December 4, 2023 at 06:36PM
Iran-linked cyber group CyberAv3ngers, tied to the IRGC, exploited default passwords to attack US water systems using Israeli-made PLCs, according to a warning from multiple US agencies. No operational impact on water safety was reported. The agencies advise against exposing PLCs to the internet and against leaving default passwords in place.
Meeting Takeaways:
1. Iranian cybercriminals, associated with CyberAv3ngers and linked to the Islamic Revolutionary Guard Corps (IRGC), have exploited Israeli-made programmable logic controllers (PLCs) in the U.S.
2. Affected facilities include multiple water systems and other operational technology environments.
3. The FBI, NSA, CISA, EPA, and INCD issued a joint security advisory as a warning about the ongoing cyber threats.
4. The IRGC was designated a foreign terrorist organization by the U.S. in 2019.
5. The attacks were carried out by exploiting default passwords and internet-connected PLCs.
6. CISA reported a cyberattack on a Pennsylvania water authority, which forced operators to control a pumping station manually.
7. The Municipal Water Authority of Aliquippa, among others, was targeted, in what the attackers presented as a warning against the use of Israeli-made equipment.
8. CISA’s Eric Goldstein confirmed a small number of water utilities were impacted but emphasized that operational systems and the provision of safe water were not affected.
9. PLCs are also used in other critical sectors like energy, food and beverage, healthcare, etc., and may be rebranded, which obscures the full extent of the threats.
10. Organizations are advised to secure their operational technology by not exposing PLCs to the open internet and changing default passwords, among other steps outlined in the joint advisory.
11. A search showed 211 Unitronics devices online in the U.S. and over 1,800 globally.
12. CyberAv3ngers is the only group currently known to target Israeli-made equipment in U.S. critical infrastructure.
13. CheckPoint is monitoring three other pro-Iran groups (Haghjoyan, CyberToufan Group, and YareGomnam Team) that claim to target U.S. organizations in response to the Israel-Gaza conflict.
14. The veracity of each group’s claims has not been independently validated by researchers.
Action Items:
– Review and follow the mitigation strategies provided in the joint advisory.
– Check and secure PLCs to ensure they are not exposed to the internet and default passwords are changed.
– Monitor systems for indicators of compromise as outlined in the advisory.
– Stay updated on the potential for broader targeting of Israeli technology in U.S. infrastructure.
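An added example (not from the advisory or the reporting summarized here) of the inventory check the second action item calls for: it flags PLC management addresses that fall outside an assumed approved OT address range and passwords that match an assumed vendor-default list. The inventory, the address ranges and the placeholder default value are constructed, not taken from the advisory.

```python
"""Audit a PLC inventory for the two weaknesses the joint advisory singles out:
management interfaces reachable from outside the OT network and unchanged
default passwords. Added example; every value below is a constructed placeholder."""
import ipaddress

# Assumed: the utility's own OT management networks. A device whose management
# address is outside them is treated as potentially reachable from the internet.
APPROVED_OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Placeholder vendor defaults, keyed by lower-case vendor name. Replace with the
# real defaults listed in the joint advisory before using this in practice.
ASSUMED_DEFAULT_PASSWORDS = {"unitronics": {"VENDOR-DEFAULT-PLACEHOLDER"}}

# Constructed sample inventory; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_INVENTORY = [
    {"name": "pump-station-1", "vendor": "Unitronics",
     "mgmt_ip": "203.0.113.10", "password": "VENDOR-DEFAULT-PLACEHOLDER"},
    {"name": "pump-station-2", "vendor": "Unitronics",
     "mgmt_ip": "10.20.30.40", "password": "VENDOR-DEFAULT-PLACEHOLDER"},
    {"name": "chlorine-dosing", "vendor": "Unitronics",
     "mgmt_ip": "10.20.30.41", "password": "x9!Long-Unique-Value"},
    {"name": "well-3", "vendor": "OtherVendor",
     "mgmt_ip": "198.51.100.7", "password": "changed-at-install"},
]


def audit_plc(device, approved_networks=APPROVED_OT_NETWORKS):
    """Return the list of findings for one device; an empty list means no issue."""
    findings = []
    ip = ipaddress.ip_address(device["mgmt_ip"])
    if not any(ip in net for net in approved_networks):
        findings.append("outside-approved-ot-network")
    defaults = ASSUMED_DEFAULT_PASSWORDS.get(device["vendor"].lower(), set())
    if device["password"] in defaults:
        findings.append("default-password")
    return findings


def audit_inventory(inventory, approved_networks=APPROVED_OT_NETWORKS):
    """Map each device name to its findings, omitting devices with none."""
    report = {}
    for device in inventory:
        findings = audit_plc(device, approved_networks)
        if findings:
            report[device["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

A device from a vendor with no entry in the default list gets no password finding, so extend the list for every PLC vendor in the inventory rather than treating silence as a pass.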