Data Security Decoded 2.3.26
Ep 44 | 2.3.26

When Hacktivists Target Water Utilities: Inside a Russian-Aligned OT Attack

Transcript

>> Daniel dos Santos: If you go back to 2022, when Russia invaded Ukraine, most hacktivist activity focused on defacements, distributed denial of service, and so on, with the goal of sometimes spreading a political message, fighting for freedom of speech or rights on the internet, or things like that throughout the world, right? That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests, and specifically, in this case, pro-Russian interests against Ukraine, against NATO, against the West in general, right? So the motivation that we see with a lot of these groups, at least the main stated motivation, let's say, is to support the war effort of Russia to go against Ukraine, and countries that are supporting Ukraine, to -- in some cases, when they're targeting Ukraine directly, to potentially support the war effort over there. But in many cases, when they're targeting -- for instance, our honeypot was located in the Netherlands, right, which is a country that supports Ukraine. It's more about potentially instilling fear in people who are running critical infrastructure in Europe and the US and the West.

>> Caleb Tolin: Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin. And if this is your first time joining us, welcome to the show. Thanks for spending some time with us. Make sure you hit that Subscribe button so you're notified when new episodes go live. And if you're already a subscriber, thanks for coming back and spending more of your time with us. Give us a rating. Drop a comment below. Let us know what you think about the show. This helps me know what you want to hear more of, and it helps us reach more listeners just like you. Now, today, I had a conversation with Daniel dos Santos, the Vice President of Research at Forescout Technologies, and we discussed an incident that their team tracked via a honeypot, which caught Russia-aligned hacktivist activity targeting a decoy water treatment plant. Let's get into it.

[ Music ]

Daniel, thank you so much for joining us today. Before we dive into the meat of the conversation, what is something that's not related to cyber that you're completely obsessed with lately? Mine's going to be stained glass. I'm kind of obsessed with it right now. I'm collecting lamps, decor, all sorts of stuff that has stained glass. Ideally, one day I'm going to get something with the Tiffany style. I am realizing I'm a bit of a hoarder -- collector of right now, and really, really enjoy it. So what's the thing that you're obsessed with lately that's not to do with cyber?

>> Daniel dos Santos: I've been having some time lately to finally catch up on series and movies and things like that, and I've been obsessed with this series called "1883," which is kind of a prequel of "Yellowstone," and it's basically, you know, about a Western -- so, you know, following Westerns these days. It's really, really interesting.

>> Caleb Tolin: Very nice. Very nice. Well, for our listeners, now they have a new Netflix recommendation. So to get into it, you are at Forescout Research, which is an organization that focuses on threat intelligence, and you recently released a report on a Russian hacktivist-aligned group targeting OT and ICS environments. The way your team discovered this was by setting a honeypot out to catch threat actors. To start, how did your team identify this attack, and once you discovered it and began to observe the threat actor's behavior, what happened as you watched the attack happen?

>> Daniel dos Santos: Yeah, that's actually a very interesting question because the attack was somewhat fast, right? It lasted only a couple of days. When we actually noticed it first -- because it's a honeypot network, so it's not something that, you know, triggers all alarms, and it's all hands on deck, and we need to go and immediately do something about it. We let the attack happen so we can study the whole thing. We actually noticed it first when it was posted on Telegram. Usually, these groups, these types of hacktivist groups operate by announcing the attacks that they have done, right? Claiming attacks, claiming their victims, and posting it on -- Telegram is the social media of choice, let's say. Sometimes X and other platforms, but Telegram is really the one that they use the most. And we noticed, in one of these groups that were emerging, that we were looking at, that they posted an attack on something that looked very familiar to us. So we looked at the honeypot that we ran, and we were like, "Okay. This was an attack that happened here, just happened yesterday, so let's reconstruct everything that happened." And interestingly, they actually posted a video of the actions that they did, and we could kind of compare the video that they posted, the actions that they had with the firsthand observations that we had behind the scenes to really reconstruct everything that was done and understand kind of what was going on behind the minds of the attackers as well, right? As they were going through this kind of attack.

>> Caleb Tolin: Right. And how -- these organizations, we can step out and talk about these hacktivist groups a little bit more broadly, and this specific use case, too. But what was the entry point, and was it similar to other attacks that you've observed in this similar kind of fashion?

