Miller likewise thinks there should be a “very hard and tightly restricted separation” between OT and IT technologies in these environments. But if those hard boundaries are not feasible, mandatory multifactor authentication is a must.

Finally, “practice incident response like your job depends on it,” he says.
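The two controls Miller describes, a hard IT/OT boundary and MFA on any remote path that must cross it, can be checked mechanically against a firewall policy. The following is an added example, not code from the article or from any of the quoted experts: it audits a zone-based rule set for OT services reachable directly from the internet, flat IT-to-OT paths, and inbound remote access that does not land on an MFA-enforcing gateway. Zone labels, the rule format and the sample policy are assumptions constructed for the example.

```python
"""Added example: audit a zone-based firewall policy for IT/OT separation and MFA.

Zone labels, the rule format and the sample policy are assumptions for this
example; they are not any utility's real configuration.
"""
from dataclasses import dataclass

# Well-known ports for common ICS protocols and remote-access services.
SERVICE_NAMES = {
    102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
    22: "SSH", 3389: "RDP", 5900: "VNC", 80: "HTTP", 443: "HTTPS",
}


@dataclass(frozen=True)
class Rule:
    src: str           # zone label: "internet", "it-corp", "dmz-jump", "ot-hmi", ...
    dst: str
    port: int
    mfa: bool = False  # True only if the destination enforces MFA on this service


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: Rule
    reason: str


def zone_class(label):
    """Map a zone label to its trust class by prefix: untrusted, it, dmz or ot."""
    prefix = label.split("-", 1)[0]
    return "untrusted" if prefix == "internet" else prefix


def service_name(port):
    return SERVICE_NAMES.get(port, f"tcp/{port}")


def audit(policy):
    """Return a Finding for every rule that violates one of the controls."""
    findings = []
    for rule in policy:
        src, dst = zone_class(rule.src), zone_class(rule.dst)
        svc = service_name(rule.port)
        if src == "untrusted" and dst == "ot":
            findings.append(Finding("critical", rule,
                f"{svc} on an OT asset is reachable directly from the internet"))
        elif src == "it" and dst == "ot":
            findings.append(Finding("high", rule,
                f"flat IT-to-OT path over {svc}; route it through a DMZ jump host"))
        elif src == "untrusted" and not rule.mfa:
            findings.append(Finding("high", rule,
                f"inbound {svc} into {rule.dst} without an MFA-enforcing gateway"))
    return findings


# Constructed policy resembling the exposures the article describes.
SAMPLE_POLICY = [
    Rule("internet", "ot-hmi", 5900),             # vendor VNC straight to the HMI
    Rule("internet", "ot-hmi", 443),              # HMI web UI published to the internet
    Rule("it-corp", "ot-plc", 502),               # corporate LAN speaks Modbus to the PLC
    Rule("internet", "dmz-jump", 443, mfa=True),  # MFA jump host: the intended path
    Rule("dmz-jump", "ot-hmi", 3389),             # jump host to HMI
    Rule("it-corp", "dmz-historian", 443),        # IT reads a historian replica in the DMZ
]

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f"[{f.severity}] {f.rule.src} -> {f.rule.dst}:{f.rule.port}  {f.reason}")
```

The sample policy yields two critical findings (VNC and the HMI web UI exposed to the internet) and one high finding (the corporate LAN talking Modbus to the PLC); the jump-host rules pass because the only inbound path terminates on an MFA gateway in the DMZ and the DMZ-to-OT hop is the designed route. A rule set with only those DMZ paths audits clean.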


Original Post url: https://www.csoonline.com/article/3568804/russian-groups-hack-of-texas-water-system-underscores-critical-ot-cyber-threats.html

Category & Tags: Critical Infrastructure, Cyberattacks, Government IT, Security
