Pro-Russian Hacktivist Attacks on Water Infrastructure (May 2024): OT Systems Targeted in U.S. and European Water Facilities

In May 2024, pro-Russian hacktivist groups launched a coordinated series of cyberattacks on water infrastructure in both the United States and Europe. These attacks targeted Operational Technology (OT) systems, which control critical processes in water treatment plants, distribution networks, and wastewater management facilities. The attacks were intended to cause widespread disruption and create public safety risks in response to ongoing geopolitical tensions involving Russia.

Attack Overview: Critical Water Infrastructure as a Target

Water infrastructure has become an increasingly attractive target for nation-state actors and politically motivated hacktivists. This specific campaign was part of a broader effort by pro-Russian groups to destabilise critical infrastructure in nations aligned against Russia, particularly those providing support to Ukraine or imposing sanctions on the Russian state. By disrupting water supply systems, attackers sought to create widespread panic, economic damage, and public health crises.

The attack methods involved breaching OT systems—the specialised hardware and software that controls physical operations like water filtration, chemical dosing, and flow rates. Compromising these systems can lead to operational failures such as:

  • Altered Chemical Levels: Hackers could modify the chemical dosing process used to purify drinking water, either under-dosing or over-dosing chemicals like chlorine, which could render water unsafe for consumption.
  • Shutting Down Pumps: Attackers could cause service disruptions by turning off pumps or valves, leading to shortages in water distribution networks.
  • Tampering with Wastewater Treatment: In wastewater facilities, attackers could alter treatment processes, potentially leading to the release of untreated or partially treated water into public waterways.

Notable Hacktivist Groups Involved

The primary groups responsible for these attacks were Killnet and NoName057(16), two well-known pro-Russian hacktivist groups with a history of targeting critical infrastructure across NATO member states and Western-aligned nations.

1. Killnet

  • Tactics: Killnet specialises in Distributed Denial-of-Service (DDoS) attacks aimed at disrupting public services. While DDoS attacks on water systems are less common, Killnet reportedly expanded its focus to water infrastructure in May 2024. By overwhelming the network infrastructure controlling OT systems, Killnet was able to temporarily knock key systems offline, causing brief service outages.
  • Previous Activity: Killnet has been responsible for numerous attacks on healthcare, government, and financial sectors, and it claimed responsibility for attacks on European water utilities in response to sanctions imposed on Russia.

2. NoName057(16)

  • Tactics: This hacktivist group is known for its focus on politically motivated attacks, including DDoS, website defacement, and attempts to breach and manipulate OT systems. In the water infrastructure attacks, NoName057(16) used social engineering techniques to compromise administrator accounts, gaining access to SCADA (Supervisory Control and Data Acquisition) systems controlling water flow and chemical dosing processes.
  • Target Selection: NoName057(16) has primarily targeted critical infrastructure in countries openly supporting Ukraine in its war against Russia. Water systems were a natural extension of their broader strategy to weaken public services in these nations.

Tactics, Techniques, and Procedures (TTPs) Used in the Attacks

The pro-Russian hacktivists employed a combination of technical exploits and social engineering to breach water infrastructure OT systems. Some of the notable Tactics, Techniques, and Procedures (TTPs) used during the attacks include:

  1. T0817 – Remote System Access via OT Protocols
    • Hackers used vulnerable or exposed OT protocols, such as Modbus or DNP3, to remotely manipulate physical water treatment processes. These protocols are often not secured with encryption, making them vulnerable to unauthorised access by attackers.
    • Exploit in the Wild: These types of vulnerabilities have been exploited by multiple threat actors, including APT33 and APT34, both linked to nation-state activity, particularly in energy and water infrastructure sectors.
  2. T1499 – Network Denial of Service (DDoS)
    • As part of their strategy to disrupt operations, the attackers launched DDoS attacks against the IT systems that interface with OT environments, particularly on the networks that control SCADA systems. These attacks flooded the network with traffic, rendering critical systems unresponsive.
    • Exploit in the Wild: Killnet has previously used similar tactics to disrupt hospitals and government services in NATO countries during major political events, and their DDoS capabilities are well-documented.
  3. T0890 – Targeted Phishing
    • NoName057(16) employed spear-phishing techniques to compromise the credentials of engineers and administrators who managed OT systems. These phishing emails were highly customised to appear as internal communications, resulting in successful breaches of water utilities in multiple regions.
    • Exploit in the Wild: Targeted phishing is a common method used by groups such as Fancy Bear (APT28) and Sandworm, both of which have conducted similar attacks on critical infrastructure in the past.
  4. T0851 – Manipulation of OT Systems
    • Once inside, the attackers manipulated key OT systems to alter water treatment processes. This included adjusting water pressure, turning off critical pumps, and tampering with chemical dosing controls, creating significant operational disruptions.
    • Exploit in the Wild: Manipulation of OT systems was seen in earlier attacks on water utilities, such as the 2021 breach of a Florida water treatment facility, where attackers altered the chemical balance of the water supply.
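Because plain Modbus/TCP carries neither authentication nor encryption, a PLC obeys a write request from any host that can reach it, so defenders rely on segmentation plus monitoring of the protocol traffic itself. The following Python is an added example, not code from the original article or from any utility it describes: a small passive monitor that decodes Modbus/TCP write requests, flags writes from hosts outside an allowlist, and checks a chlorine dosing setpoint against an engineering safe band. The allowlist host, the register map, the safe band and the sample frames are all constructed for the demonstration; multi-register writes (FC15/16) are flagged by source but not decoded.

```python
import struct
from collections import namedtuple

# Modbus function codes that change PLC state; FC15/16 values are not decoded here.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Hypothetical allowlist: the only host (the plant HMI) permitted to write to the PLC.
AUTHORISED_WRITERS = {"10.10.1.5"}
# Hypothetical register map: PDU address -> (tag, safe min, safe max). The chlorine
# setpoint is stored as mg/L x 100, so 50..400 means 0.5..4.0 mg/L.
REGISTER_LIMITS = {0: ("chlorine_dose_setpoint_x100", 50, 400)}
ModbusWrite = namedtuple("ModbusWrite", "src_ip unit_id function address value")

def parse_modbus_tcp(src_ip, frame):
    """Decode a Modbus/TCP ADU; return a ModbusWrite for write requests, else None."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None  # not Modbus, or MBAP length does not match the payload
    func = frame[7]
    if func not in WRITE_FUNCTION_CODES:
        return None  # read requests are not of interest here
    if func in (5, 6) and len(frame) >= 12:
        addr, val = struct.unpack(">HH", frame[8:12])
        return ModbusWrite(src_ip, unit, func, addr, val)
    return ModbusWrite(src_ip, unit, func, None, None)  # multi-write: values not decoded

def assess_write(w):
    """Alerts for one write: unauthorised source and/or setpoint outside the safe band."""
    alerts = []
    if w.src_ip not in AUTHORISED_WRITERS:
        alerts.append(f"{w.src_ip}: {WRITE_FUNCTION_CODES[w.function]} from unauthorised host")
    if w.function == 6 and w.address in REGISTER_LIMITS:
        tag, lo, hi = REGISTER_LIMITS[w.address]
        if not lo <= w.value <= hi:
            alerts.append(f"{w.src_ip}: {tag}={w.value} outside safe band {lo}..{hi}")
    return alerts

def scan(events):  # collect alerts for captured (src_ip, frame) pairs
    writes = filter(None, (parse_modbus_tcp(s, f) for s, f in events))
    return [a for w in writes for a in assess_write(w)]

# Constructed sample traffic (MBAP header + PDU as hex): the HMI setting the chlorine
# setpoint to 2.00 mg/L, then an unknown host writing 90.00 mg/L to the same register.
SAMPLE = [("10.10.1.5", bytes.fromhex("0001 0000 0006 01 06 0000 00c8")),
          ("203.0.113.7", bytes.fromhex("0002 0000 0006 01 06 0000 2328"))]
```

Running `scan(SAMPLE)` yields no alert for the HMI write and two for the unknown host: one for the unauthorised source and one for the out-of-band setpoint.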

Impact of the Attacks

The attacks caused varying degrees of disruption across water utilities in the U.S. and Europe, with the following key impacts:

  1. Service Interruptions: Several water treatment plants reported temporary shutdowns or interruptions in water distribution due to manipulated OT systems. In some cases, DDoS attacks knocked essential SCADA systems offline, leading to delays in water delivery to customers.
  2. Health and Safety Risks: In at least two documented cases, hackers successfully tampered with chemical dosing systems, which resulted in unsafe water being distributed for short periods. These incidents were quickly identified, and corrective actions were taken before significant harm occurred, but they underscored the public health risks associated with such attacks.
  3. Economic and Reputational Damage: The water utilities targeted in these attacks incurred significant costs related to system recovery, incident response, and security upgrades. In addition, the breach damaged public trust in the security of essential infrastructure.

Mitigation and Prevention Strategies

To prevent future attacks on water infrastructure, organisations must adopt a range of cybersecurity strategies focused on securing OT systems. Key mitigation strategies include:

  1. Network Segmentation: Ensuring that OT networks are isolated from IT networks can prevent attackers from using compromised IT systems as a jumping-off point to access critical OT systems.
  2. Regular Patching and Vulnerability Management: Water utilities must regularly update and patch their OT systems, including SCADA platforms, to fix known vulnerabilities that can be exploited by attackers.
  3. Multi-Factor Authentication (MFA): Implementing MFA for all user accounts, particularly those with access to OT systems, can mitigate the risk of compromised credentials leading to unauthorised access.
  4. DDoS Protection Solutions: Implementing DDoS mitigation tools and services can help water utilities defend against network flooding attacks that disrupt OT systems.
  5. Security Awareness Training: Engineers and staff working in water utilities should be trained to recognise phishing attempts and other social engineering tactics used to breach OT systems.

Conclusion

The pro-Russian hacktivist attacks on water infrastructure in May 2024 mark a significant escalation in the targeting of critical infrastructure. These attacks, which exploited OT systems, highlight the vulnerability of essential services like water treatment to cyberattacks. The use of tactics such as DDoS, remote access via OT protocols, and phishing illustrates the increasing sophistication of hacktivist groups aligned with geopolitical objectives.

As water utilities continue to modernise their systems and integrate IT with OT environments, it is crucial that cybersecurity defences are enhanced to protect against these emerging threats.

Further Reading