Russian-Backed Cyber Attacks: Targeting Water Service Providers & Critical Infrastructure
Saying there has been an increase in cyber-attacks is a little like stating that energy and food prices are increasing. Recently, however, international media have reported in particular on large-scale cyber-attacks targeting elements of Critical National Infrastructure sectors:
A centralised Swedish human resources system, servicing several Swedish Government agencies, reported a ransomware attack in January 2024.
Texas water facilities targeted and sabotaged in January 2024.
Energy, heating and water sites targeted in Ukraine in March 2024.
Flights to Baltic countries reporting GPS signal errors leading up to March 2024.
Wastewater treatment plant in Indiana, US, targeted on 19th April 2024.
These events have taken place in several countries. Responsibility has been claimed by several groupings previously identified as operating with the support of Russia. Though this activity has been taking place for some time, it is the frequency and geographic spread of the attacks that have sparked conversation.
How Did We Get Here?
Cyber-attacks on national infrastructure have become a global concern, with Russian-based cyber groups being among the most prominent actors in this space. The motivations behind these attacks include espionage, disruption of services, financial gain, or geopolitical objectives.
Russian cyber groups are known for their sophistication in carrying out targeted cyber operations. These groups often operate with the support or tacit approval of the Russian government, blurring the lines between state-sponsored and independent cyber activities.
Previous Attacks on National Infrastructure:
Russian-based cyber groups have a history of targeting national infrastructure in various countries. In 2015, a cyber-attack on Ukraine’s power grid left thousands without electricity. It was attributed to the Sandworm Team, a group believed to have ties to the Russian military intelligence agency, GRU.
In 2017, the NotPetya ransomware attack was also linked to Russian cyber groups. While NotPetya was primarily aimed at financial institutions and multinational corporations, it demonstrated the potential impact of cyber-attacks on critical infrastructure.
Modus Operandi:
Password Spray: APT29 often attempts to gain unauthorised access by systematically trying a few common passwords across multiple accounts. This technique allows them to identify weak credentials and gain initial access.
API Abuse: Threat actors exploit vulnerabilities in APIs (Application Programming Interfaces) to gain access to sensitive data or execute unauthorised actions.
Phishing: APT29 uses targeted phishing emails to deceive victims into revealing login credentials or downloading malicious attachments. These emails appear legitimate, making it challenging for recipients to discern the threat.
Token Theft: By stealing authentication tokens or session cookies, APT groups can impersonate legitimate users and access sensitive resources.
Post-Exploitation Malware: APT29 develops custom malware capable of maintaining persistent access to compromised environments. This allows them to continue their operations even after initial infiltration.
Exploiting Known Vulnerabilities: Russian APTs take advantage of known software vulnerabilities to gain access to systems.
Credential Roaming: APT29 has been observed using a lesser-known Windows feature called Credential Roaming. This technique allows them to move laterally within a network by stealing credentials from one system and using them on another.
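A defender's view of the password spray pattern described in the list above, as an added example that is not part of the original article: it flags a source that fails against many accounts with only a few attempts each, and reports any login that then succeeds from that source. The log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp src_ip username result"
SAMPLE_LOG = """\
2024-04-19T08:00:01 203.0.113.7 asmith FAIL
2024-04-19T08:00:03 203.0.113.7 bjones FAIL
2024-04-19T08:00:05 203.0.113.7 cpatel FAIL
2024-04-19T08:00:07 203.0.113.7 dnguyen FAIL
2024-04-19T08:00:09 203.0.113.7 scada_op FAIL
2024-04-19T08:00:11 203.0.113.7 hmi_admin OK
2024-04-19T08:01:00 198.51.100.4 asmith FAIL
2024-04-19T08:01:05 198.51.100.4 asmith FAIL
2024-04-19T08:01:09 198.51.100.4 asmith FAIL
2024-04-19T08:01:14 198.51.100.4 asmith FAIL
2024-04-19T08:01:20 198.51.100.4 asmith FAIL
2024-04-19T08:01:30 198.51.100.4 asmith OK
"""

def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts with few tries each."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, ip, user, result in parse(log):
        (failures if result == "FAIL" else successes)[ip].append((ts, user))
    alerts = []
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            # Many accounts, few tries each: spray. One account, many tries: brute force.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first = events[start][0]
                logins = sorted({u for t, u in successes[ip] if t >= first})
                alerts.append({"src": ip, "accounts": len(per_user), "successful_logins": logins})
                break
    return alerts
```

The second source in the sample hammers a single account and is deliberately not flagged: that pattern is caught by per-account lockout, which a spray is designed to stay under.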
Detailed Analysis of More Recent Attacks:
In 2024, there have been several reported cyber-attacks targeting water companies in different regions. These attacks were allegedly orchestrated by Russian-based cyber groups, aiming to disrupt water supply systems. Southern Water reported in February 2024 that up to 500,000 customer records had been stolen in the previous month. Further reports by other national agencies have raised suspicion that the attack was conducted by groups supported by Russia and its intelligence services.
The most recent incident took place in North America, where hackers targeted a major water utility company responsible for supplying drinking water to millions. The attackers launched a coordinated ransomware attack that encrypted crucial systems controlling water purification and distribution.
The ransom demand issued by the hackers threatened to release harmful chemicals into the water supply if their demands were not met within a specified timeframe. This alarming threat prompted emergency response measures by local authorities and cyber security experts working tirelessly to contain the situation and restore normal operations.
The most recent attack, on 19th April 2024, targeted a wastewater treatment facility in Tipton, Indianapolis. Only limited information has been released to date. However, it has been stated that the attack resulted in limited consequences and targeted units of Operational Technology that are connected to the internet for communication purposes.
Attackers recorded the activity and released the footage on social media channels, reportedly showing them manipulating the software that handles equipment that aerates fluids. However, the representative from the wastewater facility stressed that the facility continued to operate throughout the attack.
Why Attack Water Companies (And Other Critical National Infrastructure)?
Complex Environment: Any environment that presents a crossover and dependency between IT and OT will raise the likelihood of exploitable vulnerabilities.
Training Ground: This complex environment is a fantastic training ground for cyber groups to test their capabilities or develop new methods of attack.
Reconnaissance: Large customer bases and the delivery of vital services present a good opportunity to test and identify the emergency response capabilities of a nation.
Strategic Importance: Water infrastructure is critical for any nation’s stability and well-being, operations and even public health.
Misdirection Through Destabilisation: Disrupting water utilities can have significant economic, political and environmental consequences. Ransomware attacks can cause financial losses and operational disruptions which, in turn, can lead to other activity conducted by Russia or its allies going relatively unnoticed.
Mitigation Efforts for Attacks on Water Companies:
In response to the increased attacks on water companies, governments and organisations have ramped up cyber security measures. Enhanced monitoring systems, incident response plans, employee training programs, and information sharing initiatives have been implemented to strengthen defences against future attacks.
International cooperation amongst cyber security agencies has also played a crucial role in attributing attacks to specific threat actors and holding them accountable. Sanctions, indictments, diplomatic pressure, and public attribution statements have been used as tools to deter malicious behaviour.
What Can Water Companies Do to Protect Themselves from Cyber Threats?
Secure Connections Between OT and IT
Continually Monitor and Remediate Vulnerabilities
Secure and Monitor Remote Desktop Protocol (RDP)
Increase Security Awareness and Training
Cyro Cyber work with organisations of all sizes to ensure that they identify and protect their environments. Cyro understands that this activity is not merely a compliance or legal obligation, but a matter of national security. To harness this expertise, contact Sam Sorrell (sam.sorrell@cyro.uk).
Conclusion:
As threat actors become more sophisticated, collaboration between public and private sectors at both national and international levels has never been more essential for building resilience against threats and ensuring the reliability of vital public services.
The 2024 attacks on water companies serve as a stark reminder of the vulnerabilities inherent in interconnected systems that underpin essential services like water supply. Enabling a legacy asset to communicate with a modern command and control system is a delicate process and the subsequent security measures must not be overlooked.
____________________________________________________________________________________________________
Author: Peter Lane, Principal Information Assurance Consultant, Cyro Cyber
Cyro's decades of combined experience can help you understand, implement and test the controls needed to satisfy the regulators, while protecting your data and avoiding the fines and reputational damage a breach can bring.
Drop us a line to discuss your compliance challenges: peter.lane@cyro.uk