
State-Sponsored Russian Hackers Linked to Breach of Texas Water Treatment Plant

Leading cybersecurity firm Mandiant believes that a notorious group of Russian hackers is behind a recent rash of attacks on water utilities in several countries, including the United States. On January 18 the group was able to induce a tank overflow at a Texas water treatment plant, and has made similar incursions in France and Poland.

The group directly responsible calls itself “Cyber Army of Russia Reborn” or “Xaknet,” and poses as an independent “hacktivist” group that supports its home country. Researchers believe that this group is actually a puppet for Sandworm, a well-known team of Russian hackers that is directly controlled by the Russian military.

Russian hackers show off ability to disrupt operations at water utilities

The headline item from Mandiant is the January tank overflow induced in the town of Muleshoe in north Texas. The security researchers uncovered a Russian-language Telegram channel in which the supposed “hacktivists” took credit for the breach. The group claims to be independent, but researchers have previously linked it to the GRU-controlled Sandworm squad that has been active for about two decades now.

The attack was relatively harmless, not posing a threat of contamination to the 5,000 Muleshoe residents served by the water treatment plant. It essentially just wasted water as the Russian hackers caused a tank to overflow for about half an hour. Local utility workers were able to put an end to the attack by switching to manual offline operations.

Two nearby north Texas towns reported suspicious activity at the time of the breach, though neither was compromised. One town noted unusual cyber activity in a SCADA system used to oversee a different water treatment plant, and another saw a failed attempt on a firewall protecting a similar system. It is unclear if these attempts were also the work of the Russian hackers.

There have been allegations and documentation of Russian hackers breaking into US utilities for at least a decade now, but to date this has been thought to mostly be espionage and testing of defenses that was not meant to draw attention. If a GRU group is behind the active manipulation of water treatment plants on foreign soil, it would represent a significant escalation. Open attacks on critical infrastructure are a relatively new phenomenon, only becoming a major issue with 2021’s Colonial Pipeline and JBS incidents, and thus far have mostly been the work of private for-profit criminal actors. Russia even took the unusual step of voluntarily assisting the US in breaking up the Darkside ransomware gang by making arrests of members in early 2022, about a month ahead of its invasion of Ukraine.

This may indicate that attacks on critical infrastructure are no longer considered “over the line” by Moscow. Mandiant’s report described the Russian hackers as both the most brazen and the most capable and dangerous advanced persistent threat group currently operating.

Bob Huber, Chief Security Officer and Head of Public Sector at Tenable, notes that the federal government can only be expected to do so much to prevent attacks of this sort: “This is a nightmare scenario for many defence experts. Bad actors and nation states no longer need to rely on bullets and missiles. They can tamper with or shut down critical infrastructure by exploiting vulnerabilities in converged IT and OT systems. The U.S. and its allies must do better in their collective defence against these adversaries. In the meantime, critical infrastructure providers should follow a few basic guidelines to prevent attacks from landing. Among them, employing multi-factor authentication solutions, using cryptographic keys in addition to password protection protocols like password rotation, securing remote access, and logging and auditing OT network activity by contractors and employees to prevent identity and credential-based attacks.”

Water treatment plants in US, Poland and France hit

The Russian hackers also used their Telegram channel to post a video claiming a similar attack on a hydroelectric facility in France, temporarily disrupting electricity generation by using industrial controls to alter water levels. The group is also thought to have compromised at least one water treatment plant in Poland.

Mandiant has laid out a variety of evidence backing up its assertion that the Russian hackers are secretly government-controlled. The researchers cite the creation of a YouTube channel by the group that was traced back to known Sandworm infrastructure, and previous instances of the group referencing an attack by the APT group before the incident had become known to anyone. The only element in question, according to these researchers, is exactly how much autonomy the supposed “hacktivist” group has in its operations. The hackers seemed to have only partial knowledge of how water treatment plant controls work, and have been more brazen in their attacks than Sandworm is generally known for, leading to some speculation about how tightly the group is controlled and trained by the GRU.

The Environmental Protection Agency and National Security Council recently issued a joint warning about cyber attacks on the water sector, but their focus was on Iranian and Chinese hacking teams. An attack on a water treatment plant in Pennsylvania this past November was attributed to an Iranian state-backed team, and a report recently revealed that numerous Chinese state-backed hackers were thought to be infiltrating critical infrastructure systems of all sorts and leaving backdoors for future use in the event of a military conflict.

Sandworm is known to specialize in critical infrastructure attacks, but as of late has directed most of its energy to targets in Ukraine as the invasion of that country continues. That team is also generally more interested in knocking out electricity and satellite communications in the region, as well as infiltrating government agencies to steal military secrets.

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, thinks that the Russian government has ordered these attacks for a specific purpose and that more are coming: “Russian cyber militias are targeting critical infrastructure as revenge for American support for Ukraine. These attacks will become more punitive as Putin has unleashed the hounds.”

And Roger Grimes, data-driven defense evangelist at KnowBe4, believes that more critical infrastructure attacks are already occurring than are making the news: “It’s much worse than you think. Anytime you hear of a single entity or name of some company that has been successfully hacked using some method, just realize that it’s only because that one made the news that day and there are literally hundreds of thousands of similar entities making the exact same mistakes right now. And they are either currently compromised or just waiting to be compromised when some adversary just tries. So, don’t just blame these victims for the problems, because the problems are far more widely spread than anyone outside the cybersecurity industry could imagine. This isn’t the exception that many casual readers might think. The sad part about this, despite politicians killing requirements to prevent this sort of attack, is that everyone knows how to prevent this sort of attack…requirement or not, and we still don’t do it. The idea that anyone from the Internet can reach a system that controls critical safety infrastructure is insane! We know it’s insane. Yet, we still let it happen because the controls that make it much less likely to happen might cause some real or imagined inconvenience.”

“I’ve been watching successful attacks against our critical infrastructure happen since before the mainstream rollout of the Internet (i.e., early 1990’s) and the fact these sorts of attacks not only still occur, but are occurring with greater frequency blows my mind! We know we have a problem. Everyone agrees it’s a serious problem. And yet many/most entities in charge of protecting those same systems just don’t try to prevent it. It’s like leaving your car unlocked with a gun in it and acting surprised when a thief opens your car door during the night, steals your gun, and uses it against you. It’s almost like you were welcoming the crime. I don’t mean to belittle the large majority of cybersecurity defenders who are actively spending their lives trying to prevent this from happening, because they get it. It’s the rest of the organization that’s preventing them from being more successful. The whole system is stacked up against the cybersecurity defenders who are trying to do the right thing. And if the cybersecurity defender does do what it takes to stop this type of thing, and it doesn’t happen, you can bet there’s someone in the organization questioning why they are spending so much money or causing so much inconvenience,” added Grimes.