Russian hackers claim cyberattack on Indiana water plant

A Russia-linked hacker group has claimed responsibility for a cyberattack on a water and wastewater treatment plant in Indiana.

The threat actor known as the Cyber Army of Russia posted a video on its Telegram channel over the weekend showing how the hackers allegedly interacted with the systems of the Tipton Wastewater Treatment Plant.

The group hasn’t published any other details about the hack, but an Indiana official told CNN that the plant had indeed been a victim of a cyberattack on Friday evening, “prompting plant managers to send maintenance personnel to investigate the suspicious activity.”

The general manager of Tipton Municipal Utilities (TMU), Jim Ankrum, said in a comment to CNN that the facility was targeted but hasn’t been compromised. 

“TMU experienced minimal disruption and remained operational at all times,” he said.

The enterprise operates four separate utilities that serve the city of Tipton and parts of the surrounding areas with electric power, water, and wastewater collection and treatment.

The investigation into the recent incident is still ongoing, and not much is known about how hackers got into the plant’s system and what the real damage of the attack was, if any.

The Cyber Army of Russia announced its purported operation against TMU a few days after the Google-owned security firm Mandiant released a report claiming that the group is linked to another Russian state actor, Sandworm, and was responsible for an attack on a water facility in Texas in January. The attack caused a tank at a water facility in Muleshoe, Texas, to overflow.

Mandiant said it cannot independently verify this intrusion or the group’s links to APT44. However, researchers noted that officials from the affected U.S. utilities publicly acknowledged incidents at entities advertised as victims in a video that the Cyber Army of Russia posted on its channel.

"Comrades, today the collective rotten West recognized us as the most reckless hacker group," the hackers wrote in response to the release of the Mandiant’s report. "As long as they fear us, let them hate us as much as they want."

Over the weekend, the group said that the operation against Indiana’s facility is just one in a series of attacks on U.S. infrastructure.

According to Mandiant, the Cyber Army of Russia poses as a hacktivist collective, but in reality has a close operational relationship with Sandworm.

The group carries out attacks, mostly distributed denial-of-service (DDoS), against countries deemed unfriendly to Russia. It often collaborates with other Russian hackers, including NoName057(16).

The group announced an attack over the weekend on an LGBTQ+ organization in Spain, and last week it claimed to attack Spanish banks and retail organizations.