US Water Systems Targeted by Iran-Linked Cyberattacks in Multiple States
U.S. federal agencies have warned that an Iran-linked hacking group is targeting Israeli-made devices used in multiple U.S. industries, including water systems.
By Tom Ozimek
December 4, 2023
Multiple federal agencies are warning that Iran-linked hackers have been targeting U.S. water systems and other industries that use programmable-logic controllers (PLC) made by Israeli firm Unitronics, as the Israel–Hamas war simmers in the background.
Hackers affiliated with the Islamic Revolutionary Guard Corps (IRGC) have engaged in "malicious cyber activity" targeting PLC operational technology devices used in the U.S. water and wastewater systems sector, and in other industries including energy, food, and beverage manufacturing, since at least Nov. 22, the agencies said in a Dec. 1 alert.
The agencies that issued the warning include the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), with the Israel National Cyber Directorate (INCD) joining in the advisory.
This IRGC-linked cyberattack group (known variously as CyberAv3ngers, CyberAveng3rs, or Cyber Avengers) has been compromising default credentials in Unitronics devices since at least Nov. 22, the agencies said.
After hacking the PLC devices in multiple states, CyberAv3ngers left the following defacement message: “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
The cyber group has claimed responsibility for numerous attacks against critical infrastructure in Israel starting in 2020; it has recently turned its attention to targets in the United States, a key ally of Israel as it battles the Hamas terror group in response to the Oct. 7 attacks against Israel.
CyberAv3ngers targeted a water authority near Pittsburgh on Nov. 25, prompting congressional lawmakers to demand an investigation by the Department of Justice (DOJ) and triggering the latest multi-agency warning that other water and sewage-treatment utilities, and other industries, may be vulnerable.
The PLC devices regulate processes including pressure, temperature, and fluid flow, according to Unitronics.
Pennsylvania Water Utility Attacked
A cyberattack by the Iran-linked group on Nov. 25 targeted the Municipal Water Authority of Aliquippa, Pennsylvania, forcing the utility to switch to manual operations; officials said water quality wasn't compromised.
"The affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply," the CISA said in a Nov. 28 notice.
FBI Dismantles Notorious Qakbot Hacking Network
While water quality wasn't affected this time, the agency said that such cyberattacks do have the potential to threaten the ability of water and wastewater systems to provide clean drinking water to residents and to effectively manage wastewater.
The hackers accomplished their attack by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet, according to the CISA. The agency urged water and wastewater facilities to take preventive measures including changing passwords and disconnecting the PLCs from the open internet.
While water quality wasn't affected this time, the agency said that such cyberattacks do have the potential to threaten the ability of water and wastewater systems to provide clean drinking water to residents and to effectively manage wastewater.
The hackers accomplished their attack by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet, according to the CISA. The agency urged water and wastewater facilities to take preventive measures including changing passwords and disconnecting the PLCs from the open internet.
Several Pittsburgh-based cybersecurity firms said that utility companies are more vulnerable to cyberattacks targeting operational technology because many of these systems are dated and monitored infrequently.
"Take a Fortune 500, or any type of large manufacturer or utility—instead of breaking in through their firewalls and trying to get to their data, [hackers have] the ability to try to go in and interfere with their systems," David Kane, CEO of Pittsburgh-based Ethical Intruder, told the Pittsburgh Post-Gazette.
"I think you're gonna see a big rise in that because there's just so few protections on it," he said, adding that an attack on the operational technology side is "very alarming."
In its latest warning, the CISA and the other agencies shared a number of indicators of compromise (IOC), as well as tactics, techniques, and procedures (TTP) associated with the Iran-linked cyber group's operations.
Lawmakers Demand Probe
The cyberattack prompted several congressional lawmakers from Pennsylvania to demand that the Department of Justice (DOJ) launch an investigation into how the foreign hacking group managed to breach a U.S.-based water facility.
"Any attack on our critical infrastructure is unacceptable," U.S. Rep. Chris Deluzio (D-Pa.) said in a post on X. "It poses a threat not only to Western PA, but also the nation."
Mr. Deluzio, along with U.S. Sens. John Fetterman (D-Pa.) and Bob Casey Jr. (D-Pa.) wrote a letter to U.S. Attorney General Merrick Garland on Nov. 28, saying that Americans need to be confident that their drinking water and other basic infrastructure is safe.
“If a hack like this can happen here in western Pennsylvania, it can happen anywhere else in the United States,” the lawmakers wrote.
The attack came less than a month after a federal appeals court decision prompted the Environmental Protection Agency (EPA) to rescind a rule that would have obliged U.S. public water systems to include cybersecurity testing in their regular federally mandated audits.
The rollback was triggered by a federal appeals court decision in a case brought by Missouri, Arkansas, and Iowa, and joined by a water utility trade group.
Unitronics didn't respond by press time to queries as to whether other facilities with its equipment may have been hacked or could be vulnerable.
The Associated Press contributed to this report.
🙏🏾🙏🏾🙏🏾