CISA, FBI warn on Iran-backed infrastructure hacks


The hacking group CyberAv3ngers is actively targeting an Israeli-made automation system in wide use in the water and wastewater sector.

Federal cyber authorities are warning critical infrastructure companies that a hacker group linked to the Iranian military is targeting products of an Israeli-owned tech vendor that are used in water and wastewater industrial control systems.

The group, called CyberAv3ngers, is backed by Iran's Islamic Revolutionary Guard Corps (IRGC), according to a joint alert issued Dec. 1 by the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Environmental Protection Agency, the FBI and Israel's National Cyber Directorate.

According to the alert and multiple press reports, the CyberAv3ngers group has compromised programmable logic controllers from Israeli firm Unitronics as part of the threat group's response to the war between Israel and Hamas in the wake of the Oct. 7 attacks against Israel.

So far, it does not appear that the campaign has compromised any operations at the targeted systems, but CyberAv3ngers has succeeded in defacing target web interfaces in systems in multiple U.S. states, including the Municipal Water Authority of Aliquippa in the Pittsburgh area.

An image allegedly posted by the hackers reads: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target."

A profile of the group's recent activities by cybersecurity firm SentinelOne characterized the CyberAv3ngers as "an IRGC-aligned threat actor whose primary mission is to sow discord and create a sense of heightened risk from technically unsophisticated hacks."

The joint alert urges operators of Unitronics Vision Series programmable logic controllers to take some very elementary security steps to thwart potential attacks, including changing the default password (the alert notes the devices ship with the password 1111), disconnecting the controllers from the public internet or placing them behind a firewall and VPN, changing the default TCP port 20256, backing up controller logic and configuration, updating firmware and requiring multifactor authentication for remote access to the OT network.

"The compromise is centered around defacing the controller’s user interface and may render the [programmable logic controller] inoperative," the alert states. "With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved."

The Unitronics Vision devices are frequently used in water and wastewater systems as well as in beverage manufacturing and healthcare, according to the alert.

In addition to defacement campaigns in the U.S., the CyberAv3ngers group has also claimed responsibility for attacks on programmable logic controllers in Israel as well as other attacks on security cameras and smart-city management systems. Some of these claims, however, were later shown to be false.