CISA’s latest joint advisory exposes a trend security teams have long suspected: pro-Russian hacktivist groups are exploiting unintentionally exposed industrial control interfaces to disrupt critical infrastructure. These groups lack deep technical ability, misrepresent their own capabilities, and often misunderstand the systems they are manipulating. Their tactics may be clumsy, but the operational consequences for victims are real: lost visibility, forced manual intervention, and costly recovery work.
The advisory highlights a structural issue across food and agriculture facilities, local governments, water utilities, and energy operators. Many organizations still have internet-reachable xIoT and OT devices with weak credentials, outdated configurations, and remote access services that were never meant to be exposed.
For CISOs and CIOs, the takeaway is clear: your xIoT blind spot is no longer abstract. It’s being exploited in the open.
How the Intrusions Actually Work
The attacks described by CISA are not sophisticated. They are opportunistic, repeatable, and enabled by common misconfigurations.
At the center of these campaigns are VNC-connected HMI devices.
An HMI (Human–Machine Interface) is the control screen an operator uses to run industrial equipment. It is an OT/ICS device, not an IT system. HMIs control pumps, valves, mixers, heaters, blowers, treatment systems, and other physical processes.
VNC (Virtual Network Computing) is simply remote screen access, similar to remote desktop tools in IT. It lets someone view and click buttons on that control screen from anywhere in the world.
CISA describes a troublingly simple pattern:
Hackers are discovering industrial control screens that have been made accessible online, without protection, and clicking buttons on them as if they were plant operators.
They don’t need to bypass a firewall or exploit a zero-day. They log in because:
- The system is visible on the internet
- VNC is open
- The password is weak, default, or missing entirely
Once inside the control interface, attackers can interact with real operational devices. CISA reports that intruders have:
- Changed pump or valve settings
- Turned alarms off
- Renamed devices
- Adjusted process parameters
- Forced operators to intervene manually
- Caused temporary shutdowns or “loss of view.”
Even though these groups often don’t understand the process they’re manipulating, the operational impact is real. A loss of view forces technicians onsite to regain monitoring of operations. Resetting parameters or logic often requires specialized engineering support. And every unnecessary change increases safety risk.
In some intrusions, these hacktivists even run DDoS attacks against related networks to create confusion or impair operator response—despite lacking the engineering knowledge to understand the consequences.
The goal isn’t espionage or long-term persistence. It’s notoriety, and the advisory notes these groups frequently exaggerate the effects of their intrusions on social media. But even a clumsy attacker can create downtime, misconfigurations, or expensive remediation efforts, especially when critical equipment is exposed.
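To make the "VNC is open, the password is weak or missing" pattern concrete, here is an added example (not part of the original post and not a Phosphorus product) of how a defender can read the first bytes a VNC server sends and classify its authentication posture. It parses the RFB ProtocolVersion and security-type advertisement as specified in RFC 6143 (version 3.3 sends a single 32-bit type; 3.7 and 3.8 send a count followed by one byte per type) and rates a device by the weakest type it offers, because the client, not the server, chooses which one is used. The hostnames, captured bytes and posture labels are constructed for illustration.

```python
"""Added example: rate a VNC server's authentication posture from its RFB handshake."""
import struct

# Security-type codes from RFC 6143 and the IANA RFB registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
    6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL",
}
# Types that wrap the session in an encrypted, authenticated channel.
ENCRYPTED_TYPES = {5, 6, 18, 19, 20}


def parse_security_types(server_bytes):
    """Return (version, [security types]) from the bytes the server sends
    before the client makes any choice: the 12-byte ProtocolVersion and the
    security advertisement. RFB 3.3 sends one U32 type (0 = refused, reason
    follows); 3.7/3.8 send a U8 count then one U8 per type (count 0 = refused).
    """
    if len(server_bytes) < 12 or not server_bytes.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion banner")
    version = server_bytes[:12].decode("ascii").strip()
    body = server_bytes[12:]
    if version == "RFB 003.003":
        (sec_type,) = struct.unpack("!I", body[:4])
        if sec_type == 0:
            raise ConnectionError(_reason(body[4:]))
        return version, [sec_type]
    count = body[0]
    if count == 0:
        raise ConnectionError(_reason(body[1:]))
    return version, list(body[1:1 + count])


def _reason(tail):
    """Decode the U32-length-prefixed reason string a refusing server sends."""
    (length,) = struct.unpack("!I", tail[:4])
    return tail[4:4 + length].decode("latin-1", "replace")


def rate_exposure(types):
    """Rate by the weakest type offered: the client picks, so a server that
    offers 'None' alongside VeNCrypt is still unauthenticated in practice."""
    offered = set(types)
    if 1 in offered:
        return "NO_AUTH"
    if 2 in offered:
        # VNC Authentication is a DES challenge over at most 8 password
        # characters, exchanged on an unencrypted session.
        return "PASSWORD_ONLY"
    if offered & ENCRYPTED_TYPES:
        return "ENCRYPTED_AUTH"
    return "UNKNOWN"


def audit_inventory(banners):
    """Turn a {host: captured server bytes} map into posture findings."""
    findings = []
    for host, banner in banners.items():
        try:
            version, types = parse_security_types(banner)
            posture = rate_exposure(types)
        except ConnectionError as exc:
            version, types, posture = None, [], f"REFUSED ({exc})"
        findings.append({
            "host": host,
            "version": version,
            "types": [SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types],
            "posture": posture,
        })
    return findings


# Constructed sample captures: hostnames and bytes are invented for illustration.
SAMPLE_BANNERS = {
    "hmi-pump-01.example": b"RFB 003.008\n" + b"\x01\x01",          # offers only 'None'
    "hmi-mixer-02.example": b"RFB 003.008\n" + b"\x02\x02\x13",      # VNC Auth + VeNCrypt
    "plc-gw-03.example": b"RFB 003.003\n" + struct.pack("!I", 2),   # old 3.3 server, VNC Auth
    "hmi-boiler-04.example": b"RFB 003.008\n" + b"\x00" + struct.pack("!I", 8) + b"Too many",
}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_BANNERS):
        print(f"{f['host']:24} {f['posture']:22} {f['types']}")
```

Anything rated NO_AUTH is exactly the case the advisory describes; PASSWORD_ONLY on an internet-reachable device is only marginally better, since the legacy VNC challenge caps the password at eight characters and the session is unencrypted.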
Why This Matters for Executive Leadership
The advisory highlights a fundamental challenge for modern critical infrastructure operators: the systems most crucial to physical operations often have the weakest security controls.
CISA’s findings match what Phosphorus encounters across enterprise xIoT environments every day:
- Default or weak passwords remain widespread
- VNC, Telnet, FTP, and other legacy services are still enabled
- HMIs, PLCs, and OT gateways are reachable from untrusted networks
- Firmware is outdated, sometimes containing known exploited vulnerabilities
- Visibility is incomplete, especially for ICS/OT devices that never touch IT asset inventories
Phosphorus research shows:
- 70% of xIoT devices ship (and are often deployed) with default credentials
- 68% run outdated or vulnerable firmware
- 26% are end-of-life and unsupported by manufacturers
These conditions make the TTPs described in the advisory cheap, fast, and easily replicated. And because these groups share techniques and amplify each other’s intrusions online, the problem is accelerating.
For executives, the question is no longer whether these exposures exist; it’s whether anybody in your organization can see them, measure them, and fix them at scale.
Where Phosphorus Helps You Get Ahead
CISA provides clear mitigation steps, but executing them across thousands of heterogeneous xIoT and OT assets is not something traditional IT tools or manual processes can handle. Phosphorus was built specifically for this challenge.
1. Identify Exposed and At-Risk Devices
Phosphorus Intelligent Active Discovery identifies every IoT, OT, IIoT, and IoMT device, without requiring agents or disruptive scanning, and reveals which devices expose remote access services such as VNC, RDP, Telnet, SSH, or vendor-specific protocols.
We provide high-fidelity details, including open ports, authentication posture, firmware version, service exposure, and configuration risks.
2. Eliminate Default and Weak Credentials
CISA’s advisory makes clear that default, weak, and missing passwords are central to these intrusions.
Phosphorus automates password rotation, credential hardening, and secure credential storage across entire xIoT and ICS fleets.
3. Harden Configurations and Reduce Attack Surface
Phosphorus automatically disables unnecessary or high-risk services, enforces secure configurations, and applies uniform baselines across HMIs, PLCs, cameras, building automation systems, and other OT/xIoT devices.
This significantly reduces the number of entry points available to attackers.
4. Prioritize Firmware Vulnerabilities With KEV and EPSS
While the advisory focuses on VNC exposure, CISA continues to warn that outdated firmware across xIoT devices creates major risk.
Phosphorus enriches device firmware findings with CISA Known Exploited Vulnerabilities (KEV) and FIRST Exploit Prediction Scoring System (EPSS) intelligence to help organizations prioritize the vulnerabilities attackers are most likely to exploit. We automate safe upgrades or downgrades and validate firmware integrity at scale.
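An added illustration (not Phosphorus code) of the ranking logic this step describes: each firmware finding carries whether its CVE is in the CISA KEV catalog, its FIRST EPSS score, and whether the device is reachable from the internet, and the tiering puts "KEV on an exposed device" first, then any KEV entry, then findings above an EPSS cut-off. The device names, CVE placeholder identifiers, scores and the 10% EPSS threshold are all constructed assumptions.

```python
"""Added example: order firmware findings by KEV, EPSS and exposure."""
from dataclasses import dataclass


@dataclass
class Finding:
    device: str
    cve: str                   # placeholder IDs below; real ones come from your scanner
    epss: float                # FIRST EPSS score: probability of exploitation within 30 days
    in_kev: bool               # present in CISA's Known Exploited Vulnerabilities catalog
    internet_reachable: bool   # device exposes a management service to untrusted networks
    end_of_life: bool = False  # vendor no longer ships firmware fixes


EPSS_THRESHOLD = 0.10  # assumed cut-off; set it from your own risk appetite


def tier(f):
    """Lower tier is fixed first. KEV means the flaw is already being exploited
    somewhere; combine that with exposure and it goes to the top of the queue."""
    if f.in_kev and f.internet_reachable:
        return 1
    if f.in_kev:
        return 2
    if f.epss >= EPSS_THRESHOLD:
        return 3
    return 4


def prioritize(findings):
    """Tier first, then EPSS descending, then end-of-life devices ahead of
    supported ones because they will never receive a vendor patch."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, not f.end_of_life))


def remediation(f):
    """Recommend the action that matches the finding's situation."""
    if f.end_of_life:
        return "no vendor fix available: isolate from untrusted networks and plan replacement"
    if f.internet_reachable:
        return "remove internet exposure first, then upgrade firmware"
    return "upgrade firmware in the next maintenance window"


# Constructed sample data: device names, CVE placeholders and scores are invented.
SAMPLE_FINDINGS = [
    Finding("bas-controller-04", "CVE-PLACEHOLDER-0004", epss=0.01, in_kev=False, internet_reachable=False),
    Finding("plc-gateway-02", "CVE-PLACEHOLDER-0002", epss=0.85, in_kev=False, internet_reachable=True),
    Finding("hmi-pump-01", "CVE-PLACEHOLDER-0001", epss=0.03, in_kev=True, internet_reachable=True),
    Finding("camera-03", "CVE-PLACEHOLDER-0003", epss=0.40, in_kev=True, internet_reachable=False, end_of_life=True),
]


def work_queue(findings=SAMPLE_FINDINGS):
    """Ordered list of (device, cve, tier, action) ready for a ticketing system."""
    return [(f.device, f.cve, tier(f), remediation(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    for device, cve, t, action in work_queue():
        print(f"tier {t}  {device:18} {cve:22} {action}")
```

Note that the low-EPSS finding on hmi-pump-01 still lands at the top: KEV membership and exposure outweigh a prediction score, which is the point of combining the two sources rather than sorting on EPSS alone.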
5. Monitor for Drift and Suspicious Changes
The actions described in the advisory (changing parameters, disabling alarms, and renaming devices) are exactly the kinds of device-level deviations Phosphorus is built to detect.
We continuously identify:
- unauthorized configuration changes
- unexpected password resets
- service enable/disable events
- firmware or certificate modifications
and escalate them immediately.
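As an added example (not Phosphorus's own detection engine), here is the shape of a drift check over device state snapshots: a baseline recorded after the last authorised change is diffed against the current state, and each deviation is classified according to what the advisory says intruders do (alarms disabled, setpoints moved, devices renamed, remote-access services switched on, passwords or firmware changed outside the managed process). The device records, setpoint tolerances and severity mapping are constructed assumptions.

```python
"""Added example: flag device-level drift by diffing OT/xIoT state snapshots."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
# Services whose unexpected appearance means a new remote way in.
REMOTE_ACCESS_SERVICES = {"vnc", "telnet", "rdp", "ssh", "ftp"}
# Assumed per-setpoint tolerance: operators nudge values, intruders move them.
SETPOINT_TOLERANCE = {"chlorine_ppm": 0.2, "pump_speed_pct": 5}


@dataclass
class Drift:
    device: str
    field: str
    before: object
    after: object
    severity: str


def diff_device(device, base, cur):
    """Compare one device's baseline record against its current record."""
    found = []

    def add(field, before, after, severity):
        found.append(Drift(device, field, before, after, severity))

    if base["name"] != cur["name"]:
        add("name", base["name"], cur["name"], "medium")
    if base["alarms_enabled"] and not cur["alarms_enabled"]:
        add("alarms_enabled", True, False, "critical")
    for key, before in base["setpoints"].items():
        after = cur["setpoints"].get(key)
        if after is None or abs(after - before) > SETPOINT_TOLERANCE.get(key, 0):
            add(f"setpoints.{key}", before, after, "high")
    for svc, before in base["services"].items():
        after = cur["services"].get(svc, False)
        if after and not before:
            add(f"services.{svc}", before, after,
                "high" if svc in REMOTE_ACCESS_SERVICES else "medium")
        elif before and not after:
            add(f"services.{svc}", before, after, "medium")
    if base["firmware"] != cur["firmware"]:
        add("firmware", base["firmware"], cur["firmware"], "high")
    if base["password_generation"] != cur["password_generation"]:
        # A rotation the credential manager did not record is a reset by someone else.
        add("password_generation", base["password_generation"],
            cur["password_generation"], "high")
    return found


def detect_drift(baseline, current):
    """Diff every baselined device; a device that vanished is itself a finding."""
    drifts = []
    for device, base in baseline.items():
        cur = current.get(device)
        if cur is None:
            drifts.append(Drift(device, "presence", "present", "missing", "high"))
            continue
        drifts.extend(diff_device(device, base, cur))
    return sorted(drifts, key=lambda d: SEVERITY_RANK[d.severity])


# Constructed snapshots: device names, values and the changes are invented.
BASELINE = {
    "hmi-chlorine-01": {
        "name": "hmi-chlorine-01", "alarms_enabled": True,
        "setpoints": {"chlorine_ppm": 1.2, "pump_speed_pct": 60},
        "services": {"vnc": False, "telnet": False, "https": True},
        "firmware": "4.2.1", "password_generation": 7,
    },
    "plc-intake-02": {
        "name": "plc-intake-02", "alarms_enabled": True,
        "setpoints": {"pump_speed_pct": 45},
        "services": {"ssh": False, "https": True},
        "firmware": "2.0.9", "password_generation": 3,
    },
}
CURRENT_STATE = {
    "hmi-chlorine-01": {
        "name": "HMI", "alarms_enabled": False,
        "setpoints": {"chlorine_ppm": 4.0, "pump_speed_pct": 63},  # 63 is within tolerance
        "services": {"vnc": True, "telnet": False, "https": True},
        "firmware": "4.2.1", "password_generation": 8,
    },
    "plc-intake-02": dict(BASELINE["plc-intake-02"]),  # unchanged, should produce nothing
}

if __name__ == "__main__":
    for d in detect_drift(BASELINE, CURRENT_STATE):
        print(f"[{d.severity:8}] {d.device} {d.field}: {d.before!r} -> {d.after!r}")
```

The tolerance table is what keeps the check useful: an operator trimming pump speed by a few percent is normal, a chlorine setpoint more than tripled with alarms simultaneously disabled is not, and the sort order puts that pairing at the top of the alert.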
Closing the Gap Between Advisory and Action
CISA has said the quiet part aloud: your xIoT and ICS devices are the easiest way in, and attackers know it.
These intrusions are not sophisticated. They are preventable. But only if organizations can actually see the devices they rely on, understand their risk, and remediate issues at scale.
Phosphorus gives organizations the ability to do exactly that, delivering unified discovery, assessment, KEV/EPSS-informed prioritization, automated hardening, and continuous monitoring across the entire xIoT and ICS footprint.
If you want clarity on where your most exposed devices sit and how to close those gaps before someone else clicks your industrial controls, Phosphorus can help.
Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.