Iran terrorist crew broke into 'multiple' US water systems - The Register

The US designated the IRGC as a foreign terrorist organization in 2019.
The gang did not need sophisticated tactics to run this attack: the joint advisory suggests Cyberav3ngers likely broke into US-based water facilities by using default passwords for internet-accessible PLCs. The alert was issued just days after CISA said it was investigating a cyberattack against a Pennsylvania water authority by the IRGC-backed crew, which forced operators to switch a pumping station to manual control.
The compromised system at the Municipal Water Authority of Aliquippa displayed a warning that the intruders would be targeting Israeli-made gear because of the ongoing Israel-Hamas war.
It turns out that Aliquippa wasn't the only entity under attack.
These PLCs, which are also used in other industries such as energy, food and beverage manufacturing, and health care, may be rebranded - so the number of exploits and the scope of the threat remain unclear.
During the Monday press briefing, Goldstein urged organizations across all sectors to take a couple of basic steps to secure their operational technology environments: don't expose PLCs to the open internet, and don't use default passwords.
A Shodan search on Monday indicates 211 Unitronics devices are connected to the internet in the US, and more than 1,800 globally.
At this time, it appears that Cyberav3ngers is the only gang targeting Israel-made gear in US critical infrastructure facilities, according to the Feds.
Check Point said it's tracking three other pro-Iran groups in addition to Cyberav3ngers that also claim to be targeting US organizations in response to the conflict in Gaza.
These include Haghjoyan, a group that emerged when the war began and initially targeted Israel before moving on to hack-and-leak operations and website defacements in the US. Another Iran-linked gang, CyberToufan Group, also said it targeted wholesaler Berkshire eSupply for using Israeli gear, and YareGomnam Team has claimed attacks on US pipeline, electrical systems and CCTV systems at American airports.
The security shop noted that its researchers haven't verified the accuracy of each group's claims.


This Cyber News was published on go.theregister.com. Publication date: Mon, 04 Dec 2023 23:43:05 +0000

