
Microsoft Observed Huge Surge in Attacks Targeting Internet-Exposed OT Devices in WWS

Microsoft has reported a significant increase in cyberattacks targeting internet-exposed, poorly secured operational technology (OT) devices.

These attacks have particularly focused on the United States’ water and wastewater systems (WWS).

Various nation-backed actors, including the IRGC-affiliated “CyberAv3ngers” and pro-Russian hacktivists, have been implicated in these attacks.


Vulnerability of OT Systems

OT systems control critical real-world processes and are prevalent across various industries, including building HVAC systems, water supply, and power plants.

These systems manage vital parameters such as speed and temperature in industrial processes.

A cyberattack on an OT system can transfer control over these parameters to attackers, potentially causing malfunctions or complete system outages.

According to Microsoft's report, many OT devices are directly connected to the internet, making them easy for attackers to discover with internet scanning tools.

Poor security configurations, such as weak passwords or outdated software with known vulnerabilities, further exacerbate the risk.

The attractiveness of OT systems and the ease of exploiting weak configurations were demonstrated during the Israel-Hamas war, when several OT-focused actors broadcast their attacks on Israeli companies via Telegram channels.


High-Profile Case: Aliquippa Water Plant Attack

In November 2023, a high-profile cyberattack targeted the Aliquippa water plant in Pennsylvania.

The attack, attributed to the IRGC-affiliated “CyberAv3ngers,” resulted in the outage of a pressure regulation pump and the defacement of the device with the attacker’s logo.

The US Department of the Treasury sanctioned officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) in connection with the attack.

The Aliquippa incident is part of a broader trend of attacks on OT systems.

The Cybersecurity and Infrastructure Security Agency (CISA) released advisories in December 2023 and May 2024 highlighting the common profile of the targeted OT systems: internet-exposed, with weak sign-in configurations. These advisories emphasized the need for improved security measures to protect against similar attacks.

To mitigate the risk of cyberattacks on OT systems, Microsoft recommends the following measures:

  1. Adopt Comprehensive Security Solutions: Implement solutions such as Microsoft Defender for IoT to monitor and protect OT devices.
  2. Enable Vulnerability Assessments: Identify unpatched devices and patch them, using tools such as Microsoft Defender Vulnerability Management.
  3. Reduce Attack Surface: Eliminate unnecessary internet connections to OT devices and close unnecessary open ports.
  4. Implement Zero Trust Practices: Apply network segmentation to prevent lateral movement by attackers and isolate OT devices from IT networks.
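As an added example (not code from Microsoft, CISA or the original article), the script below triages a constructed OT asset inventory against the targeted profile described above (internet-exposed, weak sign-in, unnecessary open ports, outdated software, no segmentation from IT) and maps each finding to one of the four mitigations; the inventory field names and thresholds are assumptions.

```python
"""Triage an OT inventory against the exposure profile described above.

Added example; the devices below are constructed and the field names and
thresholds (minimum password length, staleness window) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class OTDevice:
    name: str
    zone: str                 # "ot" if on a segmented OT network, "it" otherwise
    internet_reachable: bool  # directly discoverable from the public internet
    default_password: bool    # still running vendor default credentials
    password_length: int
    open_ports: list[int]
    days_since_update: int
    required_ports: list[int] = field(default_factory=list)


WEAK_SIGNIN_MIN_LEN = 12   # assumed policy minimum
STALE_DAYS = 365           # assumed window after which software counts as outdated


def triage(dev: OTDevice) -> dict:
    """Return the findings for one device, each paired with the mitigation it calls for."""
    findings = []
    if dev.internet_reachable:
        findings.append(("internet-exposed", "reduce attack surface: remove direct internet path"))
    if dev.default_password or dev.password_length < WEAK_SIGNIN_MIN_LEN:
        findings.append(("weak sign-in", "replace with a strong, unique credential"))
    extra = sorted(set(dev.open_ports) - set(dev.required_ports))
    if extra:
        findings.append((f"unnecessary ports {extra}", "close unneeded ports"))
    if dev.days_since_update > STALE_DAYS:
        findings.append(("outdated software", "vulnerability assessment and patching"))
    if dev.zone != "ot":
        findings.append(("not segmented from IT", "segment behind the OT zone (zero trust)"))
    # Internet exposure combined with weak sign-in is the profile the advisories
    # describe, so it outranks every other combination.
    critical = dev.internet_reachable and any(f[0] == "weak sign-in" for f in findings)
    return {"device": dev.name, "critical": critical, "findings": findings}


def prioritize(inventory: list[OTDevice]) -> list[dict]:
    """Critical devices first, then by number of findings (descending)."""
    results = [triage(d) for d in inventory]
    return sorted(results, key=lambda r: (not r["critical"], -len(r["findings"])))


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    OTDevice("pump-plc-1", "ot", True, True, 4, [502, 80, 23], 600, [502]),
    OTDevice("hmi-2", "it", False, False, 16, [443], 30, [443]),
    OTDevice("rtu-3", "ot", False, False, 8, [20000], 400, [20000]),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_INVENTORY):
        print(r["device"], "CRITICAL" if r["critical"] else "", [f[0] for f in r["findings"]])
```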

The surge in cyberattacks on OT devices underscores the urgent need for improved security measures.

Organizations must adopt comprehensive security solutions, conduct regular vulnerability assessments, and implement best practices to protect their critical infrastructure from cyber threats.