Treasury sanctions Iranian cyber officials tied to 2023 water system hacks

The hackers targeted a batch of Israeli-made programmable logic controllers used in water treatment plants around the U.S.

The Treasury Department on Friday sanctioned the Iranian Islamic Revolutionary Guard Corps’s Cyber-Electronic Command leader and five other officials for their alleged role in a series of hacks that targeted U.S. water infrastructure late last year, the agency’s Office of Foreign Assets Control announced.

IRGC-CEC head Hamid Reza Lashgarian and others were targeted in sweeping financial sanctions in connection with the Iran-linked Cyber Av3ngers hacking collective, which claimed responsibility for breaching industrial water treatment equipment across multiple states.

The programmable logic controllers, or PLCs, were manufactured by Israeli company Unitronics, and the hacking group deliberately targeted them in retaliation for Israel’s ongoing war against Hamas.

“Every equipment ‘Made in Israel’ is Cyber Av3ngers legal target,” the group’s message said in a display readout of a water system that it had taken over at the Municipal Water Authority of Aliquippa in Pennsylvania.

Any money or property owned by those hacker-affiliated Iranian individuals in the U.S. or controlled by U.S. citizens must be frozen, and must be reported, OFAC declared. Additionally, financial institutions and others who do business with them — including transferring money or services — could face sanctions or legal actions.

“Although this particular operation did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences,” Treasury noted.

The Cybersecurity and Infrastructure Security Agency issued an alert about the hackers in late November, warning that about 11 facilities containing the Unitronics equipment were targeted. 

The Biden administration has been pushing to shore up protections for water treatment facilities against cyber threats, which researchers say are highly exposed to hacking attempts. But the Environmental Protection Agency in March rescinded a memorandum that would have directed providers to evaluate cyber defenses of their water systems when conducting sanitation surveys, after facing legal pushback from GOP-led states and trade groups. The agency had justified the measure under the 1974 Safe Drinking Water Act. 

Representatives of water trade groups testified before a House panel this week, urging Congress to take up measures that would give water facilities more federal funding for training and other resources they say are needed to defend their infrastructure.