HARRISBURG, Pa. — Three members of Congress have asked the U.S. Justice Department to investigate how foreign hackers breached a water authority near Pittsburgh, prompting the nation's top cyber defense agency to warn other water and sewage treatment companies that they may be vulnerable.
In a letter released Thursday, U.S. Senators John Fetterman and Bob Casey and U.S. Rep. Chris Deluzio said Americans need to know their drinking water and other basic infrastructure is safe from “nation-state adversaries and terrorist organizations.”
“Any attack on our nation's critical infrastructure is unacceptable,” Fetterman, Casey and Deluzio wrote in their letter to Attorney General Merrick Garland. “If a hack like this can happen here in western Pennsylvania, it can happen anywhere else in the United States.”
The compromised industrial control system was made in Israel, and a photo from the Municipal Water Authority of Aliquippa, Pennsylvania, suggests that the “hackivists” deliberately targeted that facility because of the equipment's link to Israel. The image on the device's screen shows a message from the hackers saying, “Any equipment 'made in Israel' is a legal target of Cyber Av3ngs.”
A group using that name used identical language on X, formerly Twitter, and Telegram on Sunday. The group claimed in an October 30 social media post that they had hacked 10 water treatment plants in Israel, although it is not clear whether they disabled any equipment.
Casey's office said U.S. officials told them they believe Cyber Avengers is indeed behind the attack. Matthew Mottes, chairman of the Aliquippa Water Authority, said federal officials told him hackers had also breached four other utilities and an aquarium.
“We have been told that we are not the only authority in the country affected, but it is believed that we are the first,” Mottes said in an interview.
Leading cybersecurity firms Check Point Research and Google's Mandiant have identified Cyber Av3ngers as hacktivists linked to the Iranian government.
Since the start of the war between Israel and Hamas, the group has expanded and accelerated its targeting of Israel's critical infrastructure, Check Point's Sergey Shykevich said. Iran and Israel were engaged in a low-level cyber conflict ahead of the October 7 Hamas attack on Israel, and cybersecurity experts have said they expected an increase in hacktivism in response to the Israeli attacks in Gaza.
The device hacked in Pennsylvania was made by Israel-based Unitronics, according to the U.S. Cybersecurity and Infrastructure Security Agency. It is known as a programmable logic controller and is used in a broad spectrum of industries, including water and sewage treatment companies, electric utilities, and oil and gas producers. According to the manufacturer, it regulates processes such as pressure, temperature and fluid flow.
Unitronics did not respond to questions about what other facilities with its equipment may have been hacked or may be vulnerable.
Experts say many water utilities have not paid enough attention to cybersecurity.
In Pennsylvania, the hack prompted the water board to temporarily stop pumping Saturday at a remote station that regulates water pressure for customers in two nearby cities. Crews took the system offline and switched it to manual operation, officials said.
The attack came less than a month after a federal appeals court decision prompted the Environmental Protection Agency to rescind a rule that required U.S. public water systems to include cybersecurity testing in their regular federally mandated audits. The reversal was prompted by a federal appeals court decision in a case brought by Missouri, Arkansas and Iowa, and joined by a water utility trade group.
The Biden administration has sought to strengthen the cybersecurity of critical infrastructure – more than 80% of which is privately owned – and has imposed regulations on sectors such as electric utilities, gas pipelines and nuclear facilities. But many experts complain that too many vital industries are allowed to regulate themselves.
In its warning Tuesday, the U.S. cybersecurity agency said attackers likely breached the Unitronics device “by exploiting cybersecurity weaknesses, including poor password security and Internet exposure.”
Mottes said he does not know how the Aliquippa device was hacked, but that he trusted the federal agency's judgment.