Multiple federal agencies are warning that Iran-linked hackers have been targeting U.S. water systems and other industries that use programmable-logic controllers (PLC) made by Israeli firm Unitronics, as the Israel–Hamas war simmers in the background.
The agencies that issued the warning include the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), with the Israel National Cyber Directorate (INCD) joining in the advisory.
This IRGC-linked cyberattack group (known variously as CyberAv3ngers, CyberAveng3rs, or Cyber Avengers) has been compromising default credentials in Unitronics devices since at least Nov. 22, the agencies said.
After hacking the PLC devices in multiple states, CyberAv3ngers left the following defacement message: “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
The cyber group has claimed responsibility for numerous attacks against critical infrastructure in Israel starting in 2020; it has recently turned its attention to targets in the United States, a key ally of Israel as it battles the Hamas terror group in response to the Oct. 7 attacks against Israel.
One high-profile attack by CyberAv3ngers targeted a water authority near Pittsburgh on Nov. 25, prompting congressional lawmakers to demand an investigation by the Department of Justice (DOJ) and triggering the latest multi-agency warning that other water and sewage-treatment utilities, and other industries, may be vulnerable.
Pennsylvania Water Utility AttackedA cyberattack by the Iran-linked group on Nov. 25 targeted the Municipal Water Authority of Aliquippa, Pennsylvania, forcing the utility to switch to manual operations; officials said water quality wasn’t compromised.
While water quality wasn’t affected this time, the agency said that such cyberattacks do have the potential to threaten the ability of water and wastewater systems to provide clean drinking water to residents and to effectively manage wastewater.
The hackers accomplished their attack by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet, according to the CISA. The agency urged water and wastewater facilities to take preventive measures including changing passwords and disconnecting the PLCs from the open internet.
Several Pittsburgh-based cybersecurity firms said that utility companies are more vulnerable to cyberattacks targeting operational technology because many of these systems are dated and monitored infrequently.
“I think you’re gonna see a big rise in that because there’s just so few protections on it,” he said, adding that an attack on the operational technology side is “very alarming.”
Lawmakers Demand ProbeThe cyberattack prompted several congressional lawmakers from Pennsylvania to demand that the Department of Justice (DOJ) launch an investigation into how the foreign hacking group managed to breach a U.S.-based water facility.
Mr. Deluzio, along with U.S. Sens. John Fetterman (D-Pa.) and Bob Casey Jr. (D-Pa.) wrote a letter to U.S. Attorney General Merrick Garland on Nov. 28, saying that Americans need to be confident that their drinking water and other basic infrastructure is safe.
“If a hack like this can happen here in western Pennsylvania, it can happen anywhere else in the United States,” the lawmakers wrote.
The attack came less than a month after a federal appeals court decision prompted the Environmental Protection Agency (EPA) to rescind a rule that would have obliged U.S. public water systems to include cybersecurity testing in their regular federally mandated audits.
The rollback was triggered by a federal appeals court decision in a case brought by Missouri, Arkansas, and Iowa, and joined by a water utility trade group.
Unitronics didn’t respond by press time to queries as to whether other facilities with its equipment may have been hacked or could be vulnerable.