Two Russian groups, the People’s Cyber Army and Z-Pentest, claim to have taken attacks on critical infrastructure in the US to a new and more dangerous level. Dark web researchers at threat intelligence firm Cyble have discovered Telegram videos detailing attacks on US energy and water facilities far beyond the previously supposed capabilities of such groups.
Cyble believes that the two groups may be working in cooperation with one another. Previously, the People’s Cyber Army, which also goes by the name of the Cyber Army of Russia Reborn, and lesser-known groups such as Z-Pentest, have largely confined their attacks on US critical infrastructure to simple and easy-to-repel distributed denial of service (DDoS) attacks.
But, according to Cyble, Z-Pentest’s attacks have now escalated to disrupting one US oil well system, including the subsystems responsible for water pumping, petroleum gas flaring, and oil collection. A 6-minute screen recording shows the facility’s control systems in detail, including tank setpoints, vapor recovery metrics, and operational dashboards that were allegedly accessed and changed during the breach.
According to Cyble: “It is not clear where that oil facility is located, but the other two U.S. oil facility claims appear to correspond with known locations and companies.”
The so-called People’s Cyber Army also struck twice in late August and September, releasing screen recordings that show the group tampering with system settings on control panels at the Stanton Water Treatment Plant in Stanton, Texas, and at water towers in New Castle, Delaware. A January attack also caused water storage tanks to overflow in Abernathy and Muleshoe, Texas – the hackers were able to open valves and release untreated water, but otherwise, no significant damage is believed to have occurred. Cyble has documented eight water-system attacks by the People’s Cyber Army this year in the U.S. and elsewhere.
Z-Pentest claims 10 attacks since October
Z-Pentest, however, appears to have been active only since October. Since then, Cyble’s dark web research team has reported no fewer than 10 claims of attacks by the group, all of which involved accessing control panels in critical infrastructure environments. The group’s main Telegram channel was recently shut down, but the group maintains a presence on X and claims to be based in Serbia.
Critical infrastructure in the US and elsewhere is particularly vulnerable to cyber-attacks. The reason is that the operational technology (OT) systems that manage plant equipment at facilities such as water treatment works were originally designed as stand-alone systems, but they are now linked to IT networks that are connected to the internet.
Cyble recommends that, wherever possible, companies running critical infrastructure segregate OT systems from other parts of the network. Other recommendations include continuous vulnerability and penetration testing to tackle weaknesses before they can be exploited by bad actors.
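One way to check whether a network actually follows the segregation Cyble recommends, as an added example that is not part of the article or of Cyble’s own material: the script audits a constructed firewall ruleset for any path from the IT network or the internet into the OT zone. The zone names, the jump host `eng-jump-01`, and the sample rules are assumptions.

```python
# Added example (not from the article or Cyble): audit a constructed set of
# firewall rules against a simple OT segmentation policy. Zone names, the
# jump host and the sample rules are assumptions made for illustration.
from dataclasses import dataclass

# Well-known ICS protocol ports that should never be opened from IT or the internet.
CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "it", "dmz" or "ot"
    src_host: str   # "any" or a specific host name
    dst_zone: str
    port: int       # 0 means any port
    action: str     # "allow" or "deny"


def violations(rules, jump_host="eng-jump-01"):
    """Return policy violations for allow rules that reach the OT zone.

    Assumed policy: only the DMZ jump host may initiate sessions into OT, and
    nothing in the IT zone or on the internet may reach OT at all.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone != "ot":
            continue
        if r.src_zone in ("internet", "it"):
            proto = CONTROL_PORTS.get(r.port, "any service" if r.port == 0 else f"port {r.port}")
            findings.append(f"{r.src_zone} -> ot on {proto}: OT must not be reachable from {r.src_zone}")
        elif r.src_zone == "dmz" and r.src_host != jump_host:
            findings.append(f"dmz host {r.src_host} -> ot: only {jump_host} may enter OT")
    return findings


# Constructed ruleset modelling a water plant whose OT was bolted onto the IT network.
SAMPLE_RULES = [
    Rule("it", "any", "ot", 502, "allow"),           # HMI reachable from office LAN: violation
    Rule("internet", "any", "ot", 0, "allow"),       # vendor access straight from the internet: violation
    Rule("dmz", "eng-jump-01", "ot", 502, "allow"),  # engineering jump host: permitted
    Rule("dmz", "web-01", "ot", 44818, "allow"),     # public web server into OT: violation
    Rule("it", "any", "ot", 0, "deny"),              # explicit deny: fine
]

if __name__ == "__main__":
    for finding in violations(SAMPLE_RULES):
        print("VIOLATION:", finding)
```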