Hacktivism wants to be Life-threatening
Our critical infrastructure, public water supplies, are under attack
As western U.S. water resources come under increasing pressure and aquifers in the southwestern U.S. continue their depletion at increasing rates,1 another threat is on the rise. Cyberattacks launched from outside the U.S. against public water systems inside the U.S. have become a growing threat, and the focus now seems to be on West Texas.
Criminals or Military Personnel?
There is an international book, about 5 inches thick, that outlines how the international laws of war apply to cyberattacks. It is called the Tallinn Manual and was developed by a group of international cybersecurity lawyers, government officials and military personnel2 after the attacks on Tallinn, Estonia by Russia in 2007.3 The Tallinn Manual is in its second edition and is used as non-binding legal guidance for analyzing cyberattacks, to determine when a response is legal under international law and what kind.
The problem with international law guidance is that it consists of interpretations provided by scholars and practitioners and is not really binding law. However, diplomatic pressure remains the most effective way to enforce these guidelines. The world’s biggest cyberattacker is China, which tends to deny responsibility, along with the second largest cyberattacker, Russia. (Cyberattacks must be state-sponsored to fall under the laws of war and the Tallinn Manual guidance. Attacks by individuals, when reported by their targets to the home country, are often met with surprise or promises to investigate.4) Diplomatic pressure is much harder to apply if the attackers are not exposed to the world. Sometimes exposure does happen, as in the Sony Entertainment attack by North Korea,5 a cyberattack in retaliation for the movie The Interview (2014), which depicted a North Korean leader (apparently insulting Kim Jong Un, the leader of North Korea).6
Countries seeking asymmetric warfare and deniability develop their own “armies” of cyberattackers. Using the term hacktivists tends to suggest they are civilian, but they are all likely supported by their countries, usually China, Russia, North Korea, Iran and sometimes Syria. Many of these cyberattack groups claim they are associated with their country, while their governments deny any knowledge of these activities.7
These countries’ cyberattackers are making hundreds of thousands of strikes a day against government resources and the private sector in hopes of gaining information or disabling our critical infrastructure.8
Absent other effective responses to cyberattacks in international law, the U.S. has resorted to the only legal strategy we have: using our own domestic criminal laws, based on the acts of cyberattack committed within the jurisdiction of the U.S. When we can identify the individual cyberattacker(s), we issue a Red Alert (Interpol’s notice to watch for persons to be arrested) and we file a complaint in federal court. We have done this on numerous occasions, but it is highly unlikely that one of these hackers will leave China or Russia for a vacation abroad, where they might be identified and arrested in transit.
Early attacks on U.S. water supplies
Here is a poster for the perpetrators of the Iranian attack on the dam controlling water flow in Rye, New York in 2013.9 This is one of the earliest attacks on a water control system using the internet to control or disable a SCADA system. SCADA devices have been used for decades, but now they are tied to computer controls that are connected to the internet, and this makes them vulnerable to cyberattack. SCADA systems are the control systems for oil field pumps, wind turbines, water systems and other utilities.10
In 2021, the water supply of the city of Oldsmar, Florida was cyberattacked. This time, the intruders successfully added excessive chemicals to the water, adding one hundred times the normal amount of sodium hydroxide to the drinking water.11 These cyberattacks are learning experiences for the cyberattackers, and they are gaining knowledge that may help them add lethal amounts of chemicals to water supplies, perhaps even before they can be detected.
In 2023, there were at least six cyberattacks on water systems in the U.S., some attributed to Iranian cyberattackers.12
Recent attacks on water supplies
The Cybersecurity and Infrastructure Security Agency (CISA), founded in 2018 to address an increasing number of cyberattacks on U.S. infrastructure,13 issues alerts to industry sectors when there is intelligence on credible threats. In February 2024, CISA, along with the EPA and the FBI, released a set of steps for the water and wastewater systems sector to take to secure against cyberattacks.14
In Texas, small cities have recently been hit by cyberattacks targeting the public water supply.
