Critical infrastructure operators urged to harden systems against pro-Russia hackers

Pro-Russia “hacktivists” are targeting North American and European critical infrastructure, U.S. and international partners warned on Wednesday, urging operators and equipment vendors to take urgent action to better defend their systems.

The hackers have remotely accessed infrastructure entities through human machine interfaces that largely relied on factory default passwords or lacked multifactor authentication, according to the advisory from the Cybersecurity and Infrastructure Security Agency (CISA). It does not specify the identities or affiliations of the attackers. 

The U.S. and its partners “have not identified any operational impact from any of the reported intrusions,” Eric Goldstein, executive assistant director for cybersecurity at CISA, told reporters on a conference call.

The advisory comes in the wake of a series of cyberattacks on American infrastructure sites claimed by Russian hackers. 

The Google-owned security firm Mandiant last month issued a report that said a group purportedly behind a January attack on a water facility in rural Texas, the Cyber Army of Russia, is linked to notorious Russian state actor Sandworm. The group later claimed credit for a cyberattack on an Indiana water plant.

The CISA document refers to the Texas incident, noting that some intrusions into water systems caused pumps to "exceed their normal operating parameters" or disabled alarms. 

"Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations,” according to the advisory.

Goldstein said the federal government is “not assessing a connection” between the recent malicious activity and Sandworm. He noted the U.S. is “conducting ongoing analysis to ensure that we are continuously understanding the threat as it evolves.”

Goldstein similarly demurred when asked how much of the hacking campaign is driven by Washington’s support of Ukraine in its war with Russia.

“Russian hacktivist groups have publicly stated their intent to undertake these kinds of activities to reflect their support for the Russian regime,” he told reporters.

Goldstein challenged the vendor community to “deploy as a default” technology with better security controls to prevent such breaches.

“There is no reason why any technology product should be coming off the shelf with a factory default password that is not immediately changed upon installation. There is no reason why any technology product does not have a multi factor authentication, at least for external access,” he said, highlighting the security standards called for in last year’s National Cybersecurity Strategy and CISA’s own “Secure by Design” effort.

In a statement, Dave Luber, the head of the National Security Agency’s Cybersecurity Directorate, urged administrators at critical infrastructure organizations to “implement the mitigations outlined in this report, especially changing any default passwords, to improve their cybersecurity posture and reduce their system’s vulnerability to this type of targeting.”