US warns Iranian terrorist crew broke into 'multiple' US water facilities

There's a war on and critical infrastructure operators are still using default passwords

Iran-linked cyber thugs have exploited Israeli-made programmable logic controllers (PLCs) used in "multiple" water systems and other operational technology environments at facilities across the US, according to multiple law enforcement agencies .

In a take-out-the-trash-time release on Friday night security advisory, the FBI, National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), plus the Israel National Cyber Directorate (INCD) warned that CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group, has been "actively targeting and compromising" Unitronics Vision Series PLCs, since at least November 22.

The US designated the IRGC as a foreign terrorist organization in 2019.

But the gang did not need sophisticated tactics to run this attack: the joint advisory suggests Cyberav3ngers likely broke into US-based water facilities by using default passwords for internet-accessible PLCs.

The alert was issued just days after CISA said it was investigating a cyberattack against a Pennsylvania water authority by the IRGC-backed crew, which forced operators to switch a pumping station to manual control.

The compromised system at the Municipal Water Authority of Aliquippa displayed a warning that the intruders would be targeting Israeli-made gear because of the ongoing Israel-Hamas war. And it turns out that Aliquippa wasn’t the only entity under attack.

"We are tracking, at this time, a small number of impacted water utilities," Eric Goldstein, CISA executive assistant director for cybersecurity, told reporters on Monday.

However, there is some good news. Despite exploiting PLCs to gain access to the water and wastewater facilities, "we have seen no access to operational systems at these water facilities, nor have we seen any impact to the provision of safe drinking water," Goldstein added.

These PLCs, which are also used in other industries such as energy, food and beverage manufacturing, and health care, may be rebranded — so the number of exploits and the scope of the threat remains unclear.

During the Monday press briefing, Goldstein urged organizations across all sectors to take a couple basic steps to secure their operational technology environments: don't expose PLCs to the open internet, and don't use default passwords.

"And from there, begin to implement the other mitigations in our joint advisory and detect the indicators of compromise outlined therein," he said.

A Shodan search on Monday indicates 211 Unitronics devices are connected to the internet in the US, and more than 1,800 globally.

At this time, it appears that Cyberav3ngers is the only gang targeting Israel-made gear in US critical infrastructure facilities, according to the Feds. "We remain concerned about the prospect of broader targeting of Israeli technology like the activities today," Goldstein said.

Also on Monday, CheckPoint said it's tracking three other pro-Iran groups in addition to Cyberav3ngers that also claim to targeting US organizations in response to the conflict in Gaza.

These include Haghjoyan, a group that emerged when the war began and initially targeted Israel before moving on to hack-and-leak operations and website defacements in the US.

Another Iran-linked gang, CyberToufan Group, also said it targeted wholesaler Berkshire eSupply for using Israeli gear, and YareGomnam Team has claimed attacks on US pipeline, electrical systems and CCTV systems at American airports.

The security shop noted that its researchers haven't verified the accuracy of each group's claims. ®

More about


Send us news

Other stories you might like