Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.
More than ever, hacktivist groups are hitting close to home. Over the past few years, Dragos WorldView OT Cyber Threat Intelligence has continuously reported on intensifying hacktivist activities targeting critical infrastructure. Hacktivist groups, motivated by geopolitical conflicts and wars, have inundated the public with misinformation and have escalated to more harmful targeting of Operational Technology (OT) systems around the globe.
Traditional hacktivism, in the form of denial-of-service (DoS) attacks and website defacements, often goes unnoticed by the public. Attacks on critical infrastructure can disrupt essential services and put public safety at risk. They garner widespread media coverage and public attention and bring these groups closer to achieving their objectives. Recent high-profile incidents involving self-proclaimed hacktivist groups have demonstrated the efficacy of focusing on critical infrastructure.
When hacktivist groups can claim disruptive attacks on industrial control systems (ICS) with relatively little specialized knowledge, it’s time to take a serious look at how hacktivism is changing to comprehend their tactics and position in the cyber threat landscape.
Download the Latest Cyber Threat Intelligence on Fuxnet Malware
Get the strategic analysis of the Fuxnet malware in our intelligence brief, "Strategic Overview of the Fuxnet Malware." For practitioners, get a detailed technical analysis of the malware in our whitepaper, "Fuxnet Malware: Novel Variant Targeting Sensor Operations in Municipal Infrastructure."
Rising Cyber Risks from Hacktivists Targeting OT
Hacktivist groups have directed their efforts towards OT systems, recognizing their potential to cause substantial disruption and garner notoriety based on successful disruptions.
Hacktivism, defined as conducting various publicly visible cyber attacks to promote social or political agendas, is often portrayed as grassroots activism. However, state actors may influence or directly control some of these groups. Hacktivist groups are traditionally known for website defacements, denial-of-service (DoS) attacks, or outright exaggeration and false claims that are easily disproven. Their bark is often bigger than their bite, and not everything is as it seems. However, underestimating the role hacktivists play in the threat landscape is just as harmful as taking all their claims at face value.
OT attacks can directly impact public safety and essential services, warranting significant news coverage. The use of social media and subsequent media attention amplifies the perceived impact of such incidents and the hacktivist group’s underlying message, creating a feedback loop that potentially encourages further OT targeting and attacks. These groups appear to be learning from each other and converging on similar strategies, with two hacktivist groups targeting unsecured water utilities with false claims and actual attacks over many months.
Case Study 1 – CyberAv3ngers Hacktivist Group
Characteristics: Connections to state actors, targeted hardware, specific geopolitical message
CyberAv3ngers is an anti-Israel hacktivist group that has been active since approximately 2020. This group has a history of making exaggerated or false claims but their targeted attacks on devices by Unitronics, a company based in Israel, were impactful and credible.
In November 2023, CyberAv3ngers impacted the Municipal Water Authority of Aliquippa in Pennsylvania which, like water systems around the world, uses Unitronics devices. They compromised a Unitronics programmable logic controller (PLC) and manipulated the human-machine interface (HMI) controls, resulting in a need to switch to manual operations. The attack on Aliquippa was part of a broader campaign targeting Israeli companies, most notably Unitronics PLCs and IoT devices, across various sectors, with attacks on water and wastewater systems in the United States, Europe, and Australia. The group compromised multiple devices using relatively unsophisticated methods such as SSH brute-forcing and exploiting default passwords. Their multi-week campaign also led to a shutdown of the Drum/Binghamstown Water Scheme in North Mayo, Ireland, impacting the water filtration and purification process and disrupting water services over two days.
The defacement of the HMI systems with an anti-Israel message points to a geopolitically motivated attack, using cyber intrusions as a platform for delivering a geopolitical statement. The events resulted in significant attention from the media, the public, and government agencies. They may have also set a new bar for hacktivist groups to launch more widespread and ambitious operations.
Watch our webinar, “Crossing the Rubicon: Hacktivist Intrusions Against Israeli-Made OT,” for more information on the attacks targeting Unitronics PLCs.
Case Study 2 – CyberArmyofRussia_Reborn Hacktivist Group
Characteristics: Connections to state actors, broader infrastructure targeting
CyberArmyofRussia_Reborn is a pro-Russia hacktivist group that has been active since 2023. Dragos assesses with moderate confidence that CyberArmyofRussia_Reborn is acting as a proxy for the state actors APT28 and Sandworm, which have technical overlaps with KAMACITE and ELECTRUM.
In January 2024, CyberArmyofRussia_Reborn posted a video showing the manipulation of water tanks in later-confirmed attacks on two water authorities in Texas. They accessed the human-machine interface (HMI) systems via known vulnerabilities in Virtual Network Computing (VNC) technology and changed setpoints that regulate water tank pressure. This group has since claimed responsibility on its Telegram channel for subsequent attacks across the United States, Poland, and France.
The claims and confirmed incidents demonstrate that the hacktivist group CyberArmyofRussia_Reborn has the intent and ability to compromise and disrupt OT environments using known vulnerabilities. Targeting the United States, France, and Poland suggests several possible motives: retaliation, an influence campaign to disrupt services, intelligence gathering, or distraction from other state-backed objectives. These operations further evolve the hacktivist trend and involve a more organized group targeting critical infrastructure in a geopolitical context.
Case Study 3 – Blackjack Hacktivist Group and the Fuxnet Malware
Characteristics: Custom malware usage, specific country targeting
In April 2024, the pro-Ukraine self-proclaimed hacktivist group Blackjack claimed responsibility for a cyber attack on Moskollektor, a Russian organization managing Moscow’s municipal infrastructure. Blackjack allegedly used Fuxnet malware to disrupt sensor operations within Moskollektor’s OT monitoring network. The targeting of Russian OT infrastructure suggests a countermeasure or a reciprocal attack within the current geopolitical context, possibly part of a broader warfare strategy. The Fuxnet malware would require significant modification to pose a threat to other environments; it was specifically developed to exploit vulnerabilities in Moskollektor’s infrastructure.
In addition to disrupting 87,000 sensors using the Fuxnet malware, Blackjack claimed to have accessed the Russian 112 emergency services number, invalidated key cards to office buildings, defaced websites, and social media pages, and more. In support of these claims, Blackjack posted information stolen during the alleged operation and screenshots of the Fuxnet malware’s source code to a data leak site.
Blackjack’s claims, though partially unverified, show an escalation in the complexity and ambition of hacktivist operations. They also demonstrate that the perception of impact, fueled by media coverage, is a significant outcome regardless of the actual damage.
Download the latest OT cyber threat intelligence on the Fuxnet malware. We provide both a strategic analysis and more detailed technical analysis on the Fuxnet malware.
Accelerated Evolution of OT-Targeted Hacktivism
While these are just three examples, the progression from the CyberAv3ngers’ compromise to Blackjack’s claims of more sophisticated malware attacks illustrates an escalation of tactics and effects and a substantial variability in technical capabilities.
CyberAv3ngers focused on exploiting default configurations in OT systems, causing disruptions amplified through social media. Possibly inspired by these tactics, CyberArmyofRussia_Reborn adopted similar methods with increased sophistication and state-backed support, leading to broader and more impactful attacks to sow fear, uncertainty, and doubt (FUD).
Finally, the Blackjack group has taken hacktivism further by developing and deploying custom malware. There is still a lot of misinformation, and organizations should not make their moves based on the pronouncements from hacktivists’ Telegram channels; nonetheless, what was once unthinkable—attacks on physical systems in critical infrastructure—is now a potent strategy for hacktivists seeking widespread attention and influence within the context of geopolitical conflicts.
Strengthening OT Cyber Defenses
Securing OT environments against unpredictable hacktivist threats is a technical necessity and a vital step in safeguarding public safety and essential services.
Organizations must adopt OT-native monitoring solutions. These solutions should be explicitly designed for OT environments and capable of understanding and responding to ICS protocols and threats. Incident response plans should be enhanced to include OT-specific scenarios, ensuring rapid recovery and minimal disruption. Additionally, best practices such as changing default passwords, implementing multi-factor authentication (MFA), and conducting regular security training for OT personnel are essential.
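The two confirmed intrusions above both rode on remote-access services reachable from outside the plant (SSH with default or guessable passwords, VNC with known weaknesses), which is exactly what OT-native monitoring, credential hygiene and MFA are meant to catch or prevent. As an added example that is not Dragos code or part of the Dragos Platform, the script below runs three such detections over a constructed connection log: remote access to an OT asset from outside the plant address space, a burst of authentication failures from one source, and a login that succeeds right after such a burst. The log format, the OT network range, the thresholds and the sample lines are all assumptions made for the example; only the service ports (SSH 22, VNC 5900) are standard.

```python
"""Detect the remote-access patterns behind the CyberAv3ngers and
CyberArmyofRussia_Reborn intrusions in perimeter connection logs.
Added example, not Dragos tooling; log format and networks are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the plant/OT address space. Replace with your own ranges.
OT_NETWORKS = [ip_network("10.10.0.0/16")]
# Remote-access services the case studies relied on (standard ports).
REMOTE_ACCESS_PORTS = {22: "ssh", 5900: "vnc"}
# Assumed tuning: five failures inside two minutes counts as password guessing.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <connect|auth_ok|auth_fail>'."""
    ts, src, _arrow, dst_port, event = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "port": int(port),
        "event": event,
    }


def is_internal(ip):
    """True when the address belongs to the plant/OT address space."""
    return any(ip in net for net in OT_NETWORKS)


def analyze(lines):
    """Return alerts as (rule, service, src, dst) tuples, in the order raised."""
    alerts = []
    seen_external = set()                 # (service, src, dst) already reported
    recent_failures = defaultdict(list)   # (src, dst) -> failure timestamps in window
    for rec in map(parse_line, lines):
        service = REMOTE_ACCESS_PORTS.get(rec["port"])
        if service is None:
            continue                      # not a remote-access service; ignore here
        key = (str(rec["src"]), str(rec["dst"]))
        # Rule 1: remote access to an OT asset from outside the plant network.
        # With proper segmentation and MFA-gated jump hosts this should never occur.
        if not is_internal(rec["src"]) and (service, *key) not in seen_external:
            seen_external.add((service, *key))
            alerts.append(("external_remote_access", service, *key))
        # Keep only failures that still fall inside the sliding window.
        window = [t for t in recent_failures[key] if rec["ts"] - t <= BRUTE_FORCE_WINDOW]
        if rec["event"] == "auth_fail":
            window.append(rec["ts"])
            # Rule 2: password guessing; fire once when the threshold is reached.
            if len(window) == BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", service, *key))
        elif rec["event"] == "auth_ok" and window:
            # Rule 3: a login that succeeds after a burst of failures, the
            # signature of a default or weak password finally being guessed.
            alerts.append(("success_after_failures", service, *key))
        recent_failures[key] = window
    return alerts


# Constructed sample log: an external host guessing its way into an SSH-exposed
# controller, a normal internal login, an external VNC session, and unrelated traffic.
SAMPLE_LOG = """\
2024-01-15T02:00:01 203.0.113.7 -> 10.10.5.20:22 auth_fail
2024-01-15T02:00:09 203.0.113.7 -> 10.10.5.20:22 auth_fail
2024-01-15T02:00:17 203.0.113.7 -> 10.10.5.20:22 auth_fail
2024-01-15T02:00:25 203.0.113.7 -> 10.10.5.20:22 auth_fail
2024-01-15T02:00:33 203.0.113.7 -> 10.10.5.20:22 auth_fail
2024-01-15T02:00:41 203.0.113.7 -> 10.10.5.20:22 auth_ok
2024-01-15T02:05:00 10.10.1.15 -> 10.10.5.20:22 auth_ok
2024-01-15T02:06:12 198.51.100.9 -> 10.10.5.21:5900 connect
2024-01-15T02:07:00 10.10.1.15 -> 10.10.5.30:443 connect
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the sample log the detector raises four alerts: the external SSH access, the brute-force burst, the successful login immediately after it, and the external VNC session; the internal login and the non-remote-access traffic stay silent. Rule 1 is deliberately reported once per source, destination and service so a noisy guessing session does not flood the queue, while rule 3 is the one that most deserves an immediate response, since it signals that a default or weak credential has already been found.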
Considering the risk and related threats, Dragos recommends organizations implement the Five Critical Controls for World-Class OT Cybersecurity identified by the SANS Institute, which present a framework for implementing a world-class OT cybersecurity program to defend against adversary activity directed against OT networks.