Pro-Iran Attackers Access Multiple Water Facility Controllers

December 4, 2023 at 01:05PM

Iran-linked CyberAv3ngers hacked US infrastructure, compromising programmable logic controllers in multiple states. The FBI-led interagency alert followed a Pennsylvania water authority breach and warned of potential disruption to control systems in critical utilities. The attackers exploited weak security and had access undetected for around 10 days, prompting urgent calls for system evaluations.

Meeting Takeaways:

1. **Attack on U.S. Infrastructure by Iran-Affiliated Group**: There has been a breach in the critical infrastructure across several U.S. states due to an attack by a group with ties to Iran, specifically targeting programmable logic controllers (PLCs).

2. **Agencies Issuing the Warning**: The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate have all issued warnings regarding the security breach.

3. **Recent Hacking Incident**: An attack was reported on a Pennsylvania water authority, naming the CyberAv3ngers threat group as the perpetrator, who infiltrated Unitronics Vision Series PLCs.

4. **CyberAv3ngers’ Affiliation and Motivation**: It’s believed that the CyberAv3ngers are linked to the Islamic Revolutionary Guard Corps (IRGC) of the Iranian Government. Their attacks appear to be politically motivated, targeting Unitronics PLCs because they contain Israeli-owned components.

5. **Scope of the Attack**: The alert from the agencies indicates that the cyber-attacks have impacted more than just Pennsylvanian facilities. Since November 22, the cyber actors have accessed multiple American facilities using Unitronics PLCs with human-machine interfaces, likely by exploiting devices still configured with default passwords.

6. **Duration and Risk of the Attack**: The attackers may have had access for over ten days. The compromise of these devices—often connected to the internet for remote operation—posed a significant risk of shutting down operational technology that controls utilities and other industrial facilities.

7. **Vulnerability Details**: The devices are typically exposed on TCP port 20256 and susceptible to being made inoperative by such cyber-attacks.

8. **Advisory to Organizations**: Despite uncertainty about how deeply the attackers infiltrated the PLCs, the agencies advise any organizations using these controllers to assess and secure their systems immediately.

Organizations running these PLCs should be alerted to examine their security measures, check for possible breaches, and update passwords from the default settings to prevent further possible exploits.
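As an added example (not from the article or the agencies' alert), the Python script below runs the exposure check implied by the advisory over constructed firewall log lines: it flags allowed TCP connections to port 20256 on a PLC that come from addresses outside the assumed internal ranges. The key=value log format and the internal address ranges are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample lines in a simple key=value firewall log format
# (an assumption for this example, not any specific vendor's format).
SAMPLE_LOG = """\
2023-11-22T03:14:07Z action=allow proto=tcp src=203.0.113.45 sport=51234 dst=10.20.30.5 dport=20256
2023-11-22T03:14:09Z action=allow proto=tcp src=10.20.30.17 sport=44100 dst=10.20.30.5 dport=20256
2023-11-22T03:15:02Z action=allow proto=tcp src=198.51.100.9 sport=60001 dst=10.20.30.5 dport=443
2023-11-22T03:16:41Z action=allow proto=tcp src=198.51.100.9 sport=60002 dst=10.20.30.6 dport=20256
2023-11-22T03:17:00Z action=deny proto=tcp src=192.0.2.77 sport=40000 dst=10.20.30.6 dport=20256
garbage line that should be skipped
"""

PLC_TCP_PORT = 20256  # the port the advisory says these PLCs typically expose

# Address ranges treated as internal; adjust to the site's own plan (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def is_internal(addr):
    """True if addr falls inside one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_plc_access(log_text):
    """Return (timestamp, src, dst) tuples for allowed TCP connections to
    PLC_TCP_PORT from sources outside INTERNAL_NETS, i.e. the internet
    exposure the advisory warns about."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash
        if m["action"] != "allow" or m["proto"] != "tcp":
            continue  # denied or non-TCP traffic is not an exposure
        if int(m["dport"]) != PLC_TCP_PORT:
            continue
        if is_internal(m["src"]):
            continue  # engineering-station traffic from inside the plant
        hits.append((m["ts"], m["src"], m["dst"]))
    return hits

if __name__ == "__main__":
    for ts, src, dst in find_external_plc_access(SAMPLE_LOG):
        print(f"{ts}: external {src} reached PLC {dst} on TCP/{PLC_TCP_PORT}")
```

Any hit is a controller reachable from outside the plant network and is a candidate for the password change and network isolation the advisory recommends.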
