IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities

SUMMARY. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, and the Israel National Cyber Directorate-hereafter referred to as "The authoring agencies"-are disseminating this joint Cybersecurity Advisory to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps-affiliated Advanced Persistent Threat cyber actors.
IRGC-affiliated cyber actors using the persona "CyberAv3ngers" are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers.
These PLCs are commonly used in the Water and Wastewater Systems Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare.
The PLCs may be rebranded and appear as different manufacturers and companies.
In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise and tactics, techniques, and procedures associated with IRGC cyber operations.
Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices.
The IRGC-affiliated cyber actors left a defacement image stating, "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." The victims span multiple U.S. states.
The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.
CyberAv3ngers is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.
Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs. The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces.
It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved.
The authoring agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel.
Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics' default password.
CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.
Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords.
The targeted PLCs displayed the defacement message, "You have been hacked, down with Israel. Every equipment 'made in Israel' is Cyberav3ngers legal target." INDICATORS OF COMPROMISE. See Table 1 for observed IOCs related to CyberAv3nger operations.
Threat actors obtained login credentials, which they used to successfully log into Unitronics devices and provide root-level access.
MITIGATIONS. The authoring agencies recommend critical infrastructure organizations, including WWS sector facilities, implement the following mitigations to improve your organization's cybersecurity posture to defend against CyberAv3ngers activity.
The cyber threat actors likely accessed the affected devices-Unitronics Vision Series PLCs with HMI-by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.


This Cyber News was published on www.cisa.gov. Publication date: Sat, 02 Dec 2023 03:05:16 +0000


Cyber News related to IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities

IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities - SUMMARY. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, and the Israel National Cyber Directorate-hereafter referred to as "The authoring agencies"-are ...
10 months ago Cisa.gov
Water services giant Veolia North America hit by ransomware attack - Veolia North America, a subsidiary of transnational conglomerate Veolia, disclosed a ransomware attack that impacted systems part of its Municipal Water division and disrupted its bill payment systems. After detecting the attack, Veolia has ...
8 months ago Bleepingcomputer.com
US Authorities Identify Iranian Connection in Recent Cybersecurity Breaches - It has been announced that six Iranian officials have been sanctioned by the U.S. Department of Treasury's Office of Foreign Assets Control, the Iranian government organization responsible for the series of malicious cyber activities directed against ...
8 months ago Cysecurity.news
ICS at Multiple US Water Facilities Targeted by Hackers Affiliated With Iranian Government - The hackers behind recent cyberattacks targeting industrial control systems at water facilities in the US are affiliated with the Iranian government, according to security agencies in the United States and Israel. The FBI, CISA, the NSA, the EPA and ...
10 months ago Securityweek.com
States and Congress Wrestle With Cybersecurity After Iran Attacks Small Town Water Utilities - The tiny Aliquippa water authority in western Pennsylvania was perhaps the least-suspecting victim of an international cyberattack. Then it - along with several other water utilities - was struck by what federal authorities say are Iranian-backed ...
9 months ago Securityweek.com
Hackers breach US water facility via exposed Unitronics PLCs - CISA is warning that threat actors breached a U.S. water facility by hacking into Unitronics programmable logic controllers exposed online. PLCs are crucial control and management devices in industrial settings, and hackers compromising them could ...
10 months ago Bleepingcomputer.com
Florida water agency latest to confirm cyber incident as feds warn of nation-state attacks - A regulatory agency in Florida that oversees the long-term supply of drinking water confirmed that it responded to a cyberattack over the last week as the top cybersecurity agencies in the U.S. warned of foreign attacks on water utilities. The agency ...
10 months ago Therecord.media
CyberAv3ngers hit Unitronics PLCs at multiple US-based water facilities - Iran-affiliated attackers CyberAv3ngers continue to exploit vulnerable Unitronics programmable logic controllers, US and Israeli authorities have said in a joint cybersecurity advisory. CyberAv3ngers targeting Unitronics PLCs. CISA has recently ...
10 months ago Helpnetsecurity.com
Cyberattack on Irish Utility Cuts Off Water Supply for Two Days - An attack launched by hackers last week against the systems of a small water utility in Ireland interrupted the water supply for two days. The cyberattack was reported by a local newspaper, Western People, and technical details are murky. The attack ...
10 months ago Packetstormsecurity.com
Congressmen Ask DOJ to Investigate Water Utility Hack, Warning It Could Happen Anywhere - Three members of Congress have asked the U.S. Justice Department to investigate how foreign hackers breached a water authority near Pittsburgh, prompting the nation's top cyberdefense agency to warn other water and sewage-treatment utilities that ...
10 months ago Securityweek.com
What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
1 week ago Cyberdefensemagazine.com
Cybersecurity agency warns that water utilities are vulnerable to hackers after Pennsylvania attack - HARRISBURG, Pa. - Hackers are targeting industrial control systems widely used by water and sewage-treatment utilities, potentially threatening water supplies, the top U.S. cyberdefense agency said after a Pennsylvania water authority was hacked. The ...
10 months ago Abcnews.go.com
DOE Puts Up $70 Million to Secure US Energy Infrastructure - The federal government will spend as much as $70 million for technologies that will create a more resilient energy delivery infrastructure that is better protected against a range of threats, including from cybercriminals. The U.S. Department of ...
9 months ago Securityboulevard.com
Cyber Av3ngers gang hacks industrial controllers across multiple US states - U.S. federal agencies have confirmed the Iranian threat group that breached a Pennsylvanian water authority pump station controller also compromised similar systems at facilities in other states. The Municipal Water Authority of Aliquippa was forced ...
10 months ago Packetstormsecurity.com
UK water company that serves millions confirms system attack The Register - Scans of identity documents such as passports and driving licenses. Documents that appear to be HR-related, displaying the personal data of what could be customers, including home address, office address, dates of birth, nationalities, and email ...
8 months ago Theregister.com
Breaches by Iran-Affiliated Hackers Spanned Multiple U.S. States, Federal Agencies Say - A small western Pennsylvania water authority was just one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made, U.S. and Israeli authorities ...
10 months ago Securityweek.com
Greater Paris wastewater agency dealing with cyberattack - The organization that manages wastewater for nine million people in and around Paris was hit with a cyberattack on Friday. Service public de l'assainissement francilien - known by its acronym SIAAP - manages nearly 275 miles of pipes throughout four ...
10 months ago Therecord.media
Cyberattack Defaces Israeli-Made Equipment at US Water Agency, Brewing Firm - The targets included the Equipment used by the Municipal Water Authority of Aliquippa, Pennsylvania and Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment. U.S. officials have attributed a cyberattack on the ...
10 months ago Hackread.com
Iran terrorist crew broke into 'multiple' US water systems The Register - The US designated the IRGC as a foreign terrorist organization in 2019. The gang did not need sophisticated tactics to run this attack: the joint advisory suggests Cyberav3ngers likely broke into US-based water facilities by using default passwords ...
10 months ago Go.theregister.com
Cyber Insights 2023: The Geopolitical Effect - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. The Russia/Ukraine war that started in early 2022 has been mirrored by a ...
1 year ago Securityweek.com
Pro-Iran Attackers Access Multiple Water Facility Controllers - Critical infrastructure in multiple US states may have been compromised by Iran-affiliated attackers targeting programmable logic controllers. A warning from the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, the ...
10 months ago Darkreading.com
Two-day water outage in remote Irish region caused by pro-Iran hackers - Residents of a remote area on Ireland's west coast were left without water last week due to a cyberattack perpetrated by a pro-Iran hacking group targeting a piece of equipment the hackers complained was made in Israel. The incident affected a ...
10 months ago Therecord.media
Ransomware gang targets nonprofit providing clean water to world's poorest - Water for People, a nonprofit that aims to improve access to clean water for people whose health is threatened by a lack of it for drinking and sanitation, is the latest organization to have been hit by ransomware criminals. The ...
8 months ago Therecord.media
Cyberattack on Pennsylvania Water Authority Disrupts OT Gear - This past weekend, the Aliquippa Municipal Water Authority, located in Pittsburgh, experienced a cyberattack after one of its booster stations was hacked by an Iranian-backed cyber group. The threat group, known as Cyber Av3ngers, hacked a system ...
10 months ago Darkreading.com
Cyber Insurance for Businesses: Navigating Coverage - To mitigate these risks, many businesses opt for cyber insurance. With the wide range of policies available, navigating the world of cyber insurance can be overwhelming. In this article, we will delve into the complexities of cyber insurance and ...
8 months ago Securityzap.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)