CISA warns pro-Russia hacktivists exploit VNC to access OT
CISA, the Federal Bureau of Investigation, the National Security Agency, the Department of Energy, the Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners reported that pro-Russia hacktivist groups are exploiting internet-facing virtual network computing (VNC) connections to access operational technology (OT) control devices in critical infrastructure, with outcomes ranging up to physical damage.
The advisory states that Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16 conduct less sophisticated, lower-impact attacks than Advanced Persistent Threat (APT) groups. They use minimally secured, internet-facing VNC connections to infiltrate or gain access to OT control devices, exploiting the widespread prevalence of accessible VNC devices to target systems ranging from water treatment facilities to oil well systems. The groups employ similar tactics, techniques, and procedures and select victims based on availability and existing vulnerabilities.
The incidents are reported to produce varying degrees of impact, including physical damage, and the groups often seek notoriety by making false or exaggerated claims about their attacks.
OT owners and operators and critical infrastructure entities should reduce the exposure of OT assets to the public-facing internet; adopt mature asset management processes, including mapping data flows and access points; and ensure that OT assets use robust authentication procedures.
For more information on Russian state-sponsored threat actor activity, the advisory refers readers to CISA’s Russia Cyber Threat Overview and Advisories page.