On April 19, 2024, the Texas Tribune reported that Hale Center’s public water supply had been attacked by a Russian hacktivist group. Times reported that Abernathy, another nearby small city, was also targeted.15 A second city, Muleshoe, just 60 miles from Hale Center in West Texas, was also attacked, and the attack actually made the water system overflow tens of thousands of gallons of water into the street16 before the system was disabled by city officials. Both cities have small populations, Hale Center with 2000 residents and Muleshoe with 5000 residents. The third city, Lockney, with about 1500 people and just about 25 miles east of Hale Center, was also attacked, but the attackers were unable to access the city water computer.17 The hub city in the region and the area of the cyberattacks is Lubbock, with a population of about one quarter of a million people in its county. Lubbock has been silent as to the status of its public water system, offering not even assurances, but it is highly likely that cyberattacks were made against the largest city in the center of these small cities.
The group with fingerprints on this attack is the CyberArmyofRussia_Reborn, and it has been involved in other cyberattacks, particularly since Russia’s attack on Ukraine.
They may have targeted West Texas because of its well-known scarcity of water, which may have led them to small towns that presumably have fewer resources for cybersecurity. They have by no means limited their exploits to West Texas, but this is definitely an area of concentrated effort by this group.
In all of these cyberattacks, the Russian cyberattackers may also be engaged in vulnerability testing to determine how responses are made to attacks and where vulnerabilities lie. But at the same time, we are learning their methods, too.
International reports of water attacks
CrowdStrike, a cyberattack tracking organization, reported in their 2023 report on world hacktivism that attacks on water systems are part of the modus operandi of pro-Palestinian hacktivists. Russia has also increased its cyberattacks after the invasion of Ukraine:
Throughout the duration of the conflict, pro-Palestine hacktivists have consistently targeted critical infrastructure in Israel, including disruptive activity against energy-distribution infrastructure and water pumps, DDoS attacks against utility companies, and hack-and-leak operations against water treatment and energy plants. This activity is likely an attempt to inflict physical and psychological damage on Israeli citizens and will likely continue throughout the duration of the Israel-Hamas conflict. This assessment is made with high confidence based on consistent targeting to date and similar activity observed in other recent conflicts, such as the Russia-Ukraine war.18
Hacktivism v. Cyberattacks
Hacktivism is a new term to describe these activities, but it obscures the state-supported efforts to learn about our vulnerabilities and exploit them on behalf of the government, not as a harmless prank from someone’s basement. When hacktivism wants to be life-threatening and attack critical infrastructure like water supply systems, it requires a response through international law, at least through diplomatic pressure to control cyberattacks within one’s jurisdiction.
https://www.texastribune.org/2023/06/20/texas-ogallala-aquifer-farming-climate-change/
https://ccdcoe.org/research/tallinn-manual/
https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
https://www.reuters.com/world/asia-pacific/china-says-it-opposes-cracks-down-all-forms-cyberattacks-2024-02-06/
https://time.com/3639275/the-interview-sony-hack-north-korea/
https://en.wikipedia.org/wiki/The_Interview
https://apnews.com/article/technology-business-china-hacking-6cd7d59f1b6aa4a0539d987e5340b705
https://www.reuters.com/technology/cybersecurity/microsoft-says-it-caught-hackers-china-russia-iran-using-its-ai-tools-2024-02-14/
https://www.nytimes.com/2016/03/26/nyregion/rye-brook-dam-caught-in-computer-hacking-case.html
https://scada-international.com/what-is-scada
https://stateline.org/2021/03/10/florida-hack-exposes-danger-to-water-systems/
https://www.newsweek.com/russia-water-hackers-cybersecurity-1891611
https://www.cisa.gov/about/2023YIR
https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release-top-cyber-actions-securing-water-systems
https://www.newsweek.com/russia-water-hackers-cybersecurity-1891611
https://www.newsweek.com/russia-water-hackers-cybersecurity-1891611