Dive Brief:
- Hackers affiliated with Iran’s Islamic Revolutionary Guard Corps are behind a series of attacks targeting devices used in U.S. water and wastewater facilities, the FBI and Cybersecurity and Infrastructure Security Agency warned in a joint advisory with Israel and other U.S. agencies on Friday.
- The threat group, operating under the name Cyber Av3ngers, is targeting Israeli-made Unitronics Vision Series programmable logic controllers, which are used in water and wastewater plants alongside other sectors, including energy, healthcare and food and beverage manufacturing.
- Authorities said that since at least Nov. 22 the hackers have compromised devices that use default credentials, leaving defacement messages, and could potentially render them inoperable. At least a half dozen facilities across the U.S. have been impacted, according to a source familiar with the attacks.
Dive Insight:
The attacks arrive against a backdrop of heightened concerns about water and wastewater security in the U.S. The security of public drinking water and other water facilities has been a major focus of CISA and the Environmental Protection Agency, which attempted to implement mandatory water system audits in March but later had to withdraw the plan after a legal challenge.
Cyber Av3ngers has been linked to the late November attack against the Municipal Water Authority of Aliquippa in Pennsylvania. The hackers have targeted Israel since 2020 and have a history of making exaggerated and false claims about attacks against critical infrastructure, according to authorities.
“Even if they shut down water at these sites, their goal would be the same,” John Hultquist, chief analyst at Mandiant Intelligence, a Google Cloud unit, said via email. “They are trying to undermine our sense of security. It doesn’t really matter whether they do that through expertise or exaggeration.”
There are more than 1,800 Unitronics PLC devices exposed to the internet worldwide, according to research released by Forescout Wednesday. Dozens of them are exposed in several U.S. locations, including Chicago, Dallas and Chesterfield, S.C.
Researchers at Shadowserver reported 539 Unitronics instances still exposed as of Saturday.
Organizations using these devices should immediately change any default passwords, disconnect the PLC from the public-facing internet and implement multifactor authentication to protect access to the OT network.
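The three mitigations above are easy to state and easy to lose track of across a plant's asset list. The following script, added here as an illustration and not part of the advisory or of any vendor tooling, audits a constructed asset inventory against a constructed first-match firewall ruleset and reports PLCs that are still reachable from the internet, still on vendor default credentials, or reachable over a remote-access path without multifactor authentication. The rule model, the asset fields, the IP addresses and the management port number are all assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str               # "allow" or "deny"; the first matching rule wins
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    dport: Optional[int] = None  # destination TCP port; None matches any port

@dataclass
class Asset:
    name: str
    ip: str
    mgmt_port: int            # port the PLC's management interface listens on (assumed value below)
    default_creds: bool       # True if the vendor default password is still set
    mfa_on_remote_access: bool  # True if every remote path into the OT network enforces MFA

# Stand-in for "an arbitrary host on the public internet". 198.51.100.0/24 is a
# documentation range (RFC 5737), so it never collides with real infrastructure.
EXTERNAL_PROBE = "198.51.100.7"

def rule_matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """Return True if this rule applies to the given flow."""
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == port)
    )

def is_internet_reachable(rules: List[Rule], asset: Asset, default_action: str = "deny") -> bool:
    """First-match evaluation: would a packet from an internet host reach the PLC's management port?"""
    for rule in rules:
        if rule_matches(rule, EXTERNAL_PROBE, asset.ip, asset.mgmt_port):
            return rule.action == "allow"
    return default_action == "allow"   # no rule matched, so the policy default decides

def audit(rules: List[Rule], assets: List[Asset], default_action: str = "deny") -> List[str]:
    """Produce one finding per unmet mitigation for every asset."""
    findings = []
    for a in assets:
        if is_internet_reachable(rules, a, default_action):
            findings.append(f"{a.name}: management port {a.mgmt_port} is reachable from the internet")
        if a.default_creds:
            findings.append(f"{a.name}: vendor default credentials are still in use")
        if not a.mfa_on_remote_access:
            findings.append(f"{a.name}: remote access into the OT network lacks multifactor authentication")
    return findings

# Constructed sample data. 9999 is a placeholder port, not the real PLC protocol port.
RULES = [
    Rule("allow", "10.0.0.0/8", "10.20.0.0/24"),        # plant LAN may reach the PLC VLAN
    Rule("allow", "0.0.0.0/0", "10.20.0.5/32", 9999),   # forgotten "temporary" vendor access (constructed)
    Rule("deny", "0.0.0.0/0", "10.20.0.0/24"),          # everything else from anywhere is blocked
]
ASSETS = [
    Asset("plc-intake-1", "10.20.0.5", 9999, default_creds=True, mfa_on_remote_access=False),
    Asset("plc-chlorine-2", "10.20.0.6", 9999, default_creds=False, mfa_on_remote_access=True),
]

if __name__ == "__main__":
    for line in audit(RULES, ASSETS):
        print(line)
```

Run against the constructed data, the script reports three findings for plc-intake-1 (the overly broad allow rule on line two of the ruleset, default credentials and missing MFA) and none for plc-chlorine-2. The point of encoding the firewall policy rather than eyeballing it is that a single stale "any source" rule hiding among many legitimate ones is exactly what turns a PLC into one of the internet-exposed devices counted by Forescout and Shadowserver.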
Between Sept. 13 and Oct. 30, Cyber Av3ngers claimed on a Telegram channel numerous attacks against critical infrastructure in Israel. Many of those claims were false, according to the advisory, though others were legitimate.
The water and wastewater sector has already documented multiple attacks in recent weeks. A separate suspected ransomware attack, linked to the Daixin Team threat group, was reported in North Texas last month.
An October ransomware attack against Atlanta-based Mueller Water Products disrupted the company’s operations and delayed its earnings report for the fiscal year ending Sept. 30. The company said Wednesday it had finally contained the incident and would report its fiscal 2023 earnings no later than Dec. 14, according to a filing with the Securities and Exchange Commission.
Camden, N.J.-based American Water, the nation’s largest regulated water and wastewater utility, said it was not impacted by the attacks, but “has taken several steps to help maintain the security of our systems,” and has worked with local, state and federal officials to prepare against potential threats.
“We recognize cyber threats' sophistication and focus on understanding and minimizing impact if a breach occurs by constantly testing our cyber response protocols,” a company spokesperson said via email.