Hacktivist Activity, Iranian Conflict

Following the February 28 US–Israeli strikes on Iranian infrastructure, Iran‑aligned and pro‑Palestinian hacktivist groups rapidly increased operations. The activity is high‑volume, opportunistic, and propaganda‑driven, but poses real risk to US critical infrastructure due to:

  • Increased posting by groups claiming access to US‑based operational technology (OT) and human‑machine interfaces (HMIs), including water and fire‑suppression pump control systems.
  • Surge in global distributed denial-of-service (DDoS) activity targeting symbolic or politically resonant public‑facing portals.
  • Widespread exploitation of internet‑exposed HMIs, weak remote‑access services (often VNC), and default or reused credentials.
  • Risk of spillover and copy‑cat behavior, where low‑skill actors leverage publicly shared access paths, screenshots, and simplistic tools.

Although most claims lack validated operational impact, the volume, visibility, and demonstrated access to live HMIs underline a credible threat to poorly segmented, externally reachable OT environments in the US.

Systems Affected

US critical infrastructure environments with:

  • Internet‑accessible HMIs, SCADA panels, fire‑suppression pump controllers, water/wastewater interfaces, or environmental/HVAC control systems.
  • Exposed VNC, RDP, TeamViewer, or vendor‑maintenance portals lacking multi-factor authentication (MFA) or network restrictions.
  • Default or weak credentials on OT gateways, HMIs, PLCs, and remote management consoles.
  • Public‑facing state or municipal portals susceptible to DDoS (rail, emergency information, local government, utilities, public safety).

Threat Activity Overview

  • Pro‑Iran and anti‑Israel hacktivist groups (e.g., Z_PENTEST, Cyber Islamic Resistance, FaD TeaM, Arabian Ghosts/DieNet) are posting screenshots and videos of OT interfaces, primarily water and pumping systems, HVAC panels, agricultural systems, and other utilities.
  • Claims include start/stop pump access, parameter change interfaces, alarm suppression screens, and configuration menus, consistent with the MITRE ATT&CK for ICS techniques Unauthorized Command Message (T0855) and Modify Parameter (T0836) wherever an HMI is misconfigured or exposed.
  • A March 5 post on Telegram by Z_PENTEST allegedly demonstrates access to a US fire‑suppression pump control interface, with visible passwords and configuration options.
  • DDoS campaigns continue to accompany OT‑access claims, distracting operators and overwhelming public‑facing portals.
  • Hacktivists share “access for sale,” tool lists (e.g., DDoSia, SpaceStresser), and simplistic, unproven SCADA “tools,” lowering the barrier for inexperienced adversaries to tamper with exposed devices.

US‑Relevant Risk Considerations

  • Small or rural utilities, fire districts, municipal water authorities, and agricultural/irrigation sites remain the most likely to have internet‑exposed HMIs.
  • Vendor‑provided remote maintenance paths are frequently exploited when passwords are shared or unchanged.
  • Public safety and emergency service portals (e.g., alerting, transit, civic services) may face DDoS that disrupts coordination.
  • Spillover risk is high: indiscriminate scanning for exposed interfaces often affects US systems even when claims center on Middle Eastern targets.

Recommendations for Stakeholders

These recommendations adapt Dragos’s mitigations specifically for US public‑sector and critical infrastructure operators.
1. Eliminate Internet Exposure of OT Systems
  • Immediately identify and remove public exposure for:
    • HMIs/SCADA dashboards.
    • VFD and pump control panels.
    • Historian views, Building Management System (BMS)/HVAC interfaces.
    • Vendor maintenance portals.
  • Where remote access is essential, enforce VPN + MFA + IP allowlisting.
  • Change or disable all default credentials on PLCs, gateways, HMIs, and OT appliances.
2. Harden Remote Access Pathways
  • Audit vendor and contractor accounts; eliminate dormant and shared credentials.
  • Enforce per‑user accounts, short‑lived access tokens, and strict session logging.
  • Prohibit unsecured VNC/RDP on public IPs; ensure remote protocols traverse secured channels only.
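The unsecured VNC exposure called out above can be confirmed from the first few bytes of the RFB (VNC) handshake. The following script is an added example, not code from Dragos, the NJCCIC, or any vendor: it parses the server's version line and the security types it advertises (type 1 is no authentication at all; type 2 is the classic DES challenge‑response that caps passwords at eight characters) and flags endpoints that will accept an unauthenticated or weakly authenticated session. The host address, the port, and the greeting bytes used in the comments are assumptions for illustration. Run the live probe only against systems you are authorized to test.

```python
import socket
import struct

# RFB security types as defined by the RFB protocol specification. Type 1
# means no authentication at all; type 2 is the classic DES challenge-response
# that caps passwords at 8 characters.
RFB_SECURITY_NAMES = {
    0: "Invalid (connection refused)",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_rfb_server_greeting(data: bytes):
    """Parse the server side of an RFB handshake.

    `data` is the server's 12-byte version line followed by its security
    announcement: for RFB 3.7+ a u8 count and that many u8 types, for
    RFB 3.3 a single big-endian u32 type. Returns (version, [types]).
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB greeting")
    version = data[:12].decode("ascii").rstrip("\n")
    major, minor = int(version[4:7]), int(version[8:11])
    body = data[12:]
    if (major, minor) >= (3, 7):
        if not body:
            raise ValueError("truncated security-type list")
        count = body[0]
        if count == 0:
            # Server refused the connection; a reason string follows.
            return version, []
        types = list(body[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
        return version, types
    if len(body) < 4:
        raise ValueError("truncated RFB 3.3 security type")
    (sec_type,) = struct.unpack(">I", body[:4])
    return version, [sec_type] if sec_type else []


def assess_vnc_exposure(data: bytes) -> dict:
    """Classify a captured or probed handshake for triage."""
    version, types = parse_rfb_server_greeting(data)
    return {
        "version": version,
        "security_types": [RFB_SECURITY_NAMES.get(t, f"unknown({t})") for t in types],
        "refused": not types,
        # Any client can open a session without presenting credentials.
        "unauthenticated": 1 in types,
        # Nothing stronger than the 8-character DES challenge is offered.
        "weak_auth_only": bool(types) and all(t in (1, 2) for t in types),
    }


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Perform the handshake against a live endpoint you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _recv_exact(sock, 12)
        if not greeting.startswith(b"RFB "):
            raise ValueError(f"{host}:{port} did not answer with an RFB banner")
        # Echo the server's version so it proceeds to the security announcement.
        sock.sendall(greeting)
        major, minor = int(greeting[4:7]), int(greeting[8:11])
        if (major, minor) >= (3, 7):
            count = _recv_exact(sock, 1)
            announcement = count + _recv_exact(sock, count[0])
        else:
            announcement = _recv_exact(sock, 4)
        return assess_vnc_exposure(greeting + announcement)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed HMI address
    print(probe_vnc(target))
```

A result with "unauthenticated": True on a public address is the exact condition the hacktivist screenshots rely on; "weak_auth_only": True on a public address should be treated the same way, since the classic VNC password is trivially brute‑forced and is usually shared across a site.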
3. Strengthen OT Process Protections
  • Lock down mode changes between manual/automatic operations and ensure interlocks cannot be overridden remotely.
  • Review alarm logic so acknowledgment cannot suppress critical trips.
  • Verify safe bounds for pump pressure/flow, chemical dosing, thermal processes, or other ICS parameters.
4. Increase Monitoring and Anomaly Detection
  • Monitor for:
    • Unusual UI activity (rapid page‑switching, configuration writes, parameter changes).
    • Logins from unexpected geolocations or IP ranges.
    • Excessive VNC/RDP/HTTP sessions on OT devices.
  • Apply geo‑fencing and egress filtering for admin access.
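The monitoring points above (logins from unexpected ranges, bursts of configuration writes, setpoints pushed outside safe bounds, alarms cleared) can be expressed as a handful of rules over an HMI or remote‑access gateway's audit log. The script below is an added example and is not from Dragos, the NJCCIC, or any vendor. The key=value log format, the allowlisted VPN range 192.0.2.0/24, the engineering limits, the tag names, and the sample log lines are all constructed assumptions; substitute your own export format and limits.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Everything here is an assumption for illustration: the key=value log format,
# the allowlisted VPN/jump-host range, the engineering limits and the tag names.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
SAFE_BOUNDS = {"PUMP1_SETPOINT_PSI": (40.0, 75.0)}
ALARM_ENABLE_TAGS = {"ALARM_HIGH_PSI_ENABLE"}
WRITE_BURST_COUNT, WRITE_BURST_WINDOW_S = 3, 60
LOGIN_BURST_COUNT, LOGIN_BURST_WINDOW_S = 5, 300

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn '<iso-timestamp> k=v k=v ...' into a dict with a datetime `ts`."""
    ts_str, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    event["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return event


def _trim(window: deque, now, max_age_s: int) -> None:
    """Drop timestamps that have fallen out of the sliding window."""
    while window and (now - window[0]).total_seconds() > max_age_s:
        window.popleft()


def detect(lines, allowed=ALLOWED_SOURCES, bounds=SAFE_BOUNDS) -> list:
    """Run the rules over log lines in order; returns a list of alert dicts."""
    alerts = []
    logins = defaultdict(deque)   # host -> login timestamps
    writes = defaultdict(deque)   # (host, src) -> write timestamps

    def alert(rule, ev, detail):
        alerts.append({"ts": ev["ts"].isoformat(), "kind": rule,
                       "host": ev.get("host"), "detail": detail})

    for line in lines:
        ev = parse_line(line)
        etype, host, src, ts = ev.get("event"), ev.get("host"), ev.get("src"), ev["ts"]

        # Rule 1: any activity from outside the allowlisted admin ranges.
        if src and not any(ipaddress.ip_address(src) in net for net in allowed):
            alert("UNEXPECTED_SOURCE", ev, f"{etype} from {src} outside allowlist")

        if etype == "login":
            # Rule 2: too many sessions opened on one device in a short window.
            q = logins[host]
            q.append(ts)
            _trim(q, ts, LOGIN_BURST_WINDOW_S)
            if len(q) == LOGIN_BURST_COUNT:
                alert("LOGIN_BURST", ev, f"{len(q)} logins in {LOGIN_BURST_WINDOW_S}s")

        elif etype == "write":
            tag, new = ev.get("tag"), ev.get("new")
            # Rule 3: rapid-fire configuration writes from one source.
            q = writes[(host, src)]
            q.append(ts)
            _trim(q, ts, WRITE_BURST_WINDOW_S)
            if len(q) == WRITE_BURST_COUNT:   # fire once as the threshold is crossed
                alert("WRITE_BURST", ev, f"{len(q)} writes from {src} in {WRITE_BURST_WINDOW_S}s")
            # Rule 4: setpoint pushed outside its engineering limits.
            if tag in bounds:
                lo, hi = bounds[tag]
                try:
                    value = float(new)
                except (TypeError, ValueError):
                    value = None
                if value is None or not lo <= value <= hi:
                    alert("OUT_OF_BOUNDS", ev, f"{tag}={new} outside [{lo}, {hi}]")
            # Rule 5: a critical alarm enable flag cleared.
            if tag in ALARM_ENABLE_TAGS and new == "0":
                alert("ALARM_DISABLED", ev, f"{tag} cleared by {ev.get('user')}")
    return alerts


# Constructed sample log: one legitimate operator session from the VPN range,
# then an external actor raising a setpoint, disabling an alarm and forcing
# manual mode within seconds.
SAMPLE_LOG = """\
2026-03-05T02:10:00Z host=pump-hmi-01 event=login user=operator src=192.0.2.15 proto=vnc
2026-03-05T02:11:30Z host=pump-hmi-01 event=write user=operator src=192.0.2.15 tag=PUMP1_SETPOINT_PSI old=55 new=58
2026-03-05T02:14:07Z host=pump-hmi-01 event=login user=admin src=203.0.113.45 proto=vnc
2026-03-05T02:14:09Z host=pump-hmi-01 event=write user=admin src=203.0.113.45 tag=PUMP1_SETPOINT_PSI old=58 new=95
2026-03-05T02:14:15Z host=pump-hmi-01 event=write user=admin src=203.0.113.45 tag=ALARM_HIGH_PSI_ENABLE old=1 new=0
2026-03-05T02:14:22Z host=pump-hmi-01 event=write user=admin src=203.0.113.45 tag=PUMP1_MODE old=AUTO new=MANUAL
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["kind"], a["host"], a["detail"])
```

Against the constructed log the legitimate session produces nothing, while the external session raises an UNEXPECTED_SOURCE alert on every action plus OUT_OF_BOUNDS, ALARM_DISABLED and WRITE_BURST alerts. The bounds and alarm rules are deliberately independent of the source address: an insider or a compromised vendor account on the allowlisted range still trips them.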
5. Prepare for Public‑Facing DDoS
  • Ensure Content Delivery Network (CDN)/Web Application Firewall (WAF) coverage for state portals and utility websites.
  • Separate public‑facing infrastructure from operational networks.
  • Maintain communication contingency plans to avoid operational disruption during DDoS noise.
6. Local Operators
  • Local utilities, water districts, public works departments, and emergency services are encouraged to validate segmentation and remote‑access hygiene.
  • Report abnormal HMI behavior, suspected tampering, or unexplained changes to setpoints/alarms to the NJCCIC.