
A multi-agency joint cybersecurity advisory warns about “unsophisticated” hackers targeting critical infrastructure organizations, specifically in the U.S. Oil and Natural Gas sectors.

“CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems,” the agency stated.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the Department of Energy (DOE) jointly co-authored the cybersecurity advisory.

They advised network defenders to implement recommended mitigations to prevent the low-tier malicious actors from gaining unauthorized access.

Unsophisticated hackers compromise critical infrastructure organizations

The authoring agencies warned that, while these attacks lack sophistication, they succeed because of the targeted organizations' poor cybersecurity practices, and they can still cause significant damage.

“Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage,” warned the advisory.

Therefore, co-authoring agencies advised critical infrastructure network defenders to apply the list of recommended mitigations to prevent opportunistic hackers from succeeding.

They advised them to remove OT connections to the public internet, so that OT devices are no longer directly reachable from the outside and the attack surface available to hackers shrinks.

The agencies noted that most OT devices lack modern authentication and authorization mechanisms, so anyone who can reach them on the network can typically interact with them. Such devices are also easy to find: attackers scan public IP ranges for open ports used by industrial protocols, or simply query internet-wide search engines that index exposed OT components.
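To make the "lack modern authentication" point concrete, here is an added example (not code from the advisory or the article) of a minimal Modbus/TCP client in Python. Modbus/TCP is one of the industrial protocols commonly found listening on exposed OT devices, and its frame format carries no credential at all: the request is a transaction ID, a unit ID, a function code and an address range. Whoever can reach TCP/502 can read (and with other function codes, write) registers, which is why an OT device reachable from the internet is a finding in itself. The `read_registers` host argument is a placeholder for a device you are authorised to test; the sample responses are constructed, not captured from a real device.

```python
"""Added example: Modbus/TCP Read Holding Registers (function 0x03), built
from scratch to show that the protocol has no authentication field.
Sample responses are constructed for illustration."""
import socket
import struct

MODBUS_PORT = 502  # IANA-registered Modbus/TCP port


def build_read_holding_registers(transaction_id: int, unit_id: int,
                                 start: int, count: int) -> bytes:
    """Build MBAP header + PDU for function 0x03.
    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    PDU:  function code (1), starting address (2), quantity (2).
    Nothing in the frame identifies or authenticates the sender."""
    if not 1 <= count <= 125:
        raise ValueError("Modbus allows 1..125 registers per read")
    pdu = struct.pack(">BHH", 0x03, start, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_registers_response(frame: bytes, expected_tid: int) -> list:
    """Parse a 0x03 response and return the register values.
    Raises RuntimeError on a Modbus exception (function code | 0x80)."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP + function code")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if tid != expected_tid or proto != 0:
        raise ValueError("transaction/protocol id mismatch")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc == 0x83:
        raise RuntimeError("Modbus exception code 0x%02x" % frame[8])
    if fc != 0x03:
        raise ValueError("unexpected function code 0x%02x" % fc)
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("register data truncated")
    return list(struct.unpack(">%dH" % (byte_count // 2), data))


def read_registers(host: str, unit_id: int = 1, start: int = 0,
                   count: int = 10, timeout: float = 3.0) -> list:
    """Send one unauthenticated read to a device you are authorised to test.
    `host` is a placeholder; this function is not exercised offline."""
    tid = 1
    req = build_read_holding_registers(tid, unit_id, start, count)
    with socket.create_connection((host, MODBUS_PORT), timeout=timeout) as s:
        s.sendall(req)
        resp = s.recv(260)  # maximum Modbus/TCP ADU size
    return parse_read_holding_registers_response(resp, tid)


# Constructed sample responses (not captured from a real PLC):
# tid=1, proto=0, length=7, unit=1, fc=0x03, byte count=4, registers 0x0102 0x0304
SAMPLE_OK = bytes.fromhex("00010000000701030401020304")
# tid=1, proto=0, length=3, unit=1, fc=0x83 (exception), code 0x02 illegal data address
SAMPLE_EXC = bytes.fromhex("000100000003018302")

if __name__ == "__main__":
    print("request :", build_read_holding_registers(1, 1, 0, 2).hex())
    print("response:", parse_read_holding_registers_response(SAMPLE_OK, 1))
```

The same builder with function code 0x06 or 0x10 would write registers just as freely; the only defences are the network boundary (not exposing TCP/502 at all) and, where supported, a firewall or protocol-aware gateway in front of the device.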

“OT cyber threats have evolved dramatically as attackers increasingly target industrial environments with more sophisticated techniques,” said Derek Manky, Chief Security Strategist & Global Vice President of Threat Intelligence with Fortinet’s FortiGuard Labs. “In fact, the latest Global Threat Landscape Report from Fortinet’s FortiGuard Labs found that the OT sector remains one of the top targets for attackers, with industrial organizations experiencing almost half (44%) of the ransomware and wiper activity during that timeframe.”

They also recommended changing default passwords and applying password best practices, such as using strong passphrases that hackers cannot easily guess or crack.

“Recent analysis of this cyber activity indicates that targeted systems use default or easily guessable (using open source tools) passwords,” they warned.

They also recommended that, when remote access to OT devices is necessary, it be placed behind a virtual private network (VPN) protected by strong passwords and phishing-resistant multi-factor authentication.

“Many times, these systems are provided internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls,” noted Thomas Richards, Infrastructure Security Practice Director at Black Duck.

Similarly, segmenting IT and OT networks, with demilitarized zones (DMZs) mediating any data exchange between them, limits an attacker who has compromised one side from pivoting to the other.

Additionally, they advised critical infrastructure organizations to maintain the ability to operate OT devices manually to regain control and restore operations quickly during a cyber attack.

Lastly, they advised network defenders to maintain constant communication with third-party managed service providers, integrators, or manufacturers and request system-specific configurations to secure OT devices.

Previous cyber attacks on critical infrastructure

It remains unclear what prompted the agencies to issue the cybersecurity advisory. However, U.S. critical infrastructure organizations, such as drinking water and wastewater utilities, have previously experienced cyber attacks stemming from OT devices.

In 2021, a malicious actor gained access to a water treatment facility in Oldsmar, Florida, and tried to raise the level of sodium hydroxide (lye) added to the water.

In 2023, the pro-Palestinian Iranian hacktivist group Cyber Av3ngers breached a booster station of the Municipal Water Authority of Aliquippa, Pennsylvania, by compromising an internet-exposed, Israeli-made Unitronics programmable logic controller (PLC).