Operational Resilience
Operational Technology
Internet of Things
Industrial
Healthcare
Cyber Resilience
Risk Management

Nexus Podcast: Joe Slowik on Securing Exposed Internet-Facing Assets

Michael Mimoso / Apr 14, 2026

Today’s hacktivism is not your father’s hacktivism. 

These threat actor groups, once characterized by their attention-seeking behavior via website defacements and other nuisance tactics, have a decidedly new approach on their resumes. 

“It's been interesting to see the shift in hacktivist operations change from just messaging and DDoS activity to really zeroing in on things that we would call critical infrastructure,” said Joe Slowik, Director of Cybersecurity Alerting Strategy at Dataminr, on this episode of the Nexus Podcast. “Especially in weakly defended or less well-resourced areas like water, wastewater, trying to do things in power with not a whole lot of success there as far as I can tell, but it has been a concerning shift.”

Hacktivists Now Sympathetic to Geopolitics

A recent Team82 report called “Analyzing CPS Attack Trends” linked hacktivist groups sympathetic to geopolitical causes to more than 200 incidents where operational technology and other cyber-physical systems and assets were leveraged. Most of the attacks were decidedly low-tech, often involving the exploitation of weak or known default credentials, or ancient communication protocols lacking basic security features.

The key was that most of these assets were exposed online and easily searchable using publicly available internet-scanning tools. These searches can return IP ranges on which assets are operating, or whether assets are listening on protocols such as Modbus and DNP3, or others that could be critical and yet can be interacted with directly, Slowik said.

“We see with a lot of these hacktivist entities that don't have very good resourcing,” said Slowik, who expands on this in a recent Dataminr report. “But then if we take a step up to more of the concerning state-aligned, state-directed adversaries, like your Russian GRU, like your Volt Typhoon, they are able to develop and implement these scanning mechanisms directly and not rely on the commercial databases to do so. And as a result, I think we see not just direct targeting of such items, but opportunistic targeting of certain technologies or certain platforms for which exploits exist or for which capabilities are present.”

Low-Hanging Fruit: HMIs, PLCs

Many simple compromises against human-machine interfaces (HMIs) or programmable logic controllers (PLCs), often the lowest-hanging fruit, exploit weak authentication and come at the expense of utilities that are often under-funded and under-resourced. The issue is that many of these groups and incidents generate alarming headlines and social-media boasts by the threat actors, but in reality have very little real-world impact on critical infrastructure, Slowik said.

“Even the ability to necessarily engage in meaningful disruption is limited because of other safety controls, other security controls that go beyond the cyber realm into physical and engineering safeguards,” Slowik said, pointing out that high-profile incidents in Muleshoe, Texas, and a Norway dam are characteristic of this dynamic. “We see these items affect relatively small, under-resourced and similar entities, but you're not going to see this at the Hoover Dam or a massive Exelon nuclear power plant sitting somewhere in the Midwest or something along those lines.”

Slowik cautions that even with solid asset inventories and an awareness of the problem, there are thousands of exposed assets to contend with. “Without a kind of a wholesale rip down, tear down of these things, the problem isn't going to go away,” he said. 

What can help is for scanning services, researchers, and vendors to be diligent about notifying potential victims when an exposure is discovered or when specific assets are being targeted.

“Just notify these places when you find them,” Slowik said. “We don't have to score internet cool-points and post it on X or whatever and say: ‘Look what I found.’ It's not that hard to figure out these entities and reach out to them or reach out to the municipality that they operated and say, ‘Hey, we found this. Hopefully someone's listening.’”

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
