Full Report
Water systems in the United States are being attacked by Russian, PRC, and Iranian state-sponsored groups. These sophisticated and strategic attacks can overwhelm the water sector, which is considered the least secure of all critical infrastructure in the U.S.
Analysis Summary
# Threat Actor: Russian Affiliates (PCA, Z-Pentest, Sandworm, CARR)
## Attribution & Identity
The article discusses multiple threat actors associated with Russia targeting critical infrastructure, specifically water systems:
* **Hacktivist Groups:** People’s Cyber Army (PCA) and Z-Pentest.
* **State-Sponsored/Military Unit:** Sandworm (officially designated "Military Unit 74455") operating within the Russian military intelligence agency (GRU).
* **Related Group:** Cyber Army of Russia Reborn (CARR), linked to Sandworm but believed to operate more recklessly.
## Activity Summary
* **Targeting:** Water systems, energy, food and agriculture, and dams sectors.
* **Actions:** Successfully reconfiguring operating parameters of control systems and changing administrative passwords to lock out legitimate operators.
* **Methods:** Exploiting vulnerabilities in Virtual Network Computing (VNC) software, proprietary water control software, Industrial Control Systems (ICS), and network electronics (e.g., firewalls).
## Tactics, Techniques & Procedures
- Exploiting vulnerabilities in VNC software and proprietary water control software/ICS.
- Attacking network electronics like firewalls.
- Reconfiguring operating parameters of control systems.
- Changing administrative passwords to cause denial of access for legitimate operators.
## Targeting
- Sectors: Water and Wastewater Systems (primary focus), Energy, Food and Agriculture, Dams.
- Geography: United States (implied by discussion of US water systems and EPA regulations).
- Victims: Public drinking water systems, community water systems (CWS), wastewater treatment systems, and non-community water systems serving factories, hospitals, etc.
## Tools & Infrastructure
- Malware families used: Not explicitly named, but the TTPs point toward ICS/OT-focused tooling.
- Infrastructure (C2, domains, IPs): No specific indicators are provided in the excerpt.
## Implications
Russian-affiliated actors pose a significant threat to US Critical Infrastructure, particularly water systems, demonstrating capabilities to disrupt essential services by taking control of operational technology (OT) and locking out operators. This poses a national security risk.
## Mitigations
* **Basic Cybersecurity Hygiene:** Changing default passwords, requiring MFA, and enforcing the principle of least privilege.
* **Visibility & Segmentation:** Gaining full visibility of IT/OT hybrid networks and implementing thoughtful network segmentation.
* **Compliance:** Completing mandated Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs).
* **Response Planning:** Developing and testing cybersecurity incident response and recovery plans, including procedures for manual operation of automated systems.
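The TTPs above (VNC exposure into the OT network, administrative password changes that lock out operators) and the "visibility & segmentation" mitigation can be turned into concrete detection logic. The following is an added example written for this summary, not code from the original report or from any agency cited in it; the log formats, the OT address range, the approved jump host and the account names are constructed assumptions standing in for a utility's real inventory.

```python
"""Detection example: VNC sessions reaching the OT segment from anywhere other
than the approved jump host, and password changes on administrative accounts
of the HMI. Added example, not from the original report; the log formats,
network ranges and account names are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed network design: the OT segment and the only host allowed to open
# VNC into it. A real deployment would load these from the asset inventory.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
APPROVED_JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}
VNC_PORTS = range(5900, 5910)
ADMIN_ACCOUNTS = {"admin", "administrator", "root", "operator_admin"}

# Constructed log lines: firewall flow records and HMI audit events.
SAMPLE_LOGS = [
    "2024-03-01T02:14:07Z FW allow src=10.10.5.10 dst=10.20.1.15 dport=5900 proto=tcp",
    "2024-03-01T02:16:33Z FW allow src=203.0.113.45 dst=10.20.1.15 dport=5901 proto=tcp",
    "2024-03-01T02:17:02Z HMI audit user=admin action=password_change target=admin result=success",
    "2024-03-01T02:18:40Z HMI audit user=operator1 action=setpoint_change target=PUMP3 result=success",
    "2024-03-01T02:19:11Z FW allow src=10.30.7.2 dst=10.20.1.16 dport=443 proto=tcp",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) FW allow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
HMI_RE = re.compile(
    r"^(?P<ts>\S+) HMI audit user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)"
)


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def check_vnc_ingress(line):
    """Alert when a VNC port inside the OT segment is reached from a source
    that is not an approved jump host (segmentation violation)."""
    m = FW_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst in OT_SEGMENT and dport in VNC_PORTS and src not in APPROVED_JUMP_HOSTS:
        return Alert(m["ts"], "vnc_from_unapproved_source", f"{src} -> {dst}:{dport}")
    return None


def check_admin_password_change(line):
    """Alert on any password change applied to an administrative HMI account;
    an unexpected one is the lock-out pattern described in the TTPs."""
    m = HMI_RE.match(line)
    if not m:
        return None
    if m["action"] == "password_change" and m["target"] in ADMIN_ACCOUNTS:
        return Alert(m["ts"], "admin_password_change",
                     f"{m['user']} changed password of {m['target']}")
    return None


def scan(lines):
    """Run every check over each log line and collect the alerts in order."""
    alerts = []
    for line in lines:
        for check in (check_vnc_ingress, check_admin_password_change):
            alert = check(line)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a.ts} [{a.rule}] {a.detail}")
```

Against the constructed sample, the approved jump host's VNC session and the operator's setpoint change pass silently, while the external VNC connection and the admin password change each raise an alert. The allowlist approach is deliberate: in a segmented network the set of hosts permitted to reach VNC on OT devices should be small and known, so anything else is worth a ticket even if the firewall allowed it.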
***
# Threat Actor: IRGC Threat Actors (Iranian)
## Attribution & Identity
Threat actors associated with the **Iranian Revolutionary Guard Corps (IRGC)**.
## Activity Summary
Reportedly targeting individuals with a nexus to Iranian and Middle Eastern affairs to gain access or execute further campaigns. The article uses this as an example of credential targeting in the context of infrastructure security awareness.
## Tactics, Techniques & Procedures
- Strategically targeting individuals (such as government officials, think tank personnel, journalists, activists, lobbyists, and political campaign associates) to obtain credentials to facilitate larger attacks.
## Targeting
- Sectors: Not specified in terms of infrastructure impact; the article uses this activity as a cautionary example for protecting infrastructure personnel.
- Geography: Associated with individuals connected to Iranian and Middle Eastern affairs.
- Victims: Current or former senior government officials, senior think tank personnel, journalists, activists, lobbyists, and persons associated with US political campaigns.
## Tools & Infrastructure
- Malware families used: Not specified.
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
Credential targeting against personnel linked to critical infrastructure sectors by state-sponsored actors remains a high-probability vector for initial access.
## Mitigations
* **Credential Protection:** Users and employees of water infrastructure systems must diligently protect their credentials.
* **Security Culture:** Encourage a culture of security awareness and practice good cyber hygiene among staff.