Russian Hacktivists Target Water and Wastewater Facilities Nationally

The Cyber Army of Russia Reborn (CARR), a hacktivist group connected to the Russian government, is actively targeting Water and Wastewater facilities across the United States to break into Supervisory Control and Data Acquisition (SCADA) systems, which are commonly used to control and monitor water utilities.

Numerous incidents have been reported nationally, and the frequency of these incidents has spiked in recent weeks. While none of the cyberattacks impacted drinking water for communities, the incidents mark a notable escalation in Russia’s targeting of critical infrastructure in the United States.

In January, a cyberattack against a water facility in Muleshoe, Texas, caused a water tank to overflow. During the incident, hackers used a compromised password to break into a remote login system for industrial software that allows operators to interact with the water tanks. Officials took the system offline and switched to manual operations following the attack. Around the same time, authorities in several nearby Texan towns also implemented defensive strategies after detecting suspicious activity on their networks.

Related cyber threat activity targeting water utilities has recently increased, with additional incidents across the United States. CARR has claimed responsibility for the cyberattacks in a series of posts shared online. The posts are accompanied by screen recordings depicting the hackers infiltrating the water supply systems, changing passwords, and manipulating controls. Similar tactics, techniques, and procedures (TTPs) have been employed in the attacks, including using compromised passwords for accounts that did not have multi-factor authentication (MFA) enabled. In all instances, the hackers were observed attempting to access SCADA systems.

Mandiant has recently determined that CARR is connected to Sandworm, also known as APT44. Sandworm is part of Russia’s GRU military intelligence agency. Mandiant’s research showed that Sandworm helped create CARR and can likely influence CARR’s activities; however, Mandiant is still determining whether the group operates independently.

Recommendations:

  • Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Apply the Principle of Least Privilege.
  • Keep systems up to date and apply patches after appropriate testing.
  • Install endpoint security solutions to help protect against malware.
  • Employ a comprehensive data backup plan.
  • Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
  • Ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
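The incidents above share one pattern: a password-only login to a remote HMI access system from outside the plant, followed by a password change and a change to the controls. The following detection logic, added here as an illustration and not part of the advisory or any vendor product, flags that sequence in a constructed, hypothetical key=value log format; the trusted network range and the 30-minute correlation window are assumptions to adjust per site.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp key=value ..." format
# (not the output of any real HMI product): a password-only login from an
# external address, then a password change and a control change by that session.
SAMPLE_LOGS = """\
2024-04-18T02:14:07Z host=hmi-01 event=login user=operator src=203.0.113.45 mfa=no result=success
2024-04-18T02:15:30Z host=hmi-01 event=password_change user=operator src=203.0.113.45
2024-04-18T02:17:02Z host=hmi-01 event=setpoint_change user=operator src=203.0.113.45 tag=tank1_level new=99
2024-04-18T09:01:11Z host=hmi-01 event=login user=shift2 src=10.20.0.15 mfa=yes result=success
2024-04-18T09:05:40Z host=hmi-01 event=setpoint_change user=shift2 src=10.20.0.15 tag=tank1_level new=65
"""

# Assumption: remote HMI access is only expected from the plant's own OT jump hosts.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WINDOW = timedelta(minutes=30)


def parse(line):
    """Turn one log line into a dict; the timestamp becomes rec['ts']."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_trusted(src, nets):
    return any(ipaddress.ip_address(src) in net for net in nets)


def detect(log_text, trusted_nets=TRUSTED_NETS, window=WINDOW):
    """Alert on a successful login without MFA from outside the trusted ranges,
    and on any password or setpoint change by that user/source within the window."""
    alerts, risky = [], {}  # risky: (user, src) -> time of the suspicious login
    for rec in map(parse, log_text.splitlines()):
        key = (rec["user"], rec["src"])
        if rec["event"] == "login" and rec.get("result") == "success":
            if rec.get("mfa") != "yes" and not is_trusted(rec["src"], trusted_nets):
                risky[key] = rec["ts"]
                alerts.append(("external_login_without_mfa", *key, rec["ts"]))
        elif rec["event"] in ("password_change", "setpoint_change"):
            seen = risky.get(key)
            if seen is not None and rec["ts"] - seen <= window:
                alerts.append(("post_login_" + rec["event"], *key, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The MFA-backed login from the trusted range produces no alert, so the rule is quiet for routine shift operations while still surfacing the full chain from the external session.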