Ukrainian Hackers Hijacked 87,000 Sensors to Shut down Sewage System

Ukrainian hackers have successfully infiltrated and disabled a vast network of industrial sensors and monitoring infrastructure in Russia, leading to a significant shutdown of sewage systems, among other utilities.

The group, known as BlackJack, executed the attack on the 9th of April, 2024, causing widespread disruption to Russia’s essential services.

The initial breach occurred in June 2023, when the hackers gained access to Russia’s Network Operation Center (NOC). The NOC oversees the functioning of various utilities, including gas, water, and fire alarm systems.

The NOC is a critical infrastructure component that controls a network of remote sensors and Internet of Things (IoT) controllers.

The attack has led to the disabling of approximately 87,000 sensors and controls across Russia.

This includes systems within airports, subways, and gas pipelines.

However, the hackers claim to have carefully excluded targets that could affect civilian safety, such as hospitals and airports.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The Malware: Fuxnet

The hackers deployed a potent malware, dubbed ‘Fuxnet’—a reference to the infamous Stuxnet worm, but with enhancements.

Fuxnet was designed to cause physical damage to the sensory equipment by exhausting NAND/SSD memory and corrupting firmware with wrong CRC values.

The malware has begun to flood communication protocols such as RS485/MBus, sending random commands to the compromised control and sensory systems.

One of the most affected utilities is the sewage system, which relies heavily on sensor data to manage the flow and treatment of wastewater.

The disruption caused by the hijacking of these sensors has led to operational failures and potential environmental hazards.

The group responsible for the attack has made available hacked data at ruexfill, which includes:

  • GPS coordinates of all affected sensors
  • A database of the internal messaging platform used by Moscollector employees
  • Screenshots of the Network Operation Centre and various servers, routers, and databases
  • Screenshots of maps and blueprints of buildings
  • Evidence of access to the domain registrar
  • Screenshots of the FuxNet source code and its mode of operation
  • Video footage of FuxNet deploying and disabling sensors
  • Selected dumps of firewall and router configurations

Following the cyberattack, approximately 1,700 sensor routers were reported destroyed, and the central command dispatcher and database were destroyed.

The hackers also disrupted web and email traffic, took down firewalls, and defaced the Moscollector webpage, leaving a message indicating their presence.

This cyberattack marks a significant escalation in the ongoing digital warfare between Ukraine and Russia.

The international community is closely monitoring the situation, as the impact of such cyber operations extends beyond national borders, potentially affecting global cybersecurity protocols and the stability of international infrastructure.

The Ukrainian hackers’ operation against Russian industrial infrastructure demonstrates cyber warfare’s increasing sophistication and potential consequences.

As nations grapple with the security of their critical infrastructure, this incident is a stark reminder of the vulnerabilities inherent in our interconnected digital world.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.