Two stories define this episode: the US sanctioned Russian hacktivists who breached water facility SCADA systems in Texas, and threat actors wasted no time exploiting the CrowdStrike outage chaos — using fake hotfix emails to drop Remcos RAT and a data wiper against Israeli companies while businesses scrambled to recover from the mass blue screen event.
Stories Covered
US Sanctions Russian Hacktivists Who Breached Texas Water Facility SCADA Systems
The US government sanctioned two members of the Cyber Army of Russia Reborn (CARR) following the group’s January 2024 claims of compromising SCADA (Supervisory Control and Data Acquisition) systems at a US energy firm and manipulating a water storage unit in Texas — with video proof posted publicly. SCADA systems are the industrial control infrastructure behind water treatment, power generation, and manufacturing — they manage sensors, motors, and actuators that control physical processes. Successful manipulation of water treatment SCADA could allow an attacker to alter chemical levels (fluoride, chlorine) or disable safety shutoffs. CARR did not cause major damage in these incidents, but demonstrated access sufficient to warrant Treasury action. Sanctions block US-based property and assets of the designated individuals and prohibit US persons from transacting with them — meaningful pressure even without extradition agreements, as they isolate sanctioned hackers from the US financial system and create legal risk for any international entities that work with them.
CrowdStrike Chaos: Threat Actors Drop Remcos RAT and Data Wiper Using Fake Fix Emails
When CrowdStrike’s July 19, 2024 sensor update triggered a logic error that caused blue screens across millions of Windows hosts worldwide — grounding flights, disrupting hospitals, and taking down banking systems — threat actors immediately launched phishing campaigns masquerading as official remediation. Two distinct campaigns were identified. The first impersonated BBVA bank’s intranet portal, distributing a fake CrowdStrike hotfix that delivered the HijackLoader, which then dropped the Remcos Remote Access Trojan onto affected systems. The second campaign was attributed to the pro-Iranian hacktivist group Handala: emails sent from crowdstrike.com.vc targeted Israeli companies with a PDF claiming to contain a recovery tool, which instead delivered a data wiper that destroyed files and reported activity over Telegram.
The pattern is consistent with how opportunistic threat actors operate during high-profile incidents — chaos reduces vigilance, urgency drives clicks, and the fake fix is exactly what affected users are desperately looking for. CrowdStrike and the UK National Cyber Security Centre both issued warnings during the incident urging victims to verify any communications through official channels only. The actual cause of the outage was a defective update to a CrowdStrike sensor file that modified a Windows host configuration and triggered a crash — a software bug, not a Microsoft vulnerability. The core lesson holds regardless: never run an executable obtained through an unsolicited email or unfamiliar download link, even when the situation feels urgent. Verified remediation instructions were available through CrowdStrike’s official channels throughout the event.
Leave a Reply