Pro-Iran Attackers Access Multiple Water Facility Controllers

Critical infrastructure in multiple US states may have been compromised by Iran-affiliated attackers targeting programmable logic controllers (PLCs).

A warning from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate comes after an attack was detected on a Pennsylvania water authority last week, where the CyberAv3ngers threat group hacked Unitronics Vision Series PLCs.

Researchers believe that the CyberAv3ngers are affiliated with Iranian Government Islamic Revolutionary Guard Corps (IRGC), and are politically motivated to go after the Unitronics PLCs, which have components that are Israeli-owned.

The national intelligence and security agencies are now warning that the attacks extend beyond the Keystone State; beginning on Nov. 22, the cyber actors accessed multiple US-based facilities that utilize Unitronic PLCs with human machine interfaces (including water and wastewater installations), likely by compromising Internet-accessible devices with default passwords. Worse, the attackers may have had access for more than 10 days.

These compromised devices are often exposed to external Internet connectivity due to the remote nature of their control and monitoring functionalities, and by default are on TCP port 20256. Any compromise could render the PLC inoperative, which could lead to the shutdown of the operational technology (OT) responsible for the physical workings of utilities and other industrial control facilities.

The agencies say it is not known whether attackers dug deeper into these PLCs, but warned any organizations running these controllers to evaluate their systems.