CyberAv3ngers hit Unitronics PLCs at multiple US-based water facilities

Iran-affiliated attackers CyberAv3ngers continue to exploit vulnerable Unitronics programmable logic controllers (PLCs), US and Israeli authorities have said in a joint cybersecurity advisory.


CyberAv3ngers targeting Unitronics PLCs

CISA has recently confirmed that Iran-affiliated attackers took over a Unitronics Vision Series PLC at a water system facility in Pennsylvania, and urged other water authorities to promptly secure their Unitronics PLCs.

The agency has advised them to change the default password and port used by the PLC, disconnect it from the open internet or secure remote access by using firewall, VPN and multi-factor authentication (MFA), create configuration backups, and update the PLC/HMI to the latest available version.

CyberAv3ngers has previously claimed responsibility for numerous attacks against critical infrastructure organizations in Israel working in the water, energy, shipping, and distribution sectors, and only recently targeted Unitronics PLCs deployed by multiple US-based water and wastewater facilities.

In the latest advisory, the agencies shared additional information about the APT group’s activities and indicators of compromise (IoCs) associated with their most recent attacks.

“These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment,” the advisory explains.

“It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.”

The UK National Cyber Security Centre (NCSC) says that the compromise of the PLCs is “highly unlikely” to disrupt routine operations of affected organizations. “There is a very low potential risk, if the threat is unmitigated, to some small suppliers,” they noted.

The agencies repeated CISA’s initial risk mitigation advice and urged organizations to apply it to all internet-facing PLCs, not just those manufactured by Unitronics (which, it has been pointed out, may also be rebranded and appear as made by different manufacturers).

Finally, they called on device manufacturers to do their part in securing OT devices by:

  • Not shipping products with default passwords
  • Avoiding the exposure of administrative interfaces to the internet
  • Not imposing additional fees for security features
  • Making sure the devices support MFA

Other Iran-affiliated threat groups to look out for

CyberAv3ngers are not the only Iranian cyber threat actors targeting Israeli and US entities, Check Point researchers pointed out.

There’s CyberToufan, which initially targeted Israeli organizations but later claimed attacks against US companies.

“As part of the attacks, the group also claimed to attack the Berkshire eSupply US company, also with the alleged excuse that they use products from Israeli companies as part of their IT infrastructure,” the researchers said.

Several other groups engaged in website defacements and leaks of data ostensibly stolen from US companies, as well as hacking CCTV systems at several US airports and targeting pipeline and electrical systems in the US.

“As tensions in the Middle East continue, the likelihood of ongoing cyberattacks by these groups, particularly against US targets, remains high. This trend represents a significant evolution in the nature of cyber warfare, transcending traditional geopolitical boundaries,” the researchers concluded.
