SUMMARY. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, and the Israel National Cyber Directorate (hereafter referred to as "the authoring agencies") are disseminating this joint Cybersecurity Advisory to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps-affiliated Advanced Persistent Threat cyber actors.
IRGC-affiliated cyber actors using the persona "CyberAv3ngers" are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers.
These PLCs are commonly used in the Water and Wastewater Systems Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare.
The PLCs may be rebranded and appear as different manufacturers and companies.
In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise and tactics, techniques, and procedures associated with IRGC cyber operations.
Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices.
The IRGC-affiliated cyber actors left a defacement image stating, "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." The victims span multiple U.S. states.
The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.
CyberAv3ngers is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.
Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs. The threat actors compromised Unitronics Vision Series PLCs with human-machine interfaces (HMIs).
It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved.
The authoring agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel.
Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs because the PLCs were internet-facing and used Unitronics' default password.
CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.
Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI, likely by compromising internet-accessible devices with default passwords.
The targeted PLCs displayed the defacement message, "You have been hacked, down with Israel. Every equipment 'made in Israel' is Cyberav3ngers legal target."
INDICATORS OF COMPROMISE. See Table 1 for observed IOCs related to CyberAv3nger operations.
Threat actors obtained login credentials that allowed them to log into Unitronics devices successfully with root-level access.
MITIGATIONS. The authoring agencies recommend critical infrastructure organizations, including WWS sector facilities, implement the following mitigations to improve your organization's cybersecurity posture to defend against CyberAv3ngers activity.
The cyber threat actors likely accessed the affected devices (Unitronics Vision Series PLCs with HMI) by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.
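The internet exposure described above is something a WWS operator can check for in their own perimeter logs. The following is an added example, not part of the advisory: it scans constructed firewall log lines for accepted inbound connections to inventoried Unitronics Vision PLCs (including rebranded units recorded under their underlying platform) that originate outside the plant's trusted source ranges. The asset inventory, trusted networks, log format and all addresses are assumptions constructed for the example.

```python
"""Flag accepted connections to PLC assets from sources outside trusted ranges.

Added example, not code from the advisory. Inventory, trusted networks,
log format and addresses below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed asset inventory keyed by the PLC's IP address. A rebranded
# unit is recorded under the Unitronics platform it is built on.
PLC_ASSETS = {
    "203.0.113.10": {"name": "lift-station-3", "platform": "Unitronics Vision"},
    "192.168.20.15": {"name": "chlorine-dosing", "platform": "Unitronics Vision"},
}

# Constructed: the plant LAN and the VPN address pool are the only sources
# that should ever reach a PLC's HMI.
TRUSTED_SOURCES = [ipaddress.ip_network("192.168.0.0/16"),
                   ipaddress.ip_network("10.8.0.0/24")]

# Constructed log format: "<timestamp> ACCEPT|DROP src=<ip> dst=<ip> dpt=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")


def is_trusted(src: str) -> bool:
    """True if src parses as an address inside a trusted range; malformed values are untrusted."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_SOURCES)


def find_external_plc_access(lines):
    """Return {plc_name: [source_ip, ...]} for accepted connections to PLCs from untrusted sources."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":   # unparseable or blocked: nothing reached the PLC
            continue
        asset = PLC_ASSETS.get(m["dst"])
        if asset is None or is_trusted(m["src"]):
            continue
        hits[asset["name"]].append(m["src"])
    return dict(hits)


# Constructed sample log; port values are part of the format only and are not checked.
SAMPLE_LOG = [
    "2023-11-25T03:12:44Z ACCEPT src=198.51.100.7 dst=203.0.113.10 dpt=20256",
    "2023-11-25T03:12:51Z ACCEPT src=192.168.20.40 dst=192.168.20.15 dpt=20256",
    "2023-11-25T03:13:02Z DROP src=198.51.100.7 dst=192.168.20.15 dpt=20256",
    "2023-11-25T03:13:30Z ACCEPT src=10.8.0.5 dst=203.0.113.10 dpt=20256",
    "2023-11-25T03:14:01Z ACCEPT src=198.51.100.7 dst=203.0.113.99 dpt=80",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    print(find_external_plc_access(SAMPLE_LOG))
```

Any PLC that appears in the output is reachable from outside the trusted ranges and is a candidate for the internet-exposure and credential mitigations this advisory addresses.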
This Cyber News was published on www.cisa.gov. Publication date: Sat, 02 Dec 2023 03:05:16 +0000