IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities

December 1, 2023 at 09:58PM

The FBI, CISA, NSA, EPA, and the Israel National Cyber Directorate (INCD) issued a joint advisory about Iranian IRGC-affiliated cyber actors targeting operational technology, specifically Israeli-made Unitronics PLCs deployed in critical infrastructure sectors in the US. Since at least November 2023, these actors have exploited poor security practices, chiefly unchanged default passwords on internet-exposed PLCs, to deface device interfaces and potentially disrupt the processes those PLCs control. Mitigations include changing default passwords, removing PLCs from direct internet exposure, and requiring multifactor authentication for remote access to the OT network.

**Key Takeaways from the Joint Cybersecurity Advisory**

1. **Participating Agencies**:
– FBI, CISA, NSA, EPA, INCD jointly issued the Cybersecurity Advisory (CSA).

2. **Significance of the Threat**:
– IRGC-affiliated cyber actors are targeting operational technology, specifically Unitronics Vision Series PLCs, which are used across multiple industries.
– IRGC is designated as a foreign terrorist organization by the US.

3. **Targets and Impacts**:
– Primarily targeting Water and Wastewater Systems (WWS) Sector, with impacts also on energy, food and beverage manufacturing, and healthcare sectors.
– Compromise of default credentials to gain access to devices and deface interfaces with messages against Israel.

4. **Timeline and Actor Behavior**:
– Activity observed since at least November 2023.
– Malicious actions include access using default Unitronics PLC passwords and defacing user interfaces.

5. **Indicators of Compromise (IOCs)**:
– IOCs for CyberAv3ngers activity provided, focusing on Crucio Ransomware and associated IP addresses.

6. **Mitigation Strategies**:
– Immediate recommendations include changing default passwords, removing devices from direct public-internet exposure, requiring multi-factor authentication for remote access, and backing up PLC logic and configuration so a defaced or wiped device can be restored.
– Manufacturers are encouraged to adopt ‘secure by design’ principles.
– Additional security protocols are advocated, including reducing exposure to common system and network discovery techniques.

7. **Resources and Reporting**:
– Various resources on cybersecurity are listed for further guidance.
– Instructions are provided for reporting suspicious or criminal activity associated with the advisory’s content.

8. **Technical Details and Frameworks**:
– Utilization of the MITRE ATT&CK® framework for mapping cyber actor tactics and techniques.
– Specific techniques such as Brute Force (T1110) have been identified; the "T" identifiers in the advisory are ATT&CK techniques, not tactics.

9. **Validating Security Controls**:
– Encouraging routine tests of security programs against MITRE ATT&CK techniques.
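
One way to turn items 5, 8 and 9 above into something testable is a small detector run over PLC-gateway authentication logs. The script below is an added example, not code from the advisory or from any of the issuing agencies; the log format, the field names, the IOC addresses (RFC 5737 documentation ranges standing in for the advisory's real IOC table) and the sample log lines are all constructed for illustration. It flags three things: a connection from an IOC address, a burst of failed logins against one PLC from one source (Brute Force, T1110), and a successful login that immediately follows such a burst, which is what a guessed or default password looks like in the logs.

```python
"""Detection logic for the PLC activity described in the advisory.

Checks performed on each log line:
  - IOC match: source address is in the (constructed) IOC list
  - brute_force_T1110: N failed logins from one source to one PLC within a window
  - success_after_failures: a login success that follows a burst of failures
Log format, IOC addresses and sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed placeholder for the IOC IP addresses in the advisory; not real indicators.
IOC_IPS = {"192.0.2.44", "198.51.100.7"}

# Assumed (hypothetical) gateway log line: "<ISO timestamp> src=<ip> dst=<ip> event=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) event=(?P<event>\w+)$"
)

BRUTE_FORCE_THRESHOLD = 5          # failed logins within the window that count as brute force
SUCCESS_AFTER_FAILURES_MIN = 3     # failures preceding a success that make it suspicious
WINDOW = timedelta(minutes=2)      # sliding window for counting failures


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "event": m["event"],
    }


def _prune(queue, now):
    """Drop failure timestamps that have fallen outside the sliding window."""
    while queue and now - queue[0] > WINDOW:
        queue.popleft()


def analyze(lines):
    """Run the three checks over an iterable of log lines; return alerts in order."""
    alerts = []
    failures = defaultdict(deque)   # (src, dst) -> timestamps of recent login failures
    flagged = set()                 # (src, dst) pairs already alerted as brute force
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # malformed lines are skipped, not trusted
        key = (rec["src"], rec["dst"])
        if rec["src"] in IOC_IPS:
            alerts.append({"kind": "ioc_match", "src": rec["src"], "dst": rec["dst"], "ts": rec["ts"]})
        q = failures[key]
        _prune(q, rec["ts"])
        if rec["event"] == "login_failed":
            q.append(rec["ts"])
            if len(q) >= BRUTE_FORCE_THRESHOLD and key not in flagged:
                flagged.add(key)    # alert once per burst, not on every further failure
                alerts.append({"kind": "brute_force_T1110", "src": rec["src"], "dst": rec["dst"], "ts": rec["ts"]})
        elif rec["event"] == "login_ok":
            if len(q) >= SUCCESS_AFTER_FAILURES_MIN:
                alerts.append({"kind": "success_after_failures", "src": rec["src"], "dst": rec["dst"], "ts": rec["ts"]})
            q.clear()               # a success ends the burst; start counting afresh
            flagged.discard(key)
    return alerts


# Constructed sample log: a password-guessing burst that succeeds, then an IOC
# connection, then a legitimate operator who mistypes once. Addresses are documentation ranges.
SAMPLE_LOG = """\
2023-11-25T03:00:01 src=203.0.113.9 dst=10.10.5.20 event=login_failed
2023-11-25T03:00:03 src=203.0.113.9 dst=10.10.5.20 event=login_failed
2023-11-25T03:00:05 src=203.0.113.9 dst=10.10.5.20 event=login_failed
2023-11-25T03:00:07 src=203.0.113.9 dst=10.10.5.20 event=login_failed
2023-11-25T03:00:09 src=203.0.113.9 dst=10.10.5.20 event=login_failed
2023-11-25T03:00:11 src=203.0.113.9 dst=10.10.5.20 event=login_ok
2023-11-25T03:05:00 src=198.51.100.7 dst=10.10.5.20 event=connect
2023-11-25T03:10:00 src=10.10.5.2 dst=10.10.5.20 event=login_failed
2023-11-25T03:10:30 src=10.10.5.2 dst=10.10.5.20 event=login_ok
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts'].isoformat()} {alert['kind']:<24} {alert['src']} -> {alert['dst']}")
```

Running the script on the constructed sample yields exactly three alerts: a brute-force alert on the fifth failure, a success-after-failures alert on the login that follows it, and an IOC match on the later connection; the operator's single mistype produces nothing. Feeding a replayed or synthetic burst like this through the real log pipeline is a concrete way to perform the routine validation against ATT&CK techniques that item 9 recommends.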

10. **Communication Channels for Information Sharing**:
– Recommendations for sharing information with CISA, FBI, NSA, and WaterISAC among others.

**Immediate Actions for Organizations**:
– Assess current cybersecurity posture against the advisory.
– Implement recommended mitigations as applicable.
– Share information and coordinate with relevant authorities for the greater cybersecurity community’s benefit.

**Version History**:
– The CSA was initially released on December 1, 2023.
