Justin Sullivan/Getty Images
In an aerial view, pools of water are visible at a wastewater treatment plant on March 20, in California. US security officials are asking water authorities to shore up their defenses after finding weak security practices at water plants breached by pro-Russia hackers.
CNN  — 

Pro-Russia hackers have exploited shoddy security practices at multiple US water plants in recent cyberattacks that have hit a wider swathe of victims than was previously documented, according to an advisory by US federal agencies obtained by CNN.

Though the attacks have not impacted drinking water, the advisory lays bare the cybersecurity challenges facing the thousands of water systems across the US, many of which are often short of cash and personnel to deal with threats. The document helps explain the plea that US national security adviser Jake Sullivan made in March to water authorities to shore up their defenses.

US officials investigating the cyberattacks have found that the hacked facilities often had outdated equipment connected to the internet protected by weak passwords, making it relatively easy for hackers to breach the sensitive networks that handle water treatment and other industrial operations, the document says. The Cybersecurity and Infrastructure Security Agency, FBI and other agencies are set to release the advisory publicly later on Wednesday.

The advisory covers a string of recent cyberattacks claimed by Russian-speaking hackers — some of which have been reported publicly — that have alarmed US officials because of the hackers’ brazen willingness to infiltrate computers at US industrial plants using rudimentary attack techniques.

US officials have in recent weeks been privately telling electric utilities, water facilities and other critical infrastructure firms to take industrial equipment off the internet before the hackers can exploit it, multiple people familiar with the efforts told CNN.

The document alludes to multiple incidents that are publicly known, including a cyberattack in north Texas in January that caused a water tank to overflow. But the document also suggests the scope of the hacks is wider than was previously known, hitting at least one victim in the food and agriculture sector. The hackers also have publicly claimed to have targeted a French dam and a Polish water facility.

The FBI and CISA have responded to “several” US water and wastewater (WWS) facilities that have “experienced limited physical disruptions” from the hackers, according to the document, which was also produced by the National Security Agency and the Department of Energy, among other agencies.

“In each case, hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the [water and wastewater systems] operators,” says the draft advisory. All of the water facilities quickly cut off public internet access to their industrial computers and restored normal operations, according to the advisory.

It’s the type of document that US agencies regularly produce after a hacking campaign and includes security recommendations for affected facilities.

A group of Russian-speaking hackers have claimed responsibility for the hacks, which began in January but have continued in recent weeks. The hackers claimed credit for a cyberattack on an Indiana wastewater treatment plant on a Friday night last month that prompted plant managers to send maintenance personnel to investigate.

The hackers have been finding vulnerable industrial systems online and then opportunistically breaking into them. They use Telegram, a Russian social media platform, to exaggerate the impact of their hacks with eye-grabbing videos.

In a report published last month, Google-owned cybersecurity firm Mandiant found multiple links between a unit in the Russian GRU military intelligence agency and the online infrastructure used by the hackers to publicize their attacks. But it was unclear, Mandiant said, whether it was Russian government-affiliate hackers who were behind the hacks on US facilities or Russia-speaking cybercriminals.

Regardless, US officials see the incidents as just the latest episode in Russia’s long-running harboring of hackers who target US critical infrastructure. Moscow has denied US allegations that it provides a safe haven for hackers.

The alleged Russian hacks are not the only opportunistic cyberattacks on US water facilities in recent months. In November, hackers breached Israeli-made industrial equipment at multiple US water facilities, in some cases displaying anti-Israel slogans on the computer screens. US officials blamed the Iranian government. CNN has asked Iran’s UN mission to comment on the allegation.

None of the cyberattacks have affected drinking water, but they have served as a stern wakeup-call to a sector often short of resources to defend itself. Some US lawmakers have called for more federal resources to water plants and to the EPA to help defend against the hacks.

“Community water systems are often funded by the rates charged to the consumers,” Gus Serino, a water-sector cyber specialist, told CNN. “Increasing rates to cover the cost of elective cybersecurity is not easy to get through budgetary processes. It essentially results in higher rate or additional tax burden to the community they serve.”

Greater public attention on the issue has brought improvements. The Water Information Sharing and Analysis Center, an industry hub for cyber threat data and best practices, says its membership includes facilities that provide water to most of the US.

“Any money spent to defend a system from these attacks is money well worth it,” Robert J. Bible, the general manager at a Pittsburgh-area water utility hit by alleged Iranian hackers in November, told CNN this week. “It may cost much more as far as money plus public confidence if an attack occurs.”

The utility, the Municipal Water Authority of Aliquippa, spent “something over” $10,000 in equipment and labor to recover from the cyberattack, according to Bible. He said he plans on “contacting the feds to conduct the vulnerability assessment of our entire operation.”