The United States is experiencing an increase in cyberattacks targeting industrial control systems (ICS). Critical infrastructure such as water treatment systems relies on ICS to ensure the safety of drinking water.
A joint security advisory was released on December 1 in response to ongoing cyberthreats against U.S. water systems and other sectors. The advisory was co-authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD).
On November 25, the Municipal Water Authority of Aliquippa (MWAA) in Pennsylvania discovered they had been targeted in a cyberattack by hackers linked to Iran. Matthew Mottes, the chairman of MWAA, told local news outlet Beaver Countian that the hackers did not access “anything in our actual water treatment plant—or other parts of our system—other than a pump that regulates pressure to elevated areas of our system.” Mottes told the news outlet that the hacked pump was on a separate network from the primary network.
The joint security advisory states the hackers breached a programmable logic controller (PLC) made by an Israeli company named Unitronics, a Vision-series device with an integrated human-machine interface (HMI). The hackers seized control of the HMI's display screen, which operators use to monitor and adjust water pressure. They manipulated the screen to show the message: “You have been hacked. Down with Israel. Every equipment ‘Made in Israel’ is Cyber Av3ngers legal target.” The advisory notes the MWAA responded to the attack by disconnecting the affected system and then switching to manual operations.
According to CISA, Cyber Av3ngers is affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC). In April 2019, the U.S. State Department designated the entire IRGC as a foreign terrorist organization (FTO). Prior to that, in 2007 the U.S. sanctioned a subdivision of the IRGC for supporting terrorism, and two IRGC commanders have been listed as Specially Designated Global Terrorists. Cyber Av3ngers’ social media accounts indicate retaliation against Israel and its supporters in the Israel-Hamas War is the primary motivation for their attacks.
The joint security advisory says the hackers used brute force techniques, meaning they got in by trying candidate passwords until one was accepted rather than by exploiting a software flaw. That takes almost no effort when the device is still on its factory credentials: Unitronics PLCs ship with a default password (the advisory specifically calls out “1111”), and many are reachable directly from the internet on the vendor's default TCP port, 20256. Federal authorities highlighted that the hackers likely exploited both weaknesses together, the default password and the internet exposure, and recommended changing the password, changing the default port, and taking the PLCs off the open internet.
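The detection a utility would want from the passage above is a burst-of-failures rule on the PLC's remote-access port. The following is an added example, not code from the advisory or from any vendor: it parses a hypothetical access-log format (one line per connection attempt with a password result), flags a source once it accumulates ten failures within a 60-second sliding window, and raises a second, higher-priority alert if that same source then succeeds while the window is still full. The log lines are constructed; the public addresses come from the RFC 5737 documentation ranges and belong to no real host. Port 20256 is assumed to be the Unitronics default PCOM port that the advisory recommends changing.

```python
"""Sliding-window brute-force detector for PLC remote-access attempts.

Added example (not from the advisory or the article). The log format is
hypothetical; real gateways and HMIs log differently, so adapt LOG_RE.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical access-log line: timestamp, source, destination, port, password result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) result=(?P<result>OK|FAIL)$"
)

PCOM_PORT = 20256       # assumed Unitronics default PCOM TCP port; change to the port you actually expose
WINDOW_SECONDS = 60     # sliding window for counting failures
FAIL_THRESHOLD = 10     # failures inside the window that count as a brute-force burst

# Constructed sample: one operator login from an internal workstation, a 12-guess
# burst from one outside address followed by a success, two stray failures from
# another address, a line on an unrelated port, and a malformed line.
ATTACK_SRC = "203.0.113.5"
SAMPLE_LOG = (
    ["2023-11-25T03:14:00Z src=10.10.5.40 dst=10.10.1.20 dport=20256 result=OK"]
    + [f"2023-11-25T03:20:{2 * i:02d}Z src={ATTACK_SRC} dst=10.10.1.20 dport=20256 result=FAIL"
       for i in range(12)]
    + [f"2023-11-25T03:20:30Z src={ATTACK_SRC} dst=10.10.1.20 dport=20256 result=OK"]
    + [
        "2023-11-25T03:25:01Z src=198.51.100.9 dst=10.10.1.20 dport=20256 result=FAIL",
        "2023-11-25T03:25:09Z src=198.51.100.9 dst=10.10.1.20 dport=20256 result=FAIL",
        "2023-11-25T03:26:00Z src=198.51.100.9 dst=10.10.1.21 dport=502 result=FAIL",
        "garbage line the parser must skip",
    ]
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev


def detect(lines):
    """Return alerts as (kind, source, iso_timestamp) tuples, in log order.

    kind is "brute_force" when a source reaches FAIL_THRESHOLD failures inside
    WINDOW_SECONDS, and "success_after_burst" when a source logs in while its
    window still holds at least FAIL_THRESHOLD failures.
    """
    recent_fails = defaultdict(deque)   # src -> timestamps of failures still inside the window
    already_flagged = set()             # sources that have produced a brute_force alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != PCOM_PORT:
            continue                    # ignore unparseable lines and other services
        src, ts = ev["src"], ev["ts"]
        window = recent_fails[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()            # expire failures older than the window
        if ev["result"] == "FAIL":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("brute_force", src, ts.isoformat()))
        elif len(window) >= FAIL_THRESHOLD:
            # A success right after a burst is the signal that a guess worked.
            alerts.append(("success_after_burst", src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The caveat is built into the sample: if the device is still on the vendor default, the attacker's first guess can succeed and there is no burst for this rule to see, so the rule only catches the noisy case. It is a compensating control, not a substitute for changing the default password and removing the PLC from the open internet.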
The exact number of affected U.S. organizations was not disclosed by federal agencies. However, CISA notes that Unitronics PLCs are used in various sectors, including food, energy, and healthcare, among others. Moreover, Shodan, a search engine for internet-connected devices, shows roughly 200 exposed Unitronics devices in the United States, with more in over 50 other countries. That figure counts only devices that answer scans from the internet, which is exactly the population the advisory says is at risk; PLCs kept off the public internet do not appear in it.
Just one day after the MWAA attack, the North Texas Municipal Water District (NTMWD) was also targeted in a cyberattack. Alex Johnson, the director of communications for NTMWD, confirmed the attack to the news outlet The Record from Recorded Future News. According to NTMWD’s website, it provides drinking water to approximately 2.2 million people in the Dallas region.
While NTMWD did not confirm the use of Unitronics devices or the involvement of ransomware, a ransomware group named Daixin Team claimed responsibility for the attack on its dark web leak site. The FBI, CISA, and the Department of Health and Human Services (HHS) released a joint security advisory in 2022 regarding Daixin Team’s ransomware attacks, particularly those targeting the healthcare industry.