
Welcome back, cyberwarriors.
We continue our series on SCADA system compromise with another significant breach that recently occurred. In the context of the ongoing cyber conflict in Ukraine, our team of Cyber Cossacks successfully compromised yet another Russian organization responsible for deploying and overseeing meter systems throughout Russian regions and occupied Crimea. For years, this entity has directly supported the Russian state by conducting business in Crimea. For operational security reasons, we are unable to share specific company details or unredacted screenshots. Nonetheless, this article will provide a clear overview of what occurred and the technical aspects behind the compromise.
Introduction
The company was established in the early 2000s. It focuses on designing and implementing integrated solutions related to automation, control, and monitoring, primarily within the IoT space. Their solutions are installed across a broad range of sectors, including energy management, environmental monitoring, telemetry systems, and industrial automation.
They manufacture both software and hardware in-house, delivering end-to-end packages that include the development of smart meters, data loggers, programmable logic controllers (PLCs), industrial routers, and protocol converters. These systems are widely deployed in the Russian Federation, with a reported installation base exceeding 50,000 units.
Initial Access and Infection
Earlier this year, access to one of their internal systems was obtained via a phishing attack. The payload was embedded in an email attachment that bypassed antivirus detection. This is not an isolated case: security software such as Kaspersky often fails to keep up with newer remote access trojans (RATs) that are custom-built and updated to evade standard detection methods.
IoT System Monitoring and Interference
Over the course of several days, we examined the internal network and operational structure of the target environment. We maintained access for approximately six months, during which we monitored activities, reviewed logs, and altered certain datasets. Rather than simply wiping systems, which would have a temporary impact, our goal was to make long-term strategic alterations.
During the reconnaissance, we retrieved images from these locations, which helped us better understand the configuration and physical deployment of the hardware.
The thick cable carries all the data back and forth, while the smaller wires tap into each meter's output and feed it into the controller. Behind the scenes, the controller translates those pulses or signals into digital readings and makes sure everything stays within safe limits before sending the information on for analysis.
We also found several types of control cabinets. More sophisticated control panels featured compact PLCs with a series of I/O modules snapped onto DIN rails. The thin wires at the top connected sensors, such as pressure or temperature monitors. Beneath those modules, power cables and output lines were routed to devices like valves or relays.
This entire setup essentially functions as a small industrial control center: the PLC receives data from sensors, makes logical decisions, and then triggers specific outputs, all managed in a compact and structured cabinet.
As highlighted in previous articles, having a clear understanding of the systems you are compromising is essential. Without this, an attacker is no different from an amateur causing blind damage. But with detailed knowledge, strategic interference becomes possible, whether that is destruction or stealthy manipulation.
Impact on Private Consumers
Beyond interfering with commercial systems, we extended our efforts to installations intended for private consumers. These were smart meters responsible for monitoring water and electricity usage. Each meter in our compromised dashboard displayed cumulative consumption, voltage, power factor, pressure, temperature, and other live telemetry.
In response to ongoing Russian attacks on Ukrainian energy infrastructure, we selectively disabled electricity to certain end-users.
We also interfered with water meter operations, effectively cutting access to water where it was possible.
These installations were all centrally connected to the main server through antenna links mounted on rooftops, allowing us to receive telemetry from them.
Impact
A redacted list of affected companies reveals the true scope of the compromise. Each item in the list represented a node within the system, and each node required manual inspection and adjustment. Changes were made to various parameters such as voltage levels, pump pressure values, valve states, and sensor thresholds.
As discussed, the most strategic part of the attack was the poisoning of backup datasets. Once operators attempt a recovery from these backups, the restoration will bring back corrupted values, leading to incorrect billing, system failures, or both.
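A pre-restore check that would catch this kind of backup poisoning, added here as an example and not taken from the original post or from the compromised organization's systems: a backup is accepted only if an HMAC manifest computed with a key held off the SCADA server verifies, and, as a second layer for older backups that carry no manifest, node parameters are checked against a physical envelope and the last known-good snapshot. The node schema, limits, key and sample values are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed known-good snapshot of three nodes; field names and values are
# assumptions for this example, not the real schema of any deployed system.
KNOWN_GOOD = [
    {"node": "meter-001", "voltage": 230.0, "pump_pressure_bar": 4.2, "max_pressure_bar": 6.0},
    {"node": "meter-002", "voltage": 229.5, "pump_pressure_bar": 4.0, "max_pressure_bar": 6.0},
    {"node": "meter-003", "voltage": 231.0, "pump_pressure_bar": 3.9, "max_pressure_bar": 6.0},
]
# Physical envelope per field (assumed: 230 V +/- 10 %, 6 bar pipe rating).
LIMITS = {"voltage": (207.0, 253.0), "pump_pressure_bar": (0.0, 6.0)}
KEY = b"placeholder-offline-key"  # a real key is generated and kept off the SCADA server

def canonical(records):
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()

def sign_backup(records, key):
    # Computed when the backup is taken; without the offline key it cannot be recomputed.
    return hmac.new(key, canonical(records), hashlib.sha256).hexdigest()

def verify_backup(records, tag, key):
    return hmac.compare_digest(sign_backup(records, key), tag)

def plausibility_findings(records, baseline, drift=0.10):
    # Second layer for backups without a manifest: flag values outside the envelope,
    # >10 % drift from the node's last known-good value, or a threshold above rating.
    prior = {r["node"]: r for r in baseline}
    findings = []
    for r in records:
        for field, (lo, hi) in LIMITS.items():
            ref = prior.get(r["node"], {}).get(field)
            if not lo <= r[field] <= hi:
                findings.append((r["node"], field, "out of range"))
            elif ref is not None and abs(r[field] - ref) > drift * ref:
                findings.append((r["node"], field, "drift from baseline"))
        if r["max_pressure_bar"] > LIMITS["pump_pressure_bar"][1]:
            findings.append((r["node"], "max_pressure_bar", "threshold above rating"))
    return findings

def tampered_copy():
    # Constructed poisoned backup: threshold raised, pump pushed, voltage shifted.
    bad = json.loads(json.dumps(KNOWN_GOOD))
    bad[0]["max_pressure_bar"] = 9.0
    bad[1]["pump_pressure_bar"] = 5.5
    bad[2]["voltage"] = 260.0
    return bad

TAG = sign_backup(KNOWN_GOOD, KEY)  # manifest stored beside the backup at creation time
```

The integrity check only helps if the key never lives on the server that holds the backups; the plausibility pass is the fallback for backups taken before manifests were introduced.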
It is important to note that altering the actual values displayed on consumer-facing meters was not technically feasible due to hardware limitations. However, the burden of proof would fall on the consumers, who would need to challenge billing discrepancies. Given the lack of infrastructure and dedicated support personnel within the target organization, this would likely lead to extended downtime, customer dissatisfaction, and eventually financial penalties for the provider.
By late June, after successful implementation of all modifications, we wiped the primary systems responsible for processing and managing the connected nodes. In total, we affected approximately 3,500 meter installations across Russia.
Conclusion
With this operation we wanted to demonstrate how a deep understanding of industrial control systems, paired with patient, strategic planning, can produce long-lasting and widespread impact. The goal was not short-term disruption. Instead of destroying systems outright, we chose a more effective strategy by sabotaging the mechanisms that underpin restoration and continuity.
Through backup poisoning, administrative credential harvesting, and localized data manipulation, we were able to affect infrastructure far beyond what could be accomplished through simple malware deployment. This approach not only damages the present but ensures the chaos continues well into the future, all while remaining under the radar of conventional defensive tools.
The post SCADA Hacking and Security – Compromising Russian IoT Systems first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/scada-hacking-and-security-compromising-russian-iot-systems/