A joint Cybersecurity Advisory (CSA) was released on December 1st by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD). See it below.
The advisory addresses ongoing malicious cyber activity targeting operational technology devices by cyber actors affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC). The IRGC is an Iranian military organization that was designated as a foreign terrorist organization by the United States in 2019. In recent cyber operations, IRGC-affiliated actors operating under the alias "CyberAv3ngers" have been actively engaging in cyber attacks, primarily focusing on Israeli-made Unitronics Vision Series programmable logic controllers (PLCs).
These PLCs are commonly used in various sectors, including Water and Wastewater Systems (WWS), energy, food and beverage manufacturing, and healthcare. It's worth noting that the PLCs may appear under different manufacturers and companies, making detection more challenging. Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to exploit default credentials in Unitronics devices. They have left a defacement image with the message "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." These attacks have impacted multiple U.S. states.
What to do?
* Implement Multifactor Authentication (MFA): Multifactor authentication is a robust security measure that adds an extra layer of protection to user accounts and systems. It requires individuals to provide two or more types of authentication factors before gaining access. These factors typically include something you know (such as a password), something you have (such as a smartphone or token), and something you are (biometric data like a fingerprint or facial recognition). By implementing MFA, organizations can significantly enhance the security of their systems, making it much harder for unauthorized individuals to gain access even if passwords are compromised.
* Use Strong, Unique Passwords: Strong, unique passwords are fundamental to cybersecurity. A strong password should be complex, incorporating a mix of upper- and lower-case letters, numbers, and special characters. Passwords should also be long and avoid easily guessable information, such as common words or phrases. To ensure uniqueness, individuals should refrain from using the same password across multiple accounts or systems. A password manager can assist in generating, storing, and managing strong, unique passwords for various accounts, enhancing overall security.
* Check PLCs for Default Passwords: Programmable logic controllers (PLCs) are often deployed in industrial environments, including critical infrastructure sectors like Water and Wastewater Systems (WWS). These devices are susceptible to compromise if default login credentials are not changed. It is crucial for organizations to regularly inspect their PLCs and ensure that default usernames and passwords are replaced with strong, unique, non-default credentials. This reduces the risk of unauthorized access by cyber adversaries who exploit known default login information.
By comprehensively implementing multifactor authentication, maintaining strong, unique passwords, and diligently checking and updating PLC login credentials, organizations can substantially bolster their cybersecurity posture. These measures provide a layered defense approach, reducing the susceptibility to cyberattacks and helping to protect critical infrastructure systems from potential compromise by IRGC-affiliated cyber actors.
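As an added example (not part of the advisory or of this post), the following Python audit runs over a constructed PLC asset inventory and flags the three conditions above: factory-default credentials (prioritised by internet exposure), credentials shared across devices, and missing MFA. The CSV layout, the vendor alias "acme-controls", the credential fingerprints and every asset value are constructed assumptions; no real Unitronics values appear.

```python
"""Added example, not from the advisory: audit a PLC asset inventory against the
three mitigations above (no factory defaults, unique credentials, MFA enabled).
The CSV layout, vendor alias names and all asset values are constructed."""
import csv
import io
from collections import defaultdict

# Constructed alias map: rebranded units resolve to the underlying product line,
# so a rebranded nameplate does not hide a device from the default-credential check.
VENDOR_ALIASES = {"unitronics": "Unitronics", "acme-controls": "Unitronics"}

# Constructed inventory. Secrets are never stored here; only a fingerprint
# (e.g. a salted hash kept by the asset system) is recorded so that credential
# reuse across devices can be detected without revealing the credential itself.
INVENTORY_CSV = """asset_id,vendor,model,internet_exposed,credential_state,credential_fingerprint,mfa_enabled
plc-01,Unitronics,Vision,yes,factory-default,fp-default,no
plc-02,acme-controls,Vision,no,factory-default,fp-default,no
plc-03,Unitronics,Vision,yes,custom,fp-a1,no
plc-04,Unitronics,Vision,no,custom,fp-a1,yes
plc-05,Unitronics,Vision,no,custom,fp-b2,yes
"""

SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def audit(csv_text):
    """Return findings as (severity, asset_id, issue) tuples, most severe first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Group custom credentials by fingerprint to spot reuse between devices.
    by_fingerprint = defaultdict(list)
    for r in rows:
        if r["credential_state"] == "custom":
            by_fingerprint[r["credential_fingerprint"]].append(r["asset_id"])
    findings = []
    for r in rows:
        vendor = VENDOR_ALIASES.get(r["vendor"].lower(), r["vendor"])
        exposed = r["internet_exposed"] == "yes"
        if r["credential_state"] == "factory-default":
            # An internet-reachable device on factory defaults is the worst case.
            sev = "critical" if exposed else "high"
            findings.append((sev, r["asset_id"], f"{vendor} {r['model']} still on factory-default credentials"))
        else:
            others = [a for a in by_fingerprint[r["credential_fingerprint"]] if a != r["asset_id"]]
            if others:
                findings.append(("medium", r["asset_id"], "credential shared with " + ", ".join(others)))
        if r["mfa_enabled"] != "yes":
            findings.append(("medium", r["asset_id"], "MFA not enabled for remote access"))
    findings.sort(key=lambda f: (SEVERITY[f[0]], f[1]))  # stable: keeps per-asset order
    return findings


if __name__ == "__main__":
    for sev, asset, issue in audit(INVENTORY_CSV):
        print(f"[{sev.upper():8}] {asset}: {issue}")
```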
American and foreign water and wastewater facilities have been hit in recent years by various attackers:
1. Oldsmar, Florida Water Treatment Plant Attack (2021): In February 2021, a hacker gained unauthorized access to the computer systems of the Oldsmar water treatment plant in Florida. The attacker attempted to manipulate the chemical levels in the water supply by remotely increasing the amount of sodium hydroxide (lye) to dangerous levels. Fortunately, a plant operator noticed the suspicious activity and intervened, preventing any harm. This incident underscored the potential risks to public safety posed by cyberattacks on water facilities.
2. Rye, New York Water Treatment Plant Attack (2021): In April 2021, the water treatment plant in Rye, New York, experienced a cyberattack that disrupted its operations. The attack led to issues with chlorine and turbidity levels in the water supply. While the incident did not result in widespread harm, it raised concerns about the susceptibility of critical infrastructure to cyber threats.
3. Kane County, Illinois Water Utility Cyber Incident (2019): In 2019, the Kane County Water Utility in Illinois fell victim to a cyber incident that resulted in unauthorized access to its computer systems. Although the attackers did not manipulate water quality, they did access and steal sensitive information from the utility's network, highlighting the broader risks associated with cyber intrusions in the water sector.
4. City of Atlanta Ransomware Attack (2018): While not specific to water facilities, the ransomware attack that targeted the City of Atlanta in 2018 disrupted various city services, including the billing and payment systems for the water department. The attack demonstrated the potential for ransomware to impact critical infrastructure services, including those related to water.
5. Wastewater Treatment Plant in Maroochy Shire, Australia (2000): Though not a U.S. incident, the Maroochy Shire cyberattack serves as an early example of a water facility cyber incident. In 2000, a disgruntled former employee of the Maroochy Shire Council in Australia gained unauthorized access to the computerized control system of a wastewater treatment plant. The attacker released millions of liters of sewage into nearby waterways, causing significant environmental damage.
These examples illustrate the diverse range of cyber threats and vulnerabilities facing water and wastewater facilities in the United States and around the world. While some incidents resulted in potential harm to water quality and infrastructure, others focused on disrupting operations or accessing sensitive information.
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities
Release Date: December 01, 2023 | Alert Code: AA23-335A
ACTIONS TO TAKE TODAY TO MITIGATE MALICIOUS ACTIVITY:
SUMMARY
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as "the authoring agencies"—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.
The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.
Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
This advisory provides observed IOCs and TTPs the authoring agencies assess are likely associated with this IRGC-affiliated APT. For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.