Welcome back, cyberwarriors.
This is the final part in our series on SCADA hacking. We continue diving into operations conducted by the Cyber Cossacks, a unit formed by OTW at the request of the Ukrainian government. These missions were carried out together with various Ukrainian hacker groups across the country. In unity we are strong!
Water Utility – Voronezh, Russia
Voronezh Water Utility is a major regional provider serving more than 1,050,000 residents in the city and nearby areas. The utility sources raw water from the Voronezh River and treats it at two large plants equipped with sand filtration, UV disinfection, and chemical dosing units. The final product is distributed through a network of over 1,200 kilometers of pipes. A separate system handles wastewater collection and purification using a mix of mechanical and biological treatment stages. Federal guidelines set strict standards, and the utility operates under regulatory oversight from Rosprirodnadzor and Rospotrebnadzor.

The utility’s infrastructure includes multiple SCADA workstations, PLC units at pump stations, telemetry relays at water towers, and a central monitoring hall. Around 300 employees manage operations, including remote inspections and data logging.

In late 2024, one of their employees clicked on a malicious email disguised as an equipment upgrade notice. This gave us access to the corporate network. From there, we moved laterally, bypassing internal firewalls and accessing the SCADA servers. For several weeks, the purification process was deliberately altered during the night, with the aim of contaminating the water supply with chemicals. It took them weeks to notice the suspicious behavior on several machines. When the engineers logged in to investigate, they found the control applications locked and the SCADA databases wiped clean.

Recovery required specialist teams from Moscow, who came to rebuild the infrastructure.
Ice Arena – St. Petersburg, Russia
The Ice Arena Sports Complex in St. Petersburg is a major hub for ice sports and public recreation. The building is often used for regional tournaments, youth training camps, and figure-skating events. The rinks are kept operational by an industrial-grade refrigeration system controlled by a SCADA platform that adjusts compressors, chillers, and air handlers.

In 2024, we launched a targeted spear-phishing campaign against front-desk staff, posing as event organizers. One employee took the bait, allowing us to infiltrate the internal network. From there, we accessed the SCADA subnet. At night we remotely shut down the compressors and chilled-water pumps. Within hours, ice temperatures rose, creating soft patches and melting zones.

We also managed to manipulate air circulation systems, flooding locker rooms with freezing air and locking operators out of the control systems. The attack happened just before a regional competition, throwing event schedules into chaos. Finally, technicians decided to isolate the SCADA servers physically. But we had already embedded a scheduled wiper, programmed to delete everything a few days later.


For deeper compromise, you can implant a hidden service that runs silently with SYSTEM privileges. Over time, this infects off-site backups, ensuring every recovery attempt carries the malware forward.
Business Center – Moscow, Russia
Located on Vasilisy Kozhinoy Street in western Moscow, this big business center houses tech startups, consulting firms, and shared office tenants. The building has a digital elevator system, climate controls, RFID access gates, and a surveillance network. The control systems are maintained remotely by a contracted service provider.

Once in, we accessed the SCADA controls for the elevator system. All the elevators were halted using an emergency-stop command. Simultaneously, we revoked credentials for the operator consoles.

It must be tough to get stuck between floors. The team had no access to real-time diagnostics, leading to delays and significant disruptions across the building.
Water Utility – Petrozavodsk, Russia
Petrozavodsk, the capital of the Republic of Karelia, depends on its central water utility to draw and process water from Lake Onega. The system covers thousands of households, several public institutions, and light industrial sites.

During our operation, we gained access through an insecure VPN channel used by contractors for remote troubleshooting. We then closed several critical vault valves and increased pressure across specific districts, overwhelming older pipes and causing bursts and leaks throughout the city.


With no access to real-time telemetry, emergency services had to rely on manual inspections. Water distribution was unstable for days, especially in industrial zones.
Boiler House – Pervouralsk, Russia
In the industrial town of Pervouralsk, one gas-fired boiler house supports a nearby residential complex. The system includes four small-capacity boilers, each with its own control loop managed via SCADA terminals. Operators can toggle between automatic and manual modes, monitor temperatures, and adjust draft fan speeds.

After breaching the control room through remote desktop access, we forced all systems into emergency shutdown. Then, by simulating erratic ignition cycles, we forced feed-water temperatures to exceed safe thresholds. The system’s draft fans failed, and district supply temperatures dropped sharply.

Within hours, residents noticed they had no heating. With the SCADA terminals unresponsive and all settings scrambled, technicians could not reboot the system properly. A full reset required factory assistance and several days of downtime.
Water Utility – Samara, Russia
Samara is a key city along the Volga River, home to over a million residents and a wide industrial base. The city’s water utility handles sourcing, purification, and distribution across residential, commercial, and public service zones. A large SCADA system tracks flow rates, water levels, and chlorine dosing at treatment sites.

Within hours, we deployed ransomware that encrypted all control software, telemetry dashboards, and server logs. Operators had no access to chemical dosing data or pump controls.

The utility switched to manual modes, which involved teams physically inspecting and operating equipment. While crews were working on reactivation, residents had water quality issues. Backup systems proved inadequate, as ransomware had infected shared network storage.
Gas Stations – Russia
In August 2024, we launched one of our most effective SCADA attacks against fuel distribution systems across Russia. A separate article covers the campaign in full, but here we’ll revisit the SCADA environment itself. The compromised SCADA software was developed by a regional contractor and deployed in dozens of fueling stations. One remote management port (TCP 50000) was left exposed. It used basic authentication and featured a command-line interface for basic status control via commands like ps. The interface included a hidden command that sanitized its input poorly, making it vulnerable to command injection.

We used this to run commands and establish reverse shells. Having cracked the passwords, we found that the same default credentials were used across many stations. Ultimately, we compromised over 60 fueling stations, including some in annexed Crimea.
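The two weaknesses in that management interface, unsanitized input reaching a shell and one set of default credentials shared across a fleet, are both cheap to fix on the defending side. The Python below is an added illustration written for this write-up; it is not code from Hackers Arise or from the contractor's product, and the command names, the argument pattern, the placeholder default passwords and the station inventory are all assumptions constructed for the example. The first part contrasts a string-splicing dispatcher (returned, never executed) with an allowlisted argv dispatcher that runs with shell=False; the second part audits a fleet's stored password hashes for stations still on a known default and for credential reuse between stations.

```python
import hashlib
import re
import shlex
import subprocess
from typing import Dict, List


# --- 1. Status-command handling ------------------------------------------------

def build_shell_command_unsafe(user_line: str) -> str:
    """The weak pattern: network input is spliced into a shell command string.
    Returned rather than executed so it can be inspected safely. With the
    input 'ps; id' a shell would run two commands, not one."""
    return "/bin/" + user_line


# Hypothetical allowlist: the only programs the interface may ever launch.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ps": ["/bin/ps"],
    "uptime": ["/usr/bin/uptime"],
}
# Arguments must be short alphanumeric tokens; no shell metacharacters at all.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


class CommandRejected(ValueError):
    """Raised when a request fails the allowlist checks."""


def build_argv_safe(user_line: str) -> List[str]:
    """Map a status request onto a fixed argv list, never a shell string."""
    try:
        tokens = shlex.split(user_line)
    except ValueError as exc:  # unbalanced quotes and similar
        raise CommandRejected(f"unparseable input: {exc}") from exc
    if not tokens:
        raise CommandRejected("empty command")
    name, args = tokens[0], tokens[1:]
    if name not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command not allowed: {name!r}")
    for arg in args:
        if not ARG_PATTERN.match(arg):
            raise CommandRejected(f"argument rejected: {arg!r}")
    return ALLOWED_COMMANDS[name] + args


def is_rejected(user_line: str) -> bool:
    """True when the safe dispatcher refuses the request."""
    try:
        build_argv_safe(user_line)
    except CommandRejected:
        return True
    return False


def run_status_command(user_line: str, timeout: float = 5.0) -> str:
    """Execute an allowlisted command with shell=False and a hard timeout."""
    argv = build_argv_safe(user_line)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


# --- 2. Fleet credential audit ---------------------------------------------------

# Placeholder values; a real audit uses the defaults documented by the vendor.
KNOWN_DEFAULT_PASSWORDS = ["changeme", "operator"]


def _digest(password: str) -> str:
    # SHA-256 stands in for whatever the product stores; a production system
    # should use a slow, salted password hash instead.
    return hashlib.sha256(password.encode()).hexdigest()


def audit_fleet_credentials(station_hashes: Dict[str, str]) -> Dict[str, list]:
    """Report stations still on a known default and groups sharing one hash."""
    default_digests = {_digest(p) for p in KNOWN_DEFAULT_PASSWORDS}
    groups: Dict[str, List[str]] = {}
    for station, digest in station_hashes.items():
        groups.setdefault(digest, []).append(station)
    return {
        "still_default": sorted(s for s, d in station_hashes.items()
                                if d in default_digests),
        "reused": sorted(sorted(g) for g in groups.values() if len(g) > 1),
    }


# Constructed sample inventory: two stations share a default, two share a site password.
SAMPLE_INVENTORY = {
    "station-01": _digest("changeme"),
    "station-02": _digest("changeme"),
    "station-03": _digest("K7#site-unique"),
    "station-04": _digest("Qz!other-site"),
    "station-05": _digest("Qz!other-site"),
}

if __name__ == "__main__":
    print(build_shell_command_unsafe("ps; id"))
    print(build_argv_safe("ps aux"))
    print(audit_fleet_credentials(SAMPLE_INVENTORY))
```

The dispatcher never interprets the request as a shell line: the command name selects a fixed program path, and every argument is checked against a narrow pattern, so a separator, substitution or backtick in the input is rejected before anything runs. The audit reads only stored hashes, which lets an operator find stations that still carry a vendor default or share a password with another site without handling the plaintext at all.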

Some gas stations were completely bricked. Others remain under our control, proxying traffic for intelligence and routing during the ongoing cyberwarfare. Their infrastructure now works against them.
Conclusion
It’s been a wild ride, from freezing homes in St. Petersburg and cutting off water in small villages to shutting down elevators in Moscow and tampering with oil and gas controls. We hope you liked this series. If SCADA hacking is your thing, go check out OTW’s SCADA hacking course. Keep sharpening your skills, stay curious about how systems really work, and be safe out there. Until the next operation!
The post SCADA Hacking: Inside Russian Facilities, Part 5 first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-5/