Water system attacks spark calls for cybersecurity regulation

The US critical infrastructure industry and federal authorities have been coping with a series of attacks on organizations, particularly water utilities, by a shadowy Iranian threat actor exploiting security holes in internet-connected equipment deployed in industrial control system (ICS) environments.

The substantial worries surrounding these incidents, which were seemingly triggered by the Hamas-Israel war, suggest that these kinds of attacks will continue for the foreseeable future. However, some cybersecurity and industrial control system security experts have doubts that Iran as a nation-state was behind the attacks given their amateurish nature.

However, they all agree that cash-strapped water utilities are sitting ducks for this exploitation and that all organizations can best defend themselves by getting their unprotected devices off the open internet. Some experts hope this recent turn of events will spark renewed interest in water sector regulations that could give water utilities more significant funding to devote to cybersecurity.

Timeline of cyberattacks on water facilities

On November 25, the Municipal Water Authority of Aliquippa, Pennsylvania, disclosed a cyberattack during which it lost control of a booster station due to a compromised Unitronics PLC (programmable logic controller), model V570-57-T20 / V290-19-T20. The attackers exploited the manufacturer’s default password of “1111” on the device, although the exact compromise method still appears unclear.

The attackers, so-called Iranian “hacktivists” known as CyberAv3ngers, defaced the screen of the unit with the message “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The water authority took the system offline and switched to manual operations, and no risk was posed to the municipality’s drinking water or water supply.

On November 28, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that cyber threat actors were targeting water and wastewater systems (WWS) by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. CISA offered guidance on the best methods that other Unitronics customers could deploy to defend against the attacks.

On December 1, CISA, the US Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) issued an even stronger alert to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated advanced persistent threat (APT) cyber actors, specifically CyberAv3ngers. Researchers at SentinelOne say that the CyberAv3ngers mission is to sow discord and create a sense of heightened risk from technically unsophisticated hacks.

The agencies warned that the group had targeted victims across multiple US states and other industries, including energy, food and beverage, manufacturing, and healthcare. The agencies also shared indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.

Five days after the attack, around 1,800 Unitronics PLCs were reachable globally over the internet, according to a Shodan search, with around 280 of those the type in use by the Municipal Water Authority of Aliquippa. As of December 8, the number of Unitronics PLCs reachable globally dropped to 1,619, and the number of PLCs of the type exploited in Pennsylvania dropped to 258, a Shodan search showed.

CyberAv3ngers’ checkered reputation

CyberAv3ngers has a history of touting its attacks on its Telegram channel and other social media, some of which have proven false. In early October, the hackers claimed to have hacked the Israeli Dorad private power station. Researchers at Kaspersky later found that the alleged attack used recycled images and data from a previous attack by a hacktivist group called Moses Staff from 2022.

In mid-October, the group took credit for an attack on Israeli fuel retail payment provider Orpak that purportedly disconnected 200 gas pumps from the system. Although Orpak did not confirm the attack, residents of Tel Aviv and Haifa reportedly took to social media to highlight the inability of gasoline pumps to provide services.

In late October, the group claimed it hacked into ten Israeli water facilities and offered images and videos as proof. The group offered a detailed video showing how the hack was achieved in a command line terminal, which includes some of the IP addresses associated with the systems that were attacked.

Water facility attacks were rudimentary

Although both CISA and SentinelOne say that CyberAv3ngers is an IRGC-affiliated group, some experts are skeptical about how close the ties really are between the Iranian government, well-known for its strong cyber threat capabilities, and the hacktivists. “It doesn’t sound to me like that’s a state-backed group,” Mike Hamilton, founder and CISO at Critical Insight and former CISO for the City of Seattle, tells CSO.

“The people that run the water utilities failed to change default passwords for stuff that was connected to the internet. So, all [that CyberAv3ngers] had to do was look up what’s the default password that ships with Unitronics stuff and log in,” Hamilton says. “We’re not talking about a sophisticated group here. This is not a state-sponsored group because Iranian state-sponsored groups are really good at what they do. They would’ve disrupted things probably permanently using wipers, malware, the stuff that just snuffs out your organization.”

Ron Fabela, field CTO at Xona Systems, thinks it’s possible that the affiliation between the CyberAv3ngers and the IRGC is akin to the way Russia turns a blind eye to the financially motivated ransomware actors within its country’s borders. “If the Iranians don’t arrest these people, that doesn’t mean they’re funded or affiliated,” he tells CSO.

However, Patrick Miller, CEO at Ampere Industrial Security, gives more credence to the IRGC affiliation and thinks the unsophisticated nature of the attack doesn’t mean the attackers themselves were amateurs. “Even sophisticated actors can do things like provide a red herring,” he says. The low-level nature of the attack “doesn’t exclude sophisticated actors from not doing things like diversionary methods.”

The bigger story: Water infrastructure is poorly protected

Although the water system exploitations generated the most attention, the attacks appeared scattershot and aimed at a wide variety of targets, including at least one brewery. “The threat actor did not target US-based wastewater and water systems,” Fabela said. “They targeted anything that was listening on this particular TCP port, and that’s it. These are targets of opportunity, and this is just the latest example where the bar is exceedingly low.”

“I don’t know that they were explicitly targeting water systems,” Kevin Morley, manager of federal relations at the American Water Works Association, tells CSO. “This was an opportunist attack on a fairly inexpensive device that is used across multiple sectors. If you’re in rail or transportation or something else, you’re like, ‘Oh, well, that’s a water thing. I don’t have to worry about it.’ No, no, no. This isn’t a water thing. This is a PLC control thing.”

Chronically underfunded water utilities, which lack the money or personnel to handle cybersecurity properly, are ripe for exploitation. The “bigger story is how poorly protected our water infrastructure is,” Hamilton says. “It says super bad things about our water sector and our ability to fend off this kind of stuff at a time when the population of threats is just getting out of control.”

“I feel bad for those mom-and-pop or small public utilities because they don’t have the money, they don’t have the resources,” Marco Ayala, interim president of InfraGard Houston, tells CSO. Miller agrees. “My biggest thought is water utilities are terribly underfunded for cybersecurity.”

Part of the problem is the sheer number of water utilities in the US, most of which are small and barely break even. According to CISA, there are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States. According to the EPA, 92% of public water systems serve 10,000 or fewer customers.

“The water sector is a local ratepayer-funded operation,” Morley says. “There is no capital federal subsidy in the water sector. This isn’t like highways.”

“Just get your crap off the internet”

The most important thing that organizations can do to ward off these kinds of attacks, aside from exercising proper cybersecurity hygiene, such as changing default passwords, is to ensure that their devices are not sitting unprotected on the internet. “Changing default passwords, I get it,” Miller says. “A lot of utilities don’t because maybe they’ve got a high level of churn in their environment, and they don’t want to go out and change passwords all the time. There are a lot of operational reasons why they may not want to change those things.” But the most crucial thing “to minimize the need to do that is just get your crap off the internet.”

“What this is really about is how we’ve normalized connecting systems to the internet,” Ayala says. He advises that organizations should “ensure your system is not traversing the internet and is not public facing” by going through a defined remote access connection point such as a VPN that’s been hardened and has protection such as multifactor authentication. “There are people that grow on trees nowadays that could come implement this for you for a reasonable cost, and the technology isn’t that expensive to purchase or maintain.”
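What “not public facing, reachable only through a hardened VPN” looks like at the network edge, as an added example that is not from the article or from any of the utilities, vendors or experts it quotes. It assumes a Linux firewall running nftables between the internet (interface eth0), a management network holding the VPN gateway (eth2, gateway at 10.10.1.5, where MFA is enforced), and the OT LAN holding the PLCs (eth1, 10.10.20.0/24); the PLC management port is assumed to be TCP 20256 (the Unitronics PCOM port) and the VPN endpoint UDP 51820 (WireGuard’s default). All addresses and interface names are constructed; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example, not the article's or any vendor's configuration.
# Assumptions (constructed): eth0 = internet, eth1 = OT LAN with the PLCs,
# eth2 = management net with the VPN gateway. Adjust every value below.

define plc_net     = 10.10.20.0/24   # PLC subnet (assumed)
define vpn_gateway = 10.10.1.5       # hardened VPN gateway, MFA enforced there (assumed)
define plc_port    = 20256           # PLC management port; assumed Unitronics PCOM
define vpn_port    = 51820           # VPN listener; assumed WireGuard default

flush ruleset

table inet ot_edge {
    # The exposure described in the article amounts to a rule like the one
    # below (or to no filtering at all, with the PLC on a public address).
    # It lets anyone on the internet reach the PLC's login screen, where a
    # vendor default password is the only obstacle. Shown for contrast only:
    #
    #   iifname "eth0" ip daddr $plc_net tcp dport $plc_port accept
    #
    # The chains that follow replace it with default-deny plus one allowed path.

    chain forward {
        type filter hook forward priority 0; policy drop;   # default-deny

        # Keep already-established sessions alive in both directions.
        ct state established,related accept

        # The only thing the internet may reach is the VPN endpoint itself.
        iifname "eth0" ip daddr $vpn_gateway udp dport $vpn_port accept

        # PLC management traffic is accepted only when it originates from the
        # VPN gateway, i.e. from an operator who already passed MFA on the VPN.
        iifname "eth2" ip saddr $vpn_gateway ip daddr $plc_net tcp dport $plc_port accept

        # Anything else arriving from the internet and bound for the PLC
        # subnet is logged, so exposure attempts become visible, and dropped.
        iifname "eth0" ip daddr $plc_net log prefix "ot-edge drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The firewall's own administration also goes only via the VPN gateway.
        iifname "eth2" ip saddr $vpn_gateway tcp dport 22 accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that the forward chain’s policy is `drop` and that the only accept rule naming `$plc_port` carries the VPN gateway as source. The ruleset does not replace changing the PLC’s default password; it removes the internet as a path to that password prompt, which is the point Miller and Ayala make above, and the log line gives the operator a signal that someone is probing for exposed controllers.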

A clarion call for new security regulations for the water industry

If any good comes from these recent attacks, it might be a renewed call to regulate the water industry’s cybersecurity practices. Water utilities lag behind the other top critical infrastructure sectors in terms of regulatory rules that might boost their cybersecurity hardiness. In March, under the US Environmental Protection Agency (EPA), the Biden administration established a new requirement for states to inspect water utilities’ cyber defenses but was forced to abandon that effort in October following a lawsuit by the Republican state attorneys general of Arkansas, Iowa, and Missouri.

“We’ve got to get the EPA re-engaged,” Hamilton says. “There’s no reason that the EPA can’t do this. And that was kind of a [bad] move by those states. The other sector-specific agencies are doing what they’re supposed to do, but the EPA got shouted down, and here’s what happened. They’re getting hacked.”

“I mean, if I were a regulator trying to regulate, I would seize that opportunity,” Miller said. “I would use it as a poster event for why regulation should be put in. And I’m not saying that I’m a big fan of regulation. But, as a former regulator, this is the type of catalytic event that will almost always be used as a springboard or shim in the door to get the regulatory discussion moving again.”

Moreover, new regulations might help the water sector devote more funds to cybersecurity. “They don’t have the money,” Miller says. “Then they complain, well, we don’t have the money to meet the regulation, but you don’t get the money without it. It’s a chicken and egg situation, and it does come with some initial pain, handwringing, and heartburn. Still, we need minimums for critical infrastructure operators to be ‘this tall to ride’ from a security perspective. And the only way they’re going to get the money is if we put some regulatory minimums in place. I mean, that’s just a reality. It’s terrible, but it’s a reality.”
