Russian Roulette: Gambling with Critical Infrastructure and VNC


CISA calls them hacktivists, I call them a threat to your pumps. It is time to secure your operational technology.

CISA just dropped Advisory AA25-343A, warning that “Pro-Russia Hacktivists” are conducting opportunistic attacks against global critical infrastructure. They call them hacktivists; I am disturbed by this demotion. These aren’t kids in a basement; they are bad actors causing physical damage to water systems and energy grids. The vector? Virtual Network Computing (VNC) endpoints that were left reachable from the public internet. If you are running operational technology and relying on a porous firewall, you are exposed. The advice to “reduce exposure” is sound, but how you do it matters. It is time to stop pretending your air gap works and start acting like the internet is hostile territory.

Hacktivists or Soldiers in Hoodies

CISA recently dropped advisory AA25-343A, labelling the perpetrators “Pro-Russia Hacktivists.” I find that term adorable, but dangerously misleading. Make no mistake: when a group targets the Water, Wastewater, and Energy sectors with the intent of causing physical damage, they aren’t activists; they are threats to national security. While CISA calls the targeting “opportunistic,” the outcome is strategic. The “Cyber Army of Russia” isn’t looking to deface your website with a political manifesto. As we noted in our analysis of the Inbound HMI attacks, these actors are manipulating setpoints on your pumps, creating the conditions for overflows, forced manual overrides, and equipment destruction.

Their weapon of choice isn’t some complex zero-day magic; it is simply scanning for exposed VNC (Virtual Network Computing) endpoints, typically on TCP port 5900, and connecting to whatever answers. If you leave VNC open to the internet, you aren’t just being negligent; you are rolling out the red carpet for a foreign military unit. This isn’t a game of tag; it involves real-world safety risks, and treating these actors like mere vandals underestimates the threat to your physical operations.

Your Firewall is a Picket Fence

CISA tells us to “reduce exposure” and “map data flows.” That sounds reasonable until you look at the actual state of operational technology. We like to pretend we have “Air Gaps,” but let’s be honest: your fortress is made of plywood. In reality, that air gap is a myth, riddled with holes punched by integrators who needed remote access five years ago and forgot to close the door. This isn’t just poor hygiene; it is an open invitation.

The result? Protocols that were never meant to be exposed to the public internet, like VNC, are naked on it. As we discussed regarding the exploitation of Unitronics PLCs, search engines like Shodan pick these devices up instantly. It’s not sophisticated hacking; it’s window shopping. Nor is “it has a password” a defence: many exposed VNC servers accept connections with no authentication at all, and classic VNC Authentication is a DES challenge-response that uses at most eight bytes of the password. And don’t get me started on the standard VPN defence. A VPN is just a really long Ethernet cable. Once an attacker breaches that perimeter — perhaps via a stolen credential — they have network-level access and can move laterally to your soft underbelly. You aren’t managing assets; you’re facilitating shadow IT.
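To see what those scanners see, here is an example added in editing (not code from Agilicus, CISA, or the advisory): a small Python probe that runs only the RFB version and security-type handshake against a VNC server, stops before authenticating, and reports whether the server accepts unauthenticated connections or offers only classic VNC Authentication. The `ScriptedServer` class and the byte sequences fed to it are constructed stand-ins so the probe runs offline; `probe_host` does the same against a real socket and is meant for checking hosts you own. The security-type numbers are the RFB registrations (1 = None, 2 = VNC Authentication, 19 = VeNCrypt, and so on).

```python
import socket
import struct
from dataclasses import dataclass

# RFB security types registered in the protocol specification
RFB_SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    20: "SASL",
}


@dataclass
class VncProbe:
    version: str              # e.g. "003.008"
    security_types: list      # numeric types the server offered
    reason: str = ""          # server's refusal text when it offers no types

    @property
    def allows_unauthenticated(self):
        return 1 in self.security_types

    @property
    def offers_only_legacy_vnc_auth(self):
        return self.security_types == [2]


def _recv_exact(recv, n):
    """Read exactly n bytes or fail loudly; RFB fields are fixed-size."""
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection mid-handshake")
        buf += chunk
    return buf


def probe_rfb(recv, send):
    """Run the RFB ProtocolVersion + Security handshake and stop there."""
    banner = _recv_exact(recv, 12)          # "RFB xxx.yyy\n"
    if not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB server: {banner!r}")
    version = banner[4:11].decode("ascii")
    major, minor = (int(x) for x in version.split("."))
    if (major, minor) >= (3, 7):
        # 3.7/3.8: client picks a version, server lists the security types it offers
        send(b"RFB 003.008\n" if minor >= 8 else b"RFB 003.007\n")
        count = _recv_exact(recv, 1)[0]
        if count == 0:
            # No types offered: a length-prefixed reason string follows
            (rlen,) = struct.unpack(">I", _recv_exact(recv, 4))
            reason = _recv_exact(recv, rlen).decode("utf-8", "replace")
            return VncProbe(version, [], reason)
        return VncProbe(version, list(_recv_exact(recv, count)))
    # 3.3: the server chooses a single type and sends it as a big-endian u32
    send(b"RFB 003.003\n")
    (stype,) = struct.unpack(">I", _recv_exact(recv, 4))
    return VncProbe(version, [stype])


def probe_host(host, port=5900, timeout=3.0):
    """Probe a live VNC endpoint; only point this at hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe_rfb(s.recv, s.sendall)


class ScriptedServer:
    """Constructed stand-in for a VNC server so the probe runs offline."""

    def __init__(self, *chunks):
        self.data = b"".join(chunks)
        self.sent = b""

    def recv(self, n):
        out, self.data = self.data[:n], self.data[n:]
        return out

    def send(self, data):
        self.sent += data


def report(probe):
    """Turn a probe result into the one-line verdict an operator needs."""
    names = [RFB_SECURITY_TYPES.get(t, f"type {t}") for t in probe.security_types]
    if probe.allows_unauthenticated:
        verdict = "CRITICAL: server accepts connections with no authentication"
    elif probe.offers_only_legacy_vnc_auth:
        verdict = "WEAK: only classic VNC Authentication (DES challenge, 8-byte password)"
    elif not probe.security_types:
        verdict = f"REFUSED: {probe.reason or 'no security types offered'}"
    else:
        verdict = "offers stronger security types; confirm encryption is enforced"
    return f"RFB {probe.version} offers {names or 'nothing'} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample: an RFB 3.8 server offering None (1) and VNC Authentication (2)
    fake = ScriptedServer(b"RFB 003.008\n", bytes([2, 1, 2]))
    print(report(probe_rfb(fake.recv, fake.send)))
```

If the verdict line for any of your own endpoints reads CRITICAL or WEAK, that endpoint is exactly what an opportunistic scan is looking for; the fix is not a stronger VNC password but removing the inbound path altogether.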

Locking the Door with Zero Trust

CISA’s demand for robust authentication sounds reasonable, but let’s get real: asking a legacy PLC for a multi-factor authentication code is like asking a toaster to solve calculus. These devices were never built for the Internet. This is where Agilicus AnyX bridges the gap between 1990s hardware and modern security. We treat your HMI and VNC connections as protected resources without requiring a complex network re-architecture.

By deploying an Identity-Aware Proxy, AnyX allows you to put modern protections like Single Sign-On and Multi-factor Authentication right in front of that vulnerable operational technology. Crucially, this works via an outbound-only connection from the site to the proxy. We close the inbound ports, making your infrastructure invisible to the opportunistic scanning scripts these ‘hacktivists’ use. With AnyX, you authenticate the user to the specific machine, not to the network, ensuring they only touch what they are authorised to see.
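The difference between network-level access and per-resource authorisation is easier to see in code. The following is an illustrative example added here, not Agilicus AnyX’s implementation: a proxy-side authorisation check that only lets a VNC session through when the caller presents a short-lived, HMAC-signed token bound to one user and one named resource, carrying an MFA claim, and when the policy says that user may reach that resource. `SIGNING_KEY`, `POLICY`, the claim names and the resource names are all assumptions for the demo; a stolen token for one pump station buys nothing against another, which is the property a VPN credential does not have.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key for the demo; in practice it lives only in the proxy
SIGNING_KEY = b"demo-only-key-not-for-production"

# Hypothetical policy: which identity may reach which HMI/VNC target
POLICY = {
    "alice@utility.example": {"pump-station-3/hmi", "pump-station-3/vnc"},
    "integrator@vendor.example": {"pump-station-3/vnc"},
}


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def unb64u(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(subject, resource, amr, ttl=300, now=None):
    """Mint a short-lived token bound to one user AND one resource (JWT-like, HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "res": resource, "amr": list(amr), "exp": int(now + ttl)}
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    sig = b64u(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def authorize(token, requested_resource, now=None):
    """Return (allowed, reason); every refusal path is explicit so it can be logged."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return False, "malformed token"
    expected = b64u(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(unb64u(body))
    if claims["exp"] < now:
        return False, "token expired"
    if "mfa" not in claims["amr"]:
        return False, "MFA not performed"
    if claims["res"] != requested_resource:
        return False, f"token is for {claims['res']}, not {requested_resource}"
    if requested_resource not in POLICY.get(claims["sub"], ()):
        return False, f"{claims['sub']} is not permitted to reach {requested_resource}"
    return True, f"{claims['sub']} -> {requested_resource}"


if __name__ == "__main__":
    # Constructed walk-through: one token, tried against two pump stations
    tok = issue_token("alice@utility.example", "pump-station-3/vnc", ["pwd", "mfa"])
    print(authorize(tok, "pump-station-3/vnc"))   # allowed
    print(authorize(tok, "pump-station-4/vnc"))   # refused: token bound to station 3
    print(authorize(tok[:-1] + "A", "pump-station-3/vnc"))   # refused: bad signature
```

Note the ordering: the signature is checked before any claim is trusted, expiry before authentication strength, and the policy lookup comes last. Each refusal returns a distinct reason so the proxy can log what was attempted against which resource.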

Conclusions

CISA has handed us a roadmap, but it is up to us to drive the car. Whether you call them hacktivists or Kremlin proxies, they are knocking on your digital door, and your current locks are rusty. The advisory highlights a critical failure in how we protect operational technology. You cannot rely on obscure passwords or on hoping nobody finds your IP address. You need robust authentication and a true Zero Trust architecture. Agilicus AnyX offers a fast, simple way to wrap those vulnerable VNC connections in a layer of ironclad security. Don’t wait for a “Labour Day present” from these bad actors. Close the inbound ports, enforce MFA, and get serious about defence.