>> Daniel dos Santos: Yeah. So the entry point is something that we call HMI or human machine interface, which, in operational technology and industrial control systems, is, as the name implies, the kind of thing that humans use to interact with the machines, right? So it's basically the graphical user interface, the things where you press the buttons to control the processes. In our case, specifically, since we were simulating a water treatment facility, it was a web application showing some tanks, and those tanks were, you know, rising water levels, and then you could control some chemicals that go in, and so on, and then the tanks would, you know, go up and down and all that. So that was the entry point. They basically saw that exposed on the internet on purpose. We had exposed that, and it had default credentials, right, which is something that we see often happening with exposed operational technology to this day. So something as simple as admin/admin, or admin1234, and they basically managed to get in, and from there launch the rest of the attack, right? Exploit vulnerabilities and tamper with settings, and so on and so on. But to answer your question as well, yes, this is very similar to a lot of activity that we see from these types of groups, where they are usually not necessarily focusing on one particular target, one particular organization that they need to attack. It's more like whatever they can find that is of interest, that is relevant, that is exposed on the internet, and that is easy to attack will be attacked, right? So that's most likely how they found our honeypot by using tools such as, you know, Shodan, Censys, one of those mass internet scanning tools that show these exposed systems, and then they just tried a default credential, default username and password, managed to get in, and from there, they launched the rest of the attack.
Interestingly, a couple of weeks after this attack, there was an alert from the Canadian government about similar types of attacks from hacktivist groups, also, you know, hacking through HMIs and initial access via exposed devices. So this is something that is happening throughout the world, and the attack we caught is very similar to other things that we observe often.

>> Caleb Tolin: Right. I want to loop back to something you mentioned about these organizations are targeting targets that are of interest to them. And something that we've explored in previous episodes, we had one just a couple months ago with Morgan Adamski, where we were talking about how China is prepositioning in US critical infrastructure for some type of conflict that relates to China-Taiwan. And that's really their motivation for getting into these critical infrastructure systems. I would love to talk about the motivation for these Russian-based hacker groups, even these hacktivist groups that you're talking about. What is their motivation behind this? Is it disruption? Is it espionage? Is it financial gain? Is it prepositioning for something kind of similar in terms of, like, what's happening with Ukraine and Russia in their conflict? What is the motivation behind these types of groups?

>> Daniel dos Santos: Yeah, it's a very interesting question because different groups have somewhat slightly different motivations, but there's obviously a common theme tying all of them together. And it's a very rapidly changing kind of ecosystem, right? So if you go back to 2022 when Russia invaded Ukraine, most hacktivist activity focused on defacements, distributed denial of service, and so on, with the goal of sometimes spreading a political message, fighting for freedom of speech or rights on the internet, or things like that throughout the world, right? That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests, and specifically, in this case, pro-Russian interests against Ukraine, against NATO, against the West in general, right? So the motivation that we see with a lot of these groups, at least the main stated motivation, let's say, is to support the war effort of Russia, to go against Ukraine and countries that are supporting Ukraine, to, in some cases, when they're targeting Ukraine directly, to potentially support the war effort over there. But in many cases, when they're targeting -- for instance, our honeypot was located in the Netherlands, right, which is a country that supports Ukraine. It's more about potentially instilling fear in people who are running critical infrastructure in Europe and the US and the West and so on. There is also a tendency nowadays for some of these groups to actually be much more involved with actual state activities, right? Some of these groups are known to be fronts for state-sponsored, really, actors. So we've had the examples in the past of CyberAv3ngers. We've had the example of the Cyber Army of Russia Reborn. We've had the example of other groups that have been known to be aligned with actually state-sponsored actors. And there is a third element in terms of motivation that is kind of emerging these days.
As I said, it's kind of a fast-moving landscape which seems to connect to financial gain as well, which is something that we wouldn't expect mostly from hacktivists. We would usually expect that from cybercriminals, right? Ransomware gangs and data leak groups and so on. But we do see more and more often, when we are tracking some of these groups' chats on Telegram, the offers for, you know, selling data that was exfiltrated or selling initial access into organizations or selling new exploits and things like that, selling new ransomware services. So, in many cases, we are, you know, still scratching our heads and figuring out, "Is this real? Is this potentially a scam? Are they actually trying to make money or just create confusion and so on?" It's a very -- like I said, an ecosystem that's evolving very fast, and the main motivation remains, you know, supporting state efforts from Russia. But it seems like some of these groups are branching out into other types of activities as well.

>> Caleb Tolin: Right. Right. And if it's confusing so much for the researchers and the threat intelligence community like you, imagine just how confusing it can be for the defenders that are operating these systems, too. So I'd love to kind of shift and focus on, like, okay, we've talked about the problem. It's obviously very rampant. What can organizations do about this? So there was a really great interview with a former senior security official that went out just a couple months ago. It was on 60 Minutes. And he was talking about how once these bad actors are in these environments, it's very difficult to root them out. So, for the organizations that maybe are doing their threat hunting and threat detection, and they're identifying someone in their system, what can they do to start rooting out these attackers from those OT environments?

