The hacking talents of script kiddies may not have matured much in the past two decades, but their marketing skills sure have. Most of these groups operate under the label of hacktivism and carry out defacements and other relatively low-skilled attacks increasingly against operational technology and industrial control systems.
In this episode of the Nexus podcast, Ron Fabela dissects the activities of some of these groups, explaining exactly what their capabilities are and how successful they are at marketing themselves. Fabela delivered a presentation on the topic at the recent S4 conference in Tampa, Fla.
“They see it as fun, almost like the old Anonymous days. Just the trolling aspect of this is really what they're focused on,” Fabela said.
The reality of it, however, is that when attacks such as the CyberAv3ngers’ defacements of Unitronics integrated PLC/HMI units, or the activities of the Russian Cyber Army (RCAT/CARR) or Z-Pentest reach the public eye, entities such as CISA and law enforcement are forced to investigate. Internal security teams must understand whether this “threat” is a risk to their respective organizations, and also must soothe chief information security officers who are reading headlines and asking questions.
“Maybe CNN picks up on it. CISA puts out a Joint Report, and us in the community just read that and say, ‘Oh my gosh, stuff's happening,’” Fabela said.
In the end, most of this activity is “for the LULz” and for credibility on Telegram and other communities where these groups are overly vocal about their exploits. All of this, of course, is in sharp contrast to the approach of a true advanced attacker, who relies on stealth and quiet access to critical systems to carry out their missions. The fact of the matter, Fabela said, is that these groups are skilled marketers.
“The joke is when you watch the Cyber Army Russian Reborn and their videos, it's like they have a Canva Pro account. They have the intros and the music and they have logos, and you really got to hand it to them,” Fabela said. “They sometimes do better marketing than vendors and consultants do.”
Fabela urges security leaders to see for themselves by finding these groups on Telegram, watching their videos, and understanding whether there is a level of sophistication to these groups.
“I have worked with some government folks, and they have said, ‘I don't even feel comfortable going to that web page,’” Fabela said. “As you demystify these things, then they become less scary, and more manageable.”
During his talk at the S4 Conference, Fabela recommended asking a few simple questions whenever any of this activity surfaces: Is it targeted? Is it advanced? Was the target truly critical infrastructure? Was there operational impact? The answer to many of these questions is generally “no,” which allows teams to prioritize mitigation and remediation more sensibly.
“Part of the observation or the kind of observation bias that at least I admit that I have is that based on public information, they all matched a pattern, which was log into something that's already online, push buttons, make a video, have LULz, get community credit,” he said.
Fabela added that this is a good reminder to lock down basic security hygiene. With regard to OT, that means not connecting PLCs and other critical devices directly to the internet, changing default or weak passwords, and monitoring everything.
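The hygiene checks above translate directly into an inventory review a defender can automate. The script below is an added example, not code from the podcast or from Claroty: it walks a constructed OT asset list and flags the three conditions named here (a PLC or HMI whose management interface sits outside the assumed OT address ranges, default or weak credentials, and no monitoring), ranking assets that are both exposed and weakly protected first, since that combination is exactly the “log into something that's already online” pattern. The OT ranges, the weak-password list and the inventory entries are all constructed for illustration.

```python
"""Hygiene triage over a constructed OT asset inventory (added example).

Flags the three conditions the article names: a PLC or HMI reachable
outside the OT network, default or weak credentials, and no monitoring.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed OT address ranges; a management interface outside these is treated
# as reachable from elsewhere (constructed values).
OT_NETWORKS = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed list of weak/default-style passwords, not any vendor's defaults.
WEAK_PASSWORDS = {"", "1111", "password", "admin", "changeme"}


@dataclass
class Asset:
    name: str
    kind: str        # "PLC" or "HMI"
    mgmt_ip: str     # address the management/web interface listens on
    username: str
    password: str
    monitored: bool  # True when its logins and changes feed a SIEM or OT monitor


def is_exposed(asset: Asset) -> bool:
    """True when the management interface sits outside the defined OT ranges."""
    addr = ip_address(asset.mgmt_ip)
    return not any(addr in net for net in OT_NETWORKS)


def has_weak_credentials(asset: Asset) -> bool:
    """True for a listed weak password, a password equal to the user name, or a short one."""
    pw = asset.password.lower()
    return pw in WEAK_PASSWORDS or pw == asset.username.lower() or len(pw) < 8


def triage(assets):
    """Return [(asset name, [issues...])], riskiest first.

    Exposed plus weak credentials is the 'already online, push buttons'
    pattern, so those assets sort to the top; ties break on issue count.
    """
    findings = []
    for a in assets:
        issues = []
        if is_exposed(a):
            issues.append("exposed")
        if has_weak_credentials(a):
            issues.append("weak-credentials")
        if not a.monitored:
            issues.append("unmonitored")
        if issues:
            findings.append((a.name, issues))
    findings.sort(
        key=lambda f: (
            -int("exposed" in f[1] and "weak-credentials" in f[1]),
            -len(f[1]),
            f[0],
        )
    )
    return findings


# Constructed sample inventory.
INVENTORY = [
    Asset("pump-plc-01", "PLC", "203.0.113.5", "admin", "1111", False),
    Asset("tank-hmi-02", "HMI", "10.10.4.20", "operator", "Wk8!pump-line", True),
    Asset("line3-plc-07", "PLC", "10.10.7.3", "admin", "admin", True),
]

if __name__ == "__main__":
    for name, issues in triage(INVENTORY):
        print(f"{name}: {', '.join(issues)}")
```

Run as-is, the report lists pump-plc-01 first with all three findings and line3-plc-07 second with only weak credentials; tank-hmi-02 produces no finding. Feeding the same function a real inventory export is the point: the output is the list a security team can hand to operations before the next headline arrives.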
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.