Iranian hackers were apparently behind recent attacks on U.S. water plants, according to findings by the government's Cybersecurity and Infrastructure Security Agency (CISA).
CISA, along with the FBI, the NSA, the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD), has published a joint advisory noting that a hacker (or group) going by the alias “CyberAv3ngers” focused on Unitronics programmable logic controllers (PLCs), endpoints commonly used by companies in the Water and Wastewater Systems (WWS) sector.
These devices are also sometimes used in the energy, food and beverage, and healthcare industries, the advisory said.
Measures advised
CyberAv3ngers is apparently affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) and appears to have targeted the PLCs because they are manufactured by an Israeli company.
“Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials on Unitronics devices,” the joint advisory said. “The cyber actors affiliated with the IRGC left a defacement image saying: ‘You have been hacked, down with Israel. Any device “made in Israel” is the legal target of CyberAv3ng.’” The victims extend across several American states.
So far these have only been defacement campaigns and there have been no reports of ransomware being installed.
CISA said all affected endpoints were “publicly on the Internet with default passwords and reside on TCP port 20256 by default.” Going forward, CISA advises all critical infrastructure companies to change all default passwords on Unitronics devices and to ensure the devices are not reachable from the wider internet. Adding multi-factor authentication (MFA) is also useful, as is setting up and maintaining backups.
Other countries also use PLCs from the same manufacturer. Infosecurity reports that the UK's National Cyber Security Centre (NCSC) recently issued an update warning of the potential risk, but added that the risk was most likely “minimal, limited to small providers” and unlikely to affect the country's water supply.
Via Infosecurity Magazine