A report published by cybersecurity firm Mandiant last week claimed that a gang of hackers linked to the Russian government has attacked water utility companies around the world, including a treatment plant in the northern Texas town of Muleshoe.
The hackers were allegedly able to cause a tank overflow that wasted some water, but did not jeopardize the health of residents.
Mandiant traced the exploits of a group designated as an Advanced Persistent Threat (APT) 44 by security professionals. The group calls itself “Sandworm” and “FROZENBARENTS” in its online proclamations and styles itself as a band of “hacktivists” who support the Russian invasion of Ukraine. It works under a variety of other aliases or front groups as well.
Mandiant said APT44 is, in reality, “sponsored by Russian military intelligence” and has been active far beyond the Ukraine theater. The group is not a loose collection of political activists, it claimed, but rather a “dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations,” including efforts to meddle in foreign elections.
“While most state-backed threat groups tend to specialize in a specific mission such as collecting intelligence, sabotaging networks, or conducting information operations, APT44 stands apart in how it has honed each of these capabilities and sought to integrate them into a unified playbook over time,” Mandiant said.
The report held APT44 responsible for “nearly all of the disruptive and destructive operations against Ukraine over the past decade,” with a recent shift in focus to intelligence-gathering operations that can assist forward-deployed Russian military units.
“Sandworm” does far more than directly assist the Russian military, however. Among other malign activities, it appears to be using skills developed in attacks on Ukrainian infrastructure to conduct probing attacks of vital public utilities in countries the Kremlin views as threats or rivals. At the same time, the Russian military is developing defenses against precisely the kind of sabotage that APT44 pioneered.
According to Mandiant, a group calling itself “CyberArmyofRussia_Reborn” attacked the water treatment plant in Muleshoe on January 18 and took credit for the assault soon afterward on the Telegram messaging platform. The claim of credit was accompanied by screen captures of what appeared to be compromised water management software.
Mandiant analysts were fairly confident that CyberArmyofRussia_Reborn is a front or puppet group of APT44, although the U.S. intelligence community has not officially made that determination yet.
The attack was relatively harmless, causing a water tank to overflow without compromising water quality in the area, but the fact that it succeeded at all represents a disturbing escalation of cyberwar capabilities. Hackers from various countries have conducted probing operations against infrastructure for years, but they usually do not draw attention to themselves. The Texas caper could also be seen as a warning shot – a signal from Moscow that direct assaults on water, power, and other vital infrastructure are no longer beyond the pale.
The hack was not exactly subtle. Three other small towns in Texas reported intrusion attempts on the same night. One of them, Hale Center, reported 37,000 attempts to penetrate its firewall over a four-day period.
Hale Center city manager Mike Cypert thwarted the attack by driving to his office and literally unplugging the city’s water management computer from the Internet, running everything manually for a few days, and handing their security logs over to the FBI and Department of Homeland Security (DHS) for investigation. Investigators traced many of the 37,000 hits on the Hale Center firewall back to a location in St. Petersburg, Russia.
The other towns, Lockney and Abernathy, said they were able to thwart the hackers before they could gain access to the city water systems. Abernathy city staff said the hackers were able to slip into their system through a virtual network connection, but they were detected and cut off with in 30 seconds, interrupting their attempt to change some of the system passwords.
“It didn’t cause any problems except being a nuisance,” said Lockney city manager Buster Poling.
The same front group that reportedly hit the Muleshoe water treatment plant claims to have pulled off a similar attack in France, and security researchers believe it also sabotaged water plants in Poland.
“This is a nightmare scenario for many defense experts. Bad actors and nation states no longer need to rely on bullets and missiles. They can tamper with or shut down critical infrastructure by exploiting vulnerabilities in converged IT and OT systems,” judged chief security officer Bob Huber of Tenable, another cybersecurity firm.
“OT” stands for Operational Technology, the computer systems that control industrial and public works devices.
The Environmental Protection Agency (EPA) and National Security Agency (NSA) issued a warning to state governors in March that foreign hackers were attempting to sabotage water and sewage plants across the United States.
“These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” the EPA and NSA cautioned.
The warning pointed to Iranian and Chinese hackers as likely culprits, pointing to the enormous Chinese cyber-espionage campaign known as “Volt Typhoon” as an example of the threat. Both Iranian and Chinese state-linked hackers have attacked American utility systems over the past six months.
“The water sector is poorly resourced and is under siege from three fronts. This is now Iran, China and Russia,” Mandiant Intelligence chief analyst John Hultquist said when releasing his report on the Muleshoe hack.
Apollo Information Systems chief technology officer Andy Bennett, a former Texas cybersecurity official, speculated that hackers from the axis of tyranny are hitting small-town systems to polish their skills before tackling bigger targets. He thought they might also be hoping to sow fear in rural communities.
“Small-town America feels safe, and if the water supply is in jeopardy, it undoes that,” Bennett told Bloomberg News.