A report published by cybersecurity firm Mandiant last week claimed that a gang of hackers linked to the Russian government has attacked water utility companies around the world, including a treatment plant in the northern Texas town of Muleshoe.
Mandiant traced the exploits of a group that security professionals designate Advanced Persistent Threat 44 (APT44). The group calls itself “Sandworm” and “FROZENBARENTS” in its online proclamations and styles itself as a band of “hacktivists” who support the Russian invasion of Ukraine. It also operates under a variety of other aliases and front groups.
Mandiant said APT44 is, in reality, “sponsored by Russian military intelligence” and has been active far beyond the Ukraine theater. The group is not a loose collection of political activists, it claimed, but rather a “dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations,” including efforts to meddle in foreign elections.
The report held APT44 responsible for “nearly all of the disruptive and destructive operations against Ukraine over the past decade,” with a recent shift in focus to intelligence-gathering operations that can assist forward-deployed Russian military units.
“Sandworm” does far more than directly assist the Russian military, however. Among other malign activities, it appears to be using skills developed in attacks on Ukrainian infrastructure to conduct probing attacks against vital public utilities in countries the Kremlin views as threats or rivals. At the same time, the Russian military is developing defenses against precisely the kind of sabotage that APT44 pioneered.
According to Mandiant, a group calling itself “CyberArmyofRussia_Reborn” attacked the water treatment plant in Muleshoe on January 18 and took credit for the assault soon afterward on the Telegram messaging platform. The claim of credit was accompanied by screen captures of what appeared to be compromised water management software.
Mandiant analysts were fairly confident that CyberArmyofRussia_Reborn is a front or puppet group of APT44, although the U.S. intelligence community has not officially made that determination yet.
The hack was not exactly subtle. Three other small towns in Texas reported intrusion attempts on the same night. One of them, Hale Center, reported 37,000 attempts to penetrate its firewall over a four-day period.
Hale Center city manager Mike Cypert thwarted the attack by driving to his office and literally unplugging the city’s water management computer from the Internet, running everything manually for a few days, and handing the city’s security logs over to the FBI and Department of Homeland Security (DHS) for investigation. Investigators traced many of the 37,000 hits on the Hale Center firewall back to a location in St. Petersburg, Russia.
The other towns, Lockney and Abernathy, said they were able to thwart the hackers before they could gain access to the city water systems. Abernathy city staff said the hackers were able to slip into their system through a virtual network connection, but they were detected and cut off within 30 seconds, interrupting their attempt to change some of the system passwords.
“It didn’t cause any problems except being a nuisance,” said Lockney city manager Buster Poling.
“This is a nightmare scenario for many defense experts. Bad actors and nation states no longer need to rely on bullets and missiles. They can tamper with or shut down critical infrastructure by exploiting vulnerabilities in converged IT and OT systems,” said Bob Huber, chief security officer of Tenable, another cybersecurity firm.
“OT” stands for operational technology: the computer systems that monitor and control physical industrial and public-works equipment, as distinct from the IT systems that handle ordinary business data.
The Environmental Protection Agency (EPA) and National Security Agency (NSA) issued a warning to state governors in March that foreign hackers were attempting to sabotage water and sewage plants across the United States.
“These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” the EPA and NSA cautioned.
The warning named Iranian and Chinese hackers as likely culprits, citing the enormous Chinese cyber-espionage campaign known as “Volt Typhoon” as an example of the threat. Both Iranian and Chinese state-linked hackers have attacked American utility systems over the past six months.
“The water sector is poorly resourced and is under siege from three fronts. This is now Iran, China and Russia,” Mandiant Intelligence chief analyst John Hultquist said when releasing his report on the Muleshoe hack.
Apollo Information Systems chief technology officer Andy Bennett, a former Texas cybersecurity official, speculated that hackers from the axis of tyranny are hitting small-town systems to polish their skills before tackling bigger targets. He thought they might also be hoping to sow fear in rural communities.
“Small-town America feels safe, and if the water supply is in jeopardy, it undoes that,” Bennett told Bloomberg News.
The post Report Claims Russian Hackers Disrupted Texas Town’s Water Supply appeared first on Breitbart.