An early 2024 string of breaches at water treatment plants around the world is the work of a GRU sockpuppet hacking team, according to researchers with Mandiant. The Russian hackers, who pose as an independent “hacktivist” collective but have long been believed to be controlled by the GRU, have boasted about attacks in multiple countries in a Telegram channel.
The group calls itself “Cyber Army of Russia Reborn” or “Xaknet” and is roughly comparable to a Russian nationalist version of Anonymous. For some years now, however, security researchers have believed it is under the direction of Russian military intelligence and takes on projects that would be considered too bold to link directly to the government. Mandiant has linked the group to a January attack on a water treatment plant in Texas as well as similar incidents in France and Poland.
Brazen attacks on water treatment plants involved manipulation of industrial controls
The item that the Mandiant report highlights is a January attack on a water treatment plant in Texas that resulted in minor flooding at the facility. However, the same group has also recently breached a similar facility in Poland and a hydroelectric plant in France. In all cases, the Russian hackers used industrial controls to cause at least some minor damage.
The water treatment plant incidents appeared to be more of a show of capability than a serious attempt to cause damage, with the Russian hackers taking videos of at least two of these incidents to boast about on Telegram. That has raised questions about how closely the GRU is monitoring and directing the group. The “hacktivists” are thought to be a managed project of Sandworm, widely considered one of the world’s most advanced and polished APT groups. Causing physical damage to critical infrastructure is generally outside this team’s MO (unless it is in Ukraine), as is gloating about it and posting silly videos on Telegram set to Super Mario Brothers music.
The Russian hackers also appeared to be playing around with the industrial system controls rather than executing a targeted scheme, not always sure of what the inputs they were manipulating would do. This may suggest an opportunistic follow-on after more recent and more serious attacks of this nature on critical infrastructure by Chinese and Iranian APT groups were disclosed to the public. Rather than looking to cause real damage, the hackers are essentially just looking to expose the troubled state of critical infrastructure security in rival nations and the ongoing failure to shore up defenses.
Russian hackers follow China and Iran into foreign water utilities
The small town of Muleshoe in north Texas was the site of the January incident, in which the Russian hackers simply caused a tank to overflow. The incident was contained with a switch to manual operations, which reportedly took local workers about 30 to 45 minutes. Two other Texas towns that are not far away from Muleshoe reported failed attempts to hack SCADA systems used to control other water treatment plants at about the same time.
There are enough layers of obfuscation between the Russian hackers and the GRU (and the damage was minimal enough) that this won’t cause an international incident, though it does appear to be a possible escalation in how far foreign intelligence agencies are willing to go in causing physical damage.
At the US end, the incident highlights bureaucratic and budget issues that are keeping smaller municipalities from having even a basic level of cybersecurity protection. The Biden administration has rolled out some grant and loan programs to address this issue, but many utility companies are still uncovered and may find they have to sacrifice a great deal of convenience to keep foreign adversaries at bay.