US, Israeli security agencies warn of Iranian IRGC executing malicious cyber activity using OT devices

The U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) jointly released a Cybersecurity Advisory (CSA). The advisory draws attention to ongoing malicious cyber activity targeting operational technology (OT) devices. Specifically, the advisory focuses on the actions of Advanced Persistent Threat (APT) cyber actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).

The advisory published on Saturday urges critical infrastructure asset owners and operators to take specific measures to enhance security. These measures include implementing multi-factor authentication, using strong and unique passwords, and checking programmable logic controllers (PLCs) for default passwords to minimize the risk of malicious activity. 

It is important for all organizations, including U.S. water and wastewater systems (WWS) facilities, to carefully review this joint CSA and implement the recommended actions and mitigations. While the mitigations are primarily focused on threat actor activity against Unitronics PLCs, they apply to all internet-facing PLCs.

“The IRGC-affiliated cyber actors left a defacement image stating, ‘You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.’ The victims span multiple U.S. states,” the advisory revealed. “The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.”

The advisory said that the agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel. “Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics’ default password,” it added.

The agencies said that between Sept. 13 and Oct. 30, 2023, the CyberAv3ngers Telegram channel displayed both legitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.

“On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, the majority of these claims were proven false,” the advisory disclosed. “The group claimed to use a ransomware named ‘Crucio’ against servers where the webcam camera software operated on port 7001.”

The advisory added that “beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, ‘You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.’”

CyberAv3ngers has claimed responsibility for numerous attacks against critical infrastructure organizations, the advisory noted. “The group claimed responsibility for cyberattacks in Israel beginning in 2020. CyberAv3ngers has falsely claimed they compromised several critical infrastructure organizations in Israel. CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon,” it added.

The guidance disclosed that most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs. “The threat actors compromised Unitronics Vision Series PLCs with human-machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256. These PLCs and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative,” it added. 

Furthermore, with this type of access, deeper device and network level accesses are available and could render additional, more profound cyber-physical effects on processes and equipment, the advisory outlined. “It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.”

The agencies recommend that critical infrastructure organizations, including WWS sector facilities, improve the organization’s cybersecurity posture to defend against CyberAv3ngers activity. The mitigation actions align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) that provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. 

The hackers likely accessed the affected devices—Unitronics Vision Series PLCs with HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. 

To safeguard against this threat, the authoring agencies urge organizations to consider changing all default passwords on PLCs and HMIs and using strong passwords. They must also ensure that the Unitronics PLC default password is not in use, and disconnect the PLC from the public-facing internet.

Additionally, they must implement multi-factor authentication for access to the OT network whenever applicable. If remote access is required, then organizations must implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access and create strong backups of the logic and configurations of PLCs to enable fast recovery. They must also keep Unitronics and other PLC devices updated with the latest versions by the manufacturer, and confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment. 
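The two exposure facts the advisory leans on are that the affected PLCs listen on TCP port 20256 by default and that they were reachable from the public internet. A quick way to check whether a firewall or VPN is actually in front of the controllers is to audit perimeter flow logs for that port. The script below is an added example, not code from the advisory or from Unitronics: it parses a constructed, hypothetical flow-log format, treats only RFC 1918 sources as internal, and reports every PLC that accepted a connection on TCP/20256 from outside, plus attempts the firewall already blocked. The sample log lines and addresses are made up (TEST-NET ranges stand in for internet sources); adapt the regex to your own firewall's export format.

```python
"""Audit perimeter flow logs for internet exposure of PLCs on TCP/20256.

Added example (not from the advisory or the vendor). The log format,
addresses and sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# TCP port the advisory names as the default for Unitronics Vision Series PLCs.
PLC_PORT = 20256

# Assumption: anything outside RFC 1918 space is treated as "external".
# (ipaddress.is_private would also classify the TEST-NET addresses used
# below as non-global, so the check is spelled out explicitly.)
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <ACCEPT|DROP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>ACCEPT|DROP)\s*$"
)

# Constructed sample: two external hosts reach a PLC, one internal
# engineering station talks to it legitimately, one external attempt is
# dropped, one unrelated flow hits Modbus/502, and one line is garbage.
SAMPLE_LOG = """\
2023-11-22T03:14:07Z 203.0.113.45:51234 -> 10.20.30.5:20256 tcp ACCEPT
2023-11-22T03:14:09Z 198.51.100.9:40001 -> 10.20.30.5:20256 tcp ACCEPT
2023-11-22T03:15:00Z 10.20.40.12:33000 -> 10.20.30.5:20256 tcp ACCEPT
2023-11-22T03:15:31Z 203.0.113.45:51300 -> 10.20.30.6:20256 tcp DROP
2023-11-22T03:16:02Z 192.0.2.77:60000 -> 10.20.30.7:502 tcp ACCEPT
this line is malformed and must be skipped
"""


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one flow record; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # e.g. "999.1.1.1" matches the regex but is not an address
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "action": m["action"],
    }


def audit_plc_exposure(log_text: str) -> dict:
    """Return PLCs that accepted external TCP/20256 connections and blocked attempts.

    Result: {"exposed": {plc_ip: [external sources]},
             "blocked_external": {plc_ip: [external sources]}}
    """
    accepted = defaultdict(set)
    dropped = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != PLC_PORT:
            continue
        if is_internal(rec["src"]):
            continue  # engineering-station traffic from inside the OT network is expected
        bucket = accepted if rec["action"] == "ACCEPT" else dropped
        bucket[rec["dst"]].add(rec["src"])
    return {
        "exposed": {plc: sorted(srcs) for plc, srcs in accepted.items()},
        "blocked_external": {plc: sorted(srcs) for plc, srcs in dropped.items()},
    }


if __name__ == "__main__":
    report = audit_plc_exposure(SAMPLE_LOG)
    for plc, sources in report["exposed"].items():
        print(f"EXPOSED  {plc}:{PLC_PORT} accepted connections from {', '.join(sources)}")
    for plc, sources in report["blocked_external"].items():
        print(f"BLOCKED  {plc}:{PLC_PORT} external attempts from {', '.join(sources)}")
```

Any entry under "exposed" means the "disconnect from the public internet" and "firewall/VPN in front of the PLC" mitigations are not in effect for that controller; entries under "blocked_external" show the perimeter rule is working but that the device is still being probed.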

Although critical infrastructure organizations using Unitronics (including rebranded Unitronics) PLC devices can take steps to mitigate the risks, it is the responsibility of the device manufacturer to build products that are secure by design and by default. Device manufacturers should prioritize the security of their customers by implementing secure-by-design strategies.

By doing so, software manufacturers can ensure that their products are secure from the start, eliminating the need for customers to invest extra resources in configuring settings, purchasing additional security software, monitoring logs, and performing routine updates.

Apart from these mitigation measures, the agencies recommend exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. The agencies also recommend testing the organization’s existing security controls inventory to assess how those controls perform against the ATT&CK techniques.

Earlier this week, the CISA announced that it is responding to the active exploitation of Unitronics PLCs used in the water and wastewater systems (WWS) sector. The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with an HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.