>> Daniel dos Santos: Yeah, I would like to start by trying to prevent them from getting there in the first place. Obviously, once they're in, you know, it's all hands on deck, and we need to respond, and we need to root them out, as you said. But I think that really an activity that helps both on the preventive side, the proactive side, and the reactive side that I always start with as, like -- the first recommendation is increasing visibility on the network, right? And what I mean by that is making sure that you can actually, from a central point of view, see all the assets that you have connected to your network, who they're communicating with, you know, what vulnerabilities they have, what are the credentials that they have, right? Like I said, you know, default credentials being used in a device is never a good idea. And once you have this increased visibility, then you can start proactively understanding what you can do to reduce risk and potentially decrease the likelihood of an attack happening, and then reactively understanding what is the actual compromise that has happened in your network. Because part of the reason why it's difficult to root out the attackers, as you mentioned, is that nowadays they're not only using the traditional endpoints for attacks anymore. They're not just, you know, getting into your Windows workstation, and then once you uninstall a malware, then the attacker is gone. No, they will often get initial access from a networking equipment, then move to the Windows workstations, then move to domain controller, then move to IP cameras on your network or whatever else that might be that is unmanaged, right? So there is always a place to hide in the network where, if the defender doesn't have enough visibility, doesn't know what's actually going on, the attacker can start again from there and kind of recreate the infection.
That's one of the reasons why it's kind of difficult to root out these actors once they are inside, and it's also why it's so relevant to make sure that you can see all the devices in the network and understand, you know, which of those will be potentially more likely to be entry points so you can do something beforehand, right? Obviously, we can go into specific recommendations once you have visibility to, you know, not use default credentials, as I mentioned, or weak credentials or reused credentials that have been leaked in the past, you know, patch devices, not expose them on the internet, have network segmentation. All of those are relevant, and we could spend a whole podcast, a whole hour here discussing those, but it really starts with making sure that you have visibility into everything, which means don't just rely on the traditional, you know, endpoint detection response or your traditional agents on your Windows machine that are very relevant. You should have them, but you should not only rely on them for visibility.

>> Caleb Tolin: Absolutely. Absolutely. And for our listeners who are absorbing all of this and trying to figure out what they do about this challenge, what is really, like, the one, two, maybe even three things that you really want them to walk away from this conversation understanding how they can address these threats? Anything else that you haven't already mentioned?

>> Daniel dos Santos: Yeah. No, no, for sure. So I think that one thing -- when I talk about this type of threat, the attacks that we captured, the attacks that we analyzed, and so on, one thing that I always like to leave people with is that attacks are not only the targeted super sophisticated nation-state attacks these days, right? Obviously, people are very focused on talking about the Russian threat or the Chinese threat or whatever other threat might be, you know, targeting your network with sophisticated malware and unlimited budgets from nation-states and all that. And all that is happening and all that is scary and is something you should worry about and protect against. But there is also the kind of attack that I just -- we just discussed, right, which is much more opportunistic, much less targeted, and much more focused on just kind of spreading chaos, right? And that is the hacktivists we mentioned. There is botnets. There is, you know, automated exploits out there, and so on, and so on. A lot of this is happening kind of in the background. It's kind of the background noise of the internet these days, and it does affect critical infrastructure organizations, right? So my main takeaway is pay attention to all the targeted stuff, all the fancy sophisticated malware out there, that's very relevant, but make sure that you have done the basics as well to protect against the more opportunistic attacks, and that you are not the easy prey. Because that's kind of the point of the opportunistic attackers, right? They will go after the easy prey, and if they can get those, then, you know, it doesn't matter if they can get also harder targets or not. Leave those for the state-sponsored super sophisticated actors. So that's my main takeaway, really. Pay attention to not just what sounds fancy and sophisticated, but the whole threat landscape.

>> Caleb Tolin: Absolutely. Absolutely. Well, Daniel, thank you for joining us. Where can folks find you and learn more about the amazing work that you and your team are doing?

>> Daniel dos Santos: Yeah, so you can find me on LinkedIn, Daniel dos Santos at Forescout, and you can email me as well, daniel.dossantos@forescout.com, and just, you know, have a look at all the work that we're doing. We often publish reports, blogs. I post on LinkedIn from time to time. We have a newsletter. We have lots of ways that you can, you know, consume the research that we're doing, but also discuss things of interest, and that we can, yeah, have a conversation.

>> Caleb Tolin: Wonderful. Well, thank you again for joining us, and until next time.

>> Daniel dos Santos: Thank you, Caleb.

[ Music ]

>> Caleb Tolin: Thank you for spending some time with me today. If you like what you heard, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback really helps us understand what you want to hear more about. And if you want to reach out to me directly about the show, email me at data-security-decoded@n2k.com. That's the letter N, number 2, letter K.com. Thank you, Rubrik, for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Eiben. Content strategy by Mayan Plaut. Sound design by Elliott Peltzman. Audio mixing by Elliott Peltzman and Tré Hester. Video production support by Brigitte Criqui Wild and Sarelle Joppy. Thank you so much, and see you next time.

[ Music ]