The Cybersecurity and Infrastructure Security Agency (CISA) – along with the National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) – has released a new cybersecurity advisory warning of continued Iranian-backed cyberattacks aimed at American and Israeli water and wastewater systems (WWS).
The attacks have come from a hostile hacking group known as the CyberAv3ngers, which has been exploiting Unitronics Vision Series programmable logic controllers (PLCs), devices commonly used in the WWS sector.
“These [Iranian Government Islamic Revolutionary Guard Corps] IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices,” the cybersecurity and intelligence agencies said.
The cyber culprits have left images on the PLCs’ screens stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
Most recently, the attacks have been targeting facilities in multiple U.S. states, including the municipal water authority in Aliquippa, Pa., which reported it was compromised on Nov. 25.
The malicious actors have also claimed to have attacked 10 different water treatment facilities in Israel on Oct. 30.
“The authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics’ default password,” stated the agencies.
The advisory warns that other potential targets must take urgent action to mitigate malicious activity by implementing multifactor authentication, using strong passwords, and checking PLCs for default passwords.
According to the advisory, “These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).”
“The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment,” stated the agencies.
“It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities,” added the agencies.
The advisory concludes by encouraging water facilities to exercise and test their cybersecurity capabilities “to improve [their] organization’s cybersecurity posture to defend against CyberAv3ngers activities.”