Hacktivist groups on both sides of the Ukraine war increasingly claim to have infiltrated critical infrastructure networks in a bid to stoke fears about their abilities to disrupt sensitive operations, the cybersecurity firm Mandiant said in a report released Wednesday.
Groups and hacktivists such as Team OneFist and GhostSec have all claimed to have compromised operational technology networks in recent months, hoping that their claims of destructive hacks will get the public’s attention along with messages either for or against the war.
And while the majority of the hacks may be exaggerations or fabrications, Mandiant notes, the increasing interest from non-state actors in OT networks is troubling.
“Despite the inaccuracy of most claims, when hacktivist activity targeting OT becomes commonplace, the likelihood of actual and even substantial OT incidents increases,” according to Mandiant, which is now part of Google Cloud. “The risk is higher for organizations that are perceptibly associated with political events or social disputes based on geographic location, nationality, language, or industry of relevance.”
As Mandiant points out, hacktivists have tended to go after easier targets: website defacements, denial of service attacks or hack-and-leak operations. “Historical hacktivist activity has largely focused on simpler attacks that are intended to get the attention of broad audiences, such as website compromises or denial of service attacks.”
But the Ukraine war has shifted that focus for many, said Daniel Zafra, Mandiant analysis manager at Google Cloud. Hacktivist groups are seeking the attention that comes from these types of attacks so their messages get more attention online and the groups themselves may appear to have more technical abilities than they actually possess. Zafra said the war attracted hackers looking to support either side, but also warned that state-backed hackers could pose as hacktivists in order to disrupt OT while having plausible deniability.
Zafra said Mandiant began tracking hacktivists’ claims of having a physical impact through OT attacks around 2021. In 2022, the firm saw a marked increase in such declarations and the growing use of Telegram and Twitter to boast about accomplishments.
One of the more active groups last year was Team OneFist, also called Joint Cyber Center, which claims to be associated with the IT Army of Ukraine. It purported to have attacked Russian power plants, airports, a paper mill and other industrial targets, all in support of Ukraine.
It’s not hard to make those claims, says Zafra. One of the more common methods appears to be posting a screenshot of a human-machine interface while declaring to have hacked an OT device at an industrial organization.
What is hard, however, is verifying these claims. Mandiant noted that it often could not confirm or debunk the assertions with the limited data presented. However, that does not stop the assertions — and the political message — from being spread online or receiving media attention.
Team OneFist has been caught exaggerating before. In June 2022, the group said that it disabled a cellular router supporting OT in Russia, causing an outage at a nearby power plant. However, local media reports said that the outage was at a different power plant nearly 400 miles away.
GhostSec, which has links to the hacktivist collective Anonymous, is one such group that was not born out of the Russian invasion of Ukraine. In January, it claimed to have been the first group to have conducted a ransomware attack on a remote terminal unit, a device that connects to industrial valves and relays to provide controls and status updates. The claim was quickly debunked online as overstated by industrial cybersecurity experts, but even such claims show an increased interest in, and a better understanding of, some of the terminology used inside critical infrastructure — a marked difference from years past, experts note.
Zafra noted that while the Ukraine war may be the biggest driver for hacktivists focusing on OT in the past year, that doesn’t mean that the target is going to go away anytime soon. “The rate at which it’s growing might slow down because there’s not that immediate need, but I do think that it’s going to continue happening.”