In a world where digital threats are increasingly spilling over into the physical realm, few voices are as crucial as Malik Haidar’s. A seasoned cybersecurity expert with a deep background in analytics and intelligence for multinational corporations, he possesses a unique ability to translate complex cyber threats into tangible business risks. Following a recent joint advisory from CISA and the FBI on pro-Russian hacktivists targeting U.S. critical infrastructure, we sat down with Malik to understand the real-world implications of these attacks. Our conversation explored how low-sophistication attacks can cause significant physical disruption, the distinct motivations that drive these visibility-seeking groups, practical defense steps for under-resourced operators, and how the industry must respond to the evolving, collaborative nature of these cyber adversaries.
The advisory mentions groups like the Cyber Army of Russia Reborn are “low-skilled,” yet they’ve caused physical impacts. Can you walk us through the step-by-step process of how a simple password-guessing attack against an HMI can lead to costly manual recovery for an operator?
It’s a disturbingly simple chain of events, which is precisely what makes it so dangerous. It begins with a threat actor, often using widely available scanning tools, sweeping the internet for exposed systems. They’re essentially rattling digital doorknobs on an industrial scale. When they find an internet-facing human-machine interface—a control panel for a water pump or a food processing line—they move to the next step: brute-forcing the password. They aren’t using sophisticated exploits; they’re just using automated software to guess common, weak credentials like ‘12345’ or ‘admin’. Once they’re in, they have the same controls as a plant operator. They can alter system parameters, disable critical alarms meant to warn of a problem, or simply restart devices. The operator suddenly loses their view of the process, and the recovery is anything but simple. It’s a costly, all-hands-on-deck manual effort to physically verify every setting and ensure the system is safe to bring back online.
These hacktivists reportedly seek visibility over strategic advantage, often overstating their impact. From your experience, how does this motive change their tactics compared to state-sponsored groups, and what metrics would show the true, rather than publicized, damage from one of their attacks?
The difference in motive is night and day, and it fundamentally shapes their entire operational playbook. A state-sponsored group operates with stealth and precision, like a spy. Their goal is long-term access for intelligence gathering or positioning for a future strategic strike. Their success is measured by their invisibility. These hacktivist groups are the exact opposite; they are performers playing to an online audience. Their currency is notoriety, not espionage. Their tactics are loud and messy by design—they compromise a system, take a screenshot of the control panel, and immediately post it online to brag. They aren’t trying to hide; they’re trying to get noticed. The true damage isn’t found in their exaggerated online claims. We measure the real impact in operational metrics: hours of downtime, the cost of the emergency manual recovery, and the long-term erosion of public trust in that utility.
The advisory stresses reducing public internet access for OT assets and implementing MFA. For a small utility operator that might be resource-strapped, could you outline the first three practical steps they should take and share an anecdote illustrating the risk of inaction?
For a smaller operator feeling overwhelmed, it’s about prioritizing the most impactful actions first. The absolute first step is to conduct a thorough inventory and eliminate all non-essential internet connections to your operational technology. If a device doesn’t absolutely need to be online, take it offline. That alone drastically reduces your attack surface. Second, enforce strong password policies. Even if rolling out multi-factor authentication across the board is a challenge, you can immediately ban weak and default passwords, which stops these brute-force attacks in their tracks. Third, develop and drill a contingency plan for manual operations. Know exactly what you will do if the screens go dark. I’ve seen a small water utility that believed they were too insignificant to be a target. They had an exposed HMI with a factory-default password. An attacker got in and changed chemical dosing levels, and it was pure luck that a routine manual check caught the anomaly before it caused a public health crisis.
CISA is calling on OT manufacturers to prioritize “secure-by-design” principles. Beyond just shipping devices with strong default passwords, what are two or three specific engineering changes a manufacturer could implement to make their systems inherently more resilient to these types of brute-force attacks?
The call for “secure-by-design” is a fundamental shift from placing the security burden on the end-user to the manufacturer. It’s about building resilience in from the ground up. A huge step would be to ship devices with all remote access ports disabled by default. This would force the operator to make a deliberate, conscious decision to connect a system to the internet, rather than having it be the default state. Another crucial change is implementing robust, granular access controls within the device itself. A basic operator login shouldn’t have the same privileges as an engineer; this segmentation contains the damage if one set of credentials is compromised. Finally, manufacturers could build in automatic lockout mechanisms and alerting for a high number of failed login attempts. This would provide an inherent, early-warning system against the very password-guessing techniques these groups are using, stopping an attack before it even begins.
What is your forecast for the evolution of these hacktivist threats against critical infrastructure?
I see this as a concerning inflection point. The collaboration we’re seeing, with groups like CARR and NoName057(16) merging to form new entities like Z-Pentest, signals a maturation process. They are evolving from disorganized, individual collectives into more structured and capable organizations. This means they will likely share tactics, refine their tools, and coordinate their attacks for greater impact. My forecast is that while their core motivation may remain visibility, their capabilities will increase, and they will start causing more significant and potentially more dangerous physical disruptions. We must stop thinking of them as a low-level nuisance. We have to adapt our defensive strategies to account for an adversary that is actively learning, organizing, and becoming more potent over time.
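One concrete form of the lockout-and-alerting mechanism Malik describes above, as an added example that is not part of the interview or of any vendor's firmware: a sliding-window failed-login detector run over constructed HMI authentication log lines. The log format, the failure threshold and the window and lockout durations are assumptions made for the example.

```python
# Sliding-window lockout and alerting for failed HMI logins (added example).
# The log format is constructed for this example, not a vendor's syslog layout.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
MAX_FAILURES = 5                # failures within WINDOW that trigger a lockout
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=15)

# Constructed sample: one source guesses the 'admin' password, then an operator logs in.
SAMPLE_LOG = [
    "2024-05-01T08:00:00 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T08:00:05 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T08:00:10 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T08:00:15 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T08:00:20 auth FAIL user=admin src=203.0.113.7",  # 5th failure: lockout + alert
    "2024-05-01T08:00:25 auth FAIL user=admin src=203.0.113.7",  # refused during lockout
    "2024-05-01T08:02:00 auth OK user=admin src=203.0.113.7",    # correct guess, still refused
    "2024-05-01T08:03:00 auth OK user=operator src=10.0.0.5",    # unrelated legitimate login
]

def analyze(lines):
    """Return (alerts, rejected): alerts lists (time, user, src) lockouts; rejected counts attempts refused while locked."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    locked_until = {}               # (user, src) -> lockout expiry
    alerts, rejected = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue                # unparsable line; a real deployment would log it
        ts, user, src = datetime.fromisoformat(m["ts"]), m["user"], m["src"]
        key = (user, src)           # keying on account alone would let an attacker lock out the real operator
        if key in locked_until and ts < locked_until[key]:
            rejected += 1           # refuse every attempt during lockout, even a correct password
            continue
        if m["result"] == "OK":
            failures[key].clear()
            continue
        q = failures[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()             # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            locked_until[key] = ts + LOCKOUT
            alerts.append((ts, user, src))
            q.clear()
    return alerts, rejected
```

The alert fires on the fifth failure, and the later attempts from that source, including the one with the right password, are counted as rejected rather than granted.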