There is a sweeping, ominous breeze blowing its way into cybersecurity, one that eschews ransomware and other forms of criminal profiteering and instead resembles traditional warfare tactics such as false flags, political statements, and shows of force.

Cyberattacks on U.S. Utilities

The targets are not banks, hospitals, or universities; they are specifically utilities, namely water treatment and supply systems and energy generation, distribution, and logistics. The attackers are both stealthy and loud, and they often flaunt their attempts at intimidation; they seem interested only in reconnaissance and in generating panic, anger, and insecurity among the public officials charged with safeguarding these systems.

Here are some examples.

Attack on the State of Alabama Networks

In March 2024, there was an attack on the State of Alabama networks. A party calling itself Anonymous Sudan launched a DDoS attack on various government IT services. They were, however, neither anonymous nor from Sudan, even though for a while one may have thought so. Instead, researchers rapidly concluded they were part of the Russia-based group Killnet, who did such a poor job of creating a false flag and imitating Sudanese hacktivists that it makes one wonder whether they wanted to be caught.

Attack on the Aliquippa, PA Water and Wastewater Plant

In November 2023, there was an attack on the Aliquippa, PA Water and Wastewater Plant. The Cyber Av3ngers, an Iranian group with strong ties to its government, exploited very poor security measures to infiltrate Programmable Logic Controllers (PLCs). An Israeli company made these PLCs, and the hack was reportedly an act of hacktivism against those who use equipment made in Israel. No real damage was done and the incident was contained, but the stated reasons mirrored many of the motives seen in the Hamas-Israel cyber war.

Volt Typhoon

From early 2021 to late 2023, there was Volt Typhoon. This Advanced Persistent Threat, sponsored by the PRC government, intruded into various critical infrastructure, including water and wastewater treatment facilities in the United States and Guam, and stayed in networks for months undetected. Volt Typhoon used Microsoft administrative tools to escalate privileges and roam servers looking for weaknesses while harvesting information. The attacks were advanced and the behavior definitely persistent, but no degradation of the actual targets appears to have occurred.

Pro-Russian Hacktivists Attack U.S. Water Facilities

Finally, just within the last few weeks, pro-Russian hacktivists exposed cybersecurity weaknesses in U.S. water facilities, mildly disrupting operations, all while making no effort to disguise or protect their identity. Hacktivists are often deliberately loud so as to be identified as the responsible party, and they also like to make a grand entrance with website defacements, exposure of sensitive information, or even denial-of-service attacks. This raises the question: was it more about intimidation than political motivation?

FBI Weighs in on Cyber Threats to Utilities

FBI Director Wray, in a recent interview, offered the following thoughts:

“The PRC has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.

We’ve been countering this growing danger for years now. China-sponsored hackers pre-positioned for potential cyberattacks against U.S. oil and natural gas companies way back in 2011. And while it’s often hard to tell what a hacker plans to do with their illicit network access—that is, theft or damage—until they take the final step and show their hand, these hackers’ behavior said a lot about their intentions.

When one victim company set up a honeypot—essentially, a trap designed to look like a legitimate part of a computer network with decoy documents—it took the hackers all of 15 minutes to steal data related to the control and monitoring systems while ignoring financial and business-related information, which suggests their goals were even more sinister than stealing a leg up economically.”

The line “suggests their goals were even more sinister than stealing a leg up economically” is of course concerning and, more importantly, seems to fit the behavior and characteristics of the recent public utility intrusions by Chinese-tied actors and by other countries as well.

Enemies of other enemies often become friends in the dark world of cybersecurity, and thus word of vulnerabilities in infrastructure spreads quickly. Three different countries attacking essentially the same type of targets, with little to no actual damage inflicted, could indeed signal the beginning of a shadowy campaign of significant consequences. We must pay attention, more than ever, to the above attacks: not to what happened, but to what did not happen.


Joe Jabara, JD, is the Director of the Hub for Cyber Education and Awareness, Wichita State University. He also serves as adjunct faculty at two other universities, teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command and leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.