US warns of Russian hackers targeting operational technology in water systems

The East Bay Municipal Utility District Wastewater Treatment Plant in Oakland, California. The Cybersecurity and Infrastructure Security Agency and international counterparts warned of cyber threats to U.S. water systems from Russian threat actors. Justin Sullivan/Getty Images

The advisory represents official U.S. confirmation that Russian operatives have breached water systems.

U.S. agencies are warning operators of North American and European water treatment systems to watch for, and take steps to prevent, a surge of Russia-linked hackers trying to break into their operational technology.

The advisory, issued jointly with French, Canadian and British authorities, says that pro-Russia activists are “targeting and compromising” the operational technology platforms that underpin wastewater and water treatment systems, at times posing physical threats to safety.

The NSA, FBI, Department of Energy and Department of Agriculture were also included in the notice. CNN first reported on the release.

According to the advisory, this malicious activity “has been observed since 2022 and as recently as April 2024.”

The alert says that water operators are employing poor security practices that have allowed the hackers to breach their networks, including leaving in place the default passwords that ship with water system management tools when they are first installed.

The hackers have “manipulated [human-machine interfaces], causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords” to lock real users out of their wastewater treatment systems, it later adds.
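As an added illustration (not code from the advisory or from this article), the following rule set scans HMI audit records for the three behaviours described above: setpoints pushed past normal operating limits, alarms switched off and administrative passwords changed. The log format, tag names and operating limits are assumptions constructed for the example.

```python
# Added example: flag HMI audit events matching the behaviours the advisory
# describes. Log format, tags and limits are constructed for a hypothetical plant.
from collections import Counter

# Constructed per-tag operating envelopes (low, high).
NORMAL_RANGE = {"PUMP1_SPEED_SP": (0.0, 80.0), "BLOWER2_PRESSURE_SP": (0.0, 60.0)}

# Constructed sample of pipe-delimited HMI audit records:
# timestamp|user|action|target|value
SAMPLE_LOG = """\
2024-04-10T02:10:11|operator|SETPOINT|PUMP1_SPEED_SP|55
2024-04-10T02:14:05|admin|SETPOINT|PUMP1_SPEED_SP|100
2024-04-10T02:14:30|admin|SETPOINT|BLOWER2_PRESSURE_SP|95
2024-04-10T02:15:02|admin|ALARM|HIGH_PRESSURE|DISABLE
2024-04-10T02:16:40|admin|PASSWORD|admin|CHANGED
"""

def parse(line):
    """Split one audit record into its five fields."""
    ts, user, action, target, value = line.split("|")
    return {"ts": ts, "user": user, "action": action, "target": target, "value": value}

def check(rec):
    """Return a finding label for one record, or None if it looks routine."""
    if rec["action"] == "SETPOINT":
        lo, hi = NORMAL_RANGE.get(rec["target"], (float("-inf"), float("inf")))
        v = float(rec["value"])
        if v < lo or v > hi:
            return "setpoint_out_of_range"
    elif rec["action"] == "ALARM" and rec["value"] == "DISABLE":
        return "alarm_disabled"
    elif rec["action"] == "PASSWORD" and rec["target"] == "admin":
        return "admin_password_changed"
    return None

def analyse(log_text):
    """Count hits per rule and set 'takeover_pattern' to 1 when all three
    behaviours named in the advisory appear in the same log window."""
    hits = Counter()
    for line in log_text.splitlines():
        if line.strip():
            label = check(parse(line))
            if label:
                hits[label] += 1
    hits["takeover_pattern"] = int(
        {"setpoint_out_of_range", "alarm_disabled", "admin_password_changed"} <= set(hits)
    )
    return dict(hits)

if __name__ == "__main__":
    for rule, n in analyse(SAMPLE_LOG).items():
        print(f"{rule}: {n}")
```

Operators would feed real HMI audit exports through the same rules, with per-tag limits taken from the plant's engineering documentation rather than the constructed values here.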

Private-sector research published in mid-April attributed a breach of a water facility near the Texas-New Mexico border to Russian hackers, marking the first known case of Russian hackers targeting U.S. water facilities.

The research, conducted by Google-owned Mandiant, said the hackers were a possible activist unit of Sandworm, an operation tied to Russia’s military intelligence directorate.

CISA executive director of cybersecurity Eric Goldstein said the U.S. was not linking activity outlined in the advisory to Sandworm or affiliated operatives, though later said that the groups are acting in support of the Kremlin. He declined to name any specific groups.

Russia’s state-centered economy allows Moscow to easily steamroll contracts for military and intelligence operations. A leak last year revealed the intricacies of this relationship, showing a vast network of military consultants working on behalf of the Kremlin, including Sandworm.

The Environmental Protection Agency and National Security Council in March urged states to stay alert for Iranian and Chinese cyber threats targeting water sector infrastructure. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” their missive to states said.