Canadian Critical Infrastructure Hack: Hacktivists Tamper With ICS at Water, Oil, and Agriculture Facilities
- Rescana

Executive Summary
The Canadian Centre for Cyber Security has confirmed that multiple critical infrastructure facilities in Canada, including a water treatment plant, an oil and gas company, and an agricultural operation, were targeted by hacktivists who successfully tampered with Industrial Control Systems (ICS). These incidents resulted in operational disruptions such as degraded water service, false alarms in oil storage systems, and unsafe environmental conditions in agricultural silos. The attacks were opportunistic rather than highly sophisticated, exploiting internet-exposed and poorly secured ICS and Operational Technology (OT) devices. No catastrophic consequences or data exfiltration were reported, but the events highlight significant vulnerabilities in the security posture of Canadian critical infrastructure. The authorities have not attributed the attacks to a specific group but have classified the threat actors as hacktivists motivated by disruption and publicity. The incidents underscore the urgent need for improved ICS/OT security practices, including the removal of direct internet exposure, implementation of strong authentication, and adherence to established cybersecurity guidelines. All information in this summary is based on verified primary sources, including the Canadian Centre for Cyber Security, BleepingComputer, and The Record by Recorded Future News (https://www.bleepingcomputer.com/news/security/canada-says-hacktivists-breached-water-and-energy-facilities/, https://therecord.media/canada-ics-hacktivists-tampering-cyber-centre-alert, https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-operational-technology).
Technical Information
The incidents involved unauthorized access to internet-exposed ICS and OT components at three separate Canadian facilities: a municipal water treatment plant, an oil and gas company, and an agricultural grain drying operation. In each case, attackers manipulated process parameters, resulting in operational disruptions. At the water facility, hackers altered water pressure values, leading to degraded service for the local community. At the oil and gas company, an Automated Tank Gauge (ATG) was manipulated, triggering false alarms. At the agricultural facility, attackers changed temperature and humidity levels in a grain drying silo, creating potentially unsafe conditions that were mitigated by timely intervention.
The technical root cause in all cases was the direct exposure of ICS/OT devices to the public internet, lacking adequate network segmentation, access controls, or strong authentication. The Canadian Centre for Cyber Security specifically highlighted the risks associated with internet-exposed PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) systems, HMIs (Human-Machine Interfaces), and industrial IoT devices. The attacks did not involve the use of sophisticated malware or advanced persistent threat (APT) techniques. Instead, the threat actors exploited misconfigurations and weak security practices, such as default or weak credentials and lack of multi-factor authentication.
No specific malware, custom tools, or exploit frameworks were identified in these incidents. The Canadian Centre for Cyber Security noted that ICS malware is not typically associated with hacktivist threats in these cases, and there was no evidence of known malware families such as TRITON, Industroyer, or BlackEnergy being used. The primary attack vector was exploitation of misconfigured or poorly secured ICS/OT devices accessible from the internet.
The threat actors were classified as hacktivists, defined as individuals or groups who conduct cyberattacks for publicity, disruption, or to undermine trust in authorities, rather than for financial or geopolitical gain. The Canadian authorities did not attribute the incidents to a specific group. However, the context of the advisory references similar global activity by groups such as the Cyber Army of Russia Reborn (CARR) and CyberAv3ngers, which have targeted critical infrastructure in other countries. In the Canadian cases, the attacks were opportunistic, targeting small to mid-sized organizations with internet-exposed ICS/OT, and were not highly planned or technically advanced.
The attacks can be mapped to the MITRE ATT&CK for ICS framework as follows: Initial Access was achieved via exploitation of public-facing applications (T0886) and potentially valid accounts (T0812) if default or weak credentials were used. Execution may have involved command-line interfaces (T0803) or web-based management interfaces. The attackers impaired process control by manipulating control parameters (T0831), resulting in loss of availability (T0882) and loss of control (T0883) over critical processes.
The evidence supporting these findings is based on explicit statements from the Canadian Centre for Cyber Security and corroborated by independent reporting from BleepingComputer and The Record by Recorded Future News. No technical artifacts such as malware samples, forensic images, or network captures were reported or analyzed. Attribution to hacktivists is based on observed behavior, sector targeting, and intent, rather than technical indicators.
Affected Versions & Timeline
The incidents affected three separate facilities in Canada: a municipal water treatment plant, an oil and gas company, and an agricultural grain drying operation. The specific products, vendors, or software versions involved were not disclosed by authorities. The attacks occurred in the weeks leading up to the public advisories issued on October 29 and 30, 2025. The Canadian Centre for Cyber Security has been monitoring and updating its guidance on threats to OT and ICS since at least December 2021, with ongoing updates reflecting the evolving threat landscape.
The timeline of reported incidents is as follows: In the first incident, hackers tampered with water pressure values at a water facility, resulting in degraded service for the community. In the second incident, an ATG at an oil and gas company was manipulated, triggering false alarms. In the third incident, temperature and humidity levels in a grain drying silo were altered, creating potentially unsafe conditions. No catastrophic consequences or data exfiltration were reported in any of the incidents. The attacks were detected and mitigated before causing severe damage.
Threat Activity
The threat activity observed in these incidents is characterized by opportunistic exploitation of internet-exposed ICS and OT devices. The attackers did not demonstrate advanced technical capabilities or use custom malware. Instead, they relied on scanning for exposed systems, exploiting weak or default credentials, and manipulating process parameters through available interfaces. The primary motivation appears to be disruption, publicity, and undermining trust in authorities, consistent with hacktivist objectives.
The Canadian Centre for Cyber Security and The Record both emphasize that many smaller utilities, farms, and manufacturers continue to operate poorly secured internet-connected systems, making them attractive targets for opportunistic attackers. The attacks did not involve data theft or ransomware, and there is no evidence of state-sponsored activity in these specific cases. However, the broader context includes references to similar attacks by Russian and Iranian-linked groups targeting critical infrastructure in other countries.
The pattern of targeting—focusing on water utilities, oil and gas companies, and agricultural operations—reflects the attackers' intent to disrupt essential services and generate media attention. The lack of sophistication in the attack methods suggests that many other organizations with similar vulnerabilities could be at risk.
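The threat activity described above, writes to process parameters from hosts that should never issue them, is detectable at the network layer even without malware signatures. The following is an added example, not code from the advisory or from Rescana: it parses Modbus/TCP request frames, classifies the function code as a read or a write, and raises findings when a write comes from a host outside a hypothetical engineering-workstation allowlist, from an address outside the RFC 1918 ranges the OT network is assumed to use, or when a hypothetical pressure setpoint register (address 100, safe band 300 to 600 kPa) is pushed outside its band. The three sample frames are constructed for illustration.

```python
"""Detect process-manipulating Modbus/TCP writes in captured traffic.

Added example (not from the advisory or Rescana): the register address,
safety band, allowlist and sample frames below are all constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change process state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Hypothetical allowlist: only the engineering workstation may issue writes.
ALLOWED_WRITERS = {ipaddress.ip_address("10.20.0.10")}

# Address space the OT network is assumed to use (RFC 1918); anything else
# reaching the PLC means the device is exposed beyond the plant network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical pressure setpoint register and its engineering safe band (kPa).
SETPOINT_REGISTER = 100
SETPOINT_BAND = (300, 600)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # start address for FC 5/6/15/16
    word: Optional[int]      # value for FC 5/6, quantity for FC 15/16


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the leading PDU fields of one request.

    MBAP layout: transaction id (2), protocol id (2, always 0),
    length (2, count of bytes that follow it), unit id (1); then the PDU,
    whose first byte is the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    address = word = None
    if fc in WRITE_FUNCTION_CODES and len(frame) >= 12:
        address, word = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, uid, fc, address, word)


def assess_request(src: str, frame: bytes) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    req = parse_modbus_tcp(frame)
    findings: List[str] = []
    if req.function_code not in WRITE_FUNCTION_CODES:
        return findings  # reads are routine HMI/historian polling
    name = WRITE_FUNCTION_CODES[req.function_code]
    src_ip = ipaddress.ip_address(src)
    if src_ip not in ALLOWED_WRITERS:
        findings.append(f"{name} from non-allowlisted host {src}")
    if not any(src_ip in net for net in INTERNAL_NETS):
        findings.append(f"write from external address {src}: device reachable beyond the OT network")
    if req.function_code == 6 and req.address == SETPOINT_REGISTER:
        lo, hi = SETPOINT_BAND
        if not lo <= req.word <= hi:
            findings.append(f"setpoint register {req.address} set to {req.word}, outside safe band {lo}-{hi}")
    return findings


# Constructed sample traffic: (source IP, raw Modbus/TCP request).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    # HMI reads 10 holding registers from address 0: routine polling.
    ("10.20.0.50", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation writes setpoint 450 kPa: allowed and in band.
    ("10.20.0.10", bytes.fromhex("0002 0000 0006 01 06 0064 01c2")),
    # Unknown external host writes setpoint 950 kPa: three findings.
    ("203.0.113.45", bytes.fromhex("0003 0000 0006 01 06 0064 03b6")),
]


def run_detection(traffic=SAMPLE_TRAFFIC) -> List[List[str]]:
    """Assess every request and return the findings per request, in order."""
    return [assess_request(src, frame) for src, frame in traffic]


if __name__ == "__main__":
    for (src, _), findings in zip(SAMPLE_TRAFFIC, run_detection()):
        print(src, findings or "ok")
```

The length check against the MBAP header matters in practice: a frame whose declared length disagrees with the bytes on the wire is either corrupt or deliberately malformed, and silently parsing it would hide exactly the traffic an operator wants to see. In a real deployment the allowlist, register map and safe band come from the plant's own engineering documentation rather than the constructed values here.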
Mitigation & Workarounds
The Canadian Centre for Cyber Security and other authorities recommend several critical mitigation measures to reduce the risk of similar incidents. Organizations should inventory and assess all internet-accessible ICS devices and remove direct internet exposure wherever possible. Network segmentation should be implemented to isolate ICS/OT from corporate IT networks and the public internet. Strong authentication, including multi-factor authentication, should be enforced for all remote access to ICS/OT systems.
Additional recommended controls include the use of VPNs with two-factor authentication, deployment of intrusion prevention systems (IPS), regular vulnerability management, and periodic penetration testing to identify and remediate security gaps. Organizations should follow vendor and Cyber Centre guidance, including the Cyber Security Readiness Goals (CRGs), and ensure that all ICS component firmware and software are kept up to date to address known vulnerabilities.
Incident response plans should be reviewed and tested, and staff should be trained to recognize and report suspicious activity. All suspicious activity should be reported to the appropriate authorities, including the Canadian Centre for Cyber Security and local law enforcement, to support coordinated investigations and response efforts.
The most critical mitigation is the immediate removal of direct internet exposure for all ICS/OT devices, followed by the implementation of strong authentication and network segmentation. These measures address the primary attack vectors exploited in the reported incidents and are essential for reducing the risk of future attacks.
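The mitigation steps above (inventory internet-accessible ICS devices, remove direct exposure, segment, enforce MFA on remote access, keep firmware current) can be turned into an assessment that ranks assets by how far they sit from those controls. The following is an added example, not code from the advisory, the Cyber Centre or Rescana: it walks a constructed inventory of three assets, flags ICS service ports reachable on an address outside the RFC 1918 ranges the OT network is assumed to use, flags remote access that lacks a VPN or MFA, non-OT zone placement and stale firmware, and orders the assets so remediation starts with the worst. The zone names, remote-access categories and asset records are all assumptions.

```python
"""Prioritize ICS/OT assets by distance from the recommended controls.

Added example (not from the advisory or Rescana): asset records, zone
names and remote-access categories are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP ports commonly associated with ICS services; any of these reachable
# from outside the OT zone is a finding.
ICS_SERVICE_PORTS: Dict[int, str] = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    10001: "tank gauge serial-over-TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Address space the OT network is expected to use (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Asset:
    name: str
    ip: str
    open_ports: List[int]
    zone: str             # "ot" means a segmented OT zone; anything else is not
    remote_access: str    # "none", "vpn_mfa", "vpn", or "direct"
    firmware_current: bool


def assess_asset(asset: Asset) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one asset, worst first."""
    findings: List[Tuple[str, str]] = []
    addr = ipaddress.ip_address(asset.ip)
    exposed = [ICS_SERVICE_PORTS[p] for p in asset.open_ports if p in ICS_SERVICE_PORTS]
    if exposed and not any(addr in net for net in INTERNAL_NETS):
        findings.append(("critical", f"{', '.join(exposed)} reachable on external address {asset.ip}"))
    if asset.remote_access == "direct":
        findings.append(("critical", "remote access without VPN or MFA"))
    elif asset.remote_access == "vpn":
        findings.append(("high", "VPN access lacks multi-factor authentication"))
    if asset.zone != "ot":
        findings.append(("high", f"not in a segmented OT zone (zone={asset.zone!r})"))
    if not asset.firmware_current:
        findings.append(("medium", "firmware/software not at current patch level"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


def prioritize(assets: List[Asset]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Order assets by their worst finding; assets with no findings go last."""
    scored = [(a.name, assess_asset(a)) for a in assets]
    no_findings_rank = len(SEVERITY_RANK)
    return sorted(scored,
                  key=lambda s: SEVERITY_RANK[s[1][0][0]] if s[1] else no_findings_rank)


# Constructed inventory: a PLC on a public address with direct remote access,
# an HMI behind a VPN without MFA, and a tank gauge that meets the controls.
SAMPLE_INVENTORY = [
    Asset("grain-dryer-plc", "198.51.100.23", [502, 80], "flat", "direct", False),
    Asset("water-pressure-hmi", "10.30.1.5", [502, 443], "ot", "vpn", True),
    Asset("tank-gauge-01", "10.30.1.9", [10001], "ot", "vpn_mfa", True),
]


if __name__ == "__main__":
    for name, findings in prioritize(SAMPLE_INVENTORY):
        print(name)
        for severity, text in findings or [("ok", "meets recommended controls")]:
            print(f"  [{severity}] {text}")
```

The ordering puts removal of direct internet exposure and unauthenticated remote access ahead of everything else, matching the advisory's statement that those are the most critical mitigations; segmentation and patch currency follow. Feeding the function from a real asset inventory or an external attack-surface scan, rather than the constructed records here, gives a remediation queue that can be tracked over time.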
References
BleepingComputer: https://www.bleepingcomputer.com/news/security/canada-says-hacktivists-breached-water-and-energy-facilities/ (October 29, 2025)
The Record by Recorded Future News: https://therecord.media/canada-ics-hacktivists-tampering-cyber-centre-alert (October 30, 2025)
Canadian Centre for Cyber Security: https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-operational-technology (December 16, 2021, with ongoing updates)
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their supply chain and operational environments. Our platform enables continuous visibility into the security posture of vendors and partners, supports compliance with industry standards, and facilitates rapid response to emerging threats. For questions about this report or to discuss how Rescana can support your organization's risk management efforts, please contact us at ops@rescana.com.