Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew
CISA calls for stronger IT defenses as Texas district also hit by ransomware crew
CISA is investigating a cyberattack against a Pennsylvania water authority by suspected Iranian miscreants. The intrusion forced operators to switch a pumping station to manual control.
The US Homeland Security agency also warned it is expecting more attempts to subvert programmable logic controllers in America's critical infrastructure.
Over the weekend, the Municipal Water Authority of Aliquippa, which serves about 15,000 customers in the Pittsburgh area, said an anti-Israel cybercrime gang called Cyber Av3ngers infiltrated one of its booster pumping stations the Friday after Thanksgiving. This same crew claimed to have compromised 10 water systems in Israel, and boasted about its exploits on its Twitter feed.
The compromised Aliquippa system, a Unitronics Vision Series PLC, displayed a warning that the intruders would be targeting Israeli-made gear because of the ongoing Israel-Hamas war.
The water authority immediately took the system offline, switching to manual operations after the intrusion, which didn't affect the region's drinking water or water supply.
"It's a pain," Robert J. Bible, the water authority's general manager, told CNN
"Somebody's got to wake up at three in the morning and go turn on or turn off those pump stations. It's just a big inconvenience until we can get the (automated) system back up and running."
The US Cybersecurity and Infrastructure Security Agency (CISA) said it's probing the cyberattack, and urged utilities to harden the security around their PLCs. In the context of water supply infrastructure, these devices are used to control and monitor water and wastewater treatment processes, including controlling the pumps to fill tanks and reservoirs, the distribution of flow pacing chemicals, and sounding of alarms about operational threats.
"Attempts to compromise WWS [water and wastewater systems] integrity via unauthorized access threaten the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities," CISA warned.
Specific to the Aliquippa intrusion, Cyber Av3ngers likely breached the device "by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet," the agency noted.
How to secure PLCs
The Unitronics PLC default password is "1111," and if this hasn't already been changed at your site, it's a good idea to do so immediately. Making the equipment reachable from the public internet is also not a great approach. Additionally, water utilities should require multi-factor authentication (MFA) for all remote access to the operational technology network, including from the IT and any other external networks, the CISA recommends.
It's a good idea to disconnect the PLC from the open internet or internet-connected PCs, and put it behind layers of access control on site. If remote internet access is a must, then require a secure VPN to reach the equipment, or place some other gateway in front of the PLC, as that should provide strong authentication including MFA, and other security controls. That should protect the PLC, CISA said. Also, if possible, consider changing the default access port, TCP port 20256, to something else.
- Someone tried to poison a Florida city by hijacking its water treatment plant via TeamViewer, says sheriff
- EPA orders US states to check cyber security of public water supplies
- Alert: This ransomware preys on healthcare orgs via weak-ass VPN servers
- British Library begins contacting customers as Rhysida leaks data dump
"Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC," according to CISA. "Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection."
It sounds to us like miscreants are scanning the internet for open TCP 20256 ports, and trying to log in using weak, default, or brute-forced passwords, or perhaps some other weakness; blocking that connectivity off and requiring a secure tunnel to access the machinery is a good move as well as changing the device passcode. And, as always, back up the logic and configurations to enable fast recovery — especially in the case of a ransomware infection.
Ransomware crew hits Texas water district
Speaking of which: another water authority — this one in Texas — is in the process of fixing its IT systems after ransomware crew Daixin Team claimed to have broken into its network and stolen sensitive information.
Daixin listed the water district on its website as a victim, and claimed to have stolen more than 33,000 files potentially containing names, dates of birth, Social Security numbers, and other personal information. The gang said a "full leak" of the information may happen "soon."
The North Texas Municipal Water District, which provides services to more than two million customers, "recently detected a cybersecurity incident affecting our business computer network," spokesperson Alex Johnson told The Register.
The district's core water, wastewater, and solid waste management services were not affected by the intrusion, Johnson added.
While most of the business network has been restored, the phone system remains down. "We hope to have it back online this week," Johnson said.
The water district has also notified law enforcement, and hired security specialists to investigate the digital break-in. "The investigation is ongoing at this time and includes a review of any potentially impacted District data," Johnson said.
Daixin is the same group of criminals that, in October, shut down IT systems across five Ontario, Canada hospitals and claimed to have stolen more than 5.6 million patient records.
On Monday, Daixin listed the purloined papers as "sold" on its leak site. ®