Dragos details hacktivist cyber operations targeting critical infrastructure on the rise

Industrial cybersecurity company Dragos released a comprehensive research analysis of hacktivist cyber operations since the start of the Ukraine-Russia and Israel-Hamas conflicts. Several hacktivist groups have come out of the woodwork during the Israel-Hamas conflict, and the Cyber Av3ngers is one such group. The analysis finds that the overlap between cyber threats and regional kinetic events has never been more evident than throughout 2023, as cyber adversaries conduct both targeted and opportunistic operations against critical infrastructure.

“Less sophisticated hacktivists, motivated by notoriety and drawing global attention to social and geopolitical events, have used both conflicts to spread misinformation, fear, uncertainty, and doubt (FUD) about industrial organizations’ resilience to cyber attacks and their ability to maintain critical services people rely on,” Dragos identified in its Thursday blog post.

Addressing the Cyber Av3ngers group, Dragos said it was first observed in early September 2023 claiming to have successfully disrupted Israel Railway’s network systems – a claim Dragos Threat Intelligence later assessed as false. “A few weeks later, in early October 2023, the Cyber Av3ngers made additional claims of successful disruptive cyber attacks against an Israeli power grid and a small Israeli city (Yavne).”

As with the Israel Railway claim, Dragos Threat Intelligence assessed the October 2023 claims as ‘false or grossly exaggerated.’ During the same period, the company added, “the Cyber Av3ngers posted on their Telegram channel they would be targeting Israeli technology companies.”

“When a municipal water authority in the United States disclosed that the Cyber Av3ngers hacktivist group had compromised OT assets within their environment on or around November 25, 2023, it goes without saying that Dragos Threat Intelligence was a bit skeptical,” the post detailed. “However, after investigating the incident further, it was clear that Cyber Av3ngers had indeed successfully accessed one of the water authority’s Unitronics programmable logic controller (PLC) devices and altered the device’s menu page with anti-Israel commentary.”

Dragos added that the attacks against Unitronics devices are rooted in the conflict in Israel, and there is no indication that Cyber Av3ngers were targeting one specific region or industry sector. 

The Hanover, Maryland-headquartered company said that the initial infection vector is not fully understood, though Dragos Threat Intelligence suspects the Cyber Av3ngers ‘utilized basic techniques to scan the internet, identify accessible Unitronics devices, and then tried to log in using default credentials, which can be found in online Unitronics operating manuals.’

“The downstream impacts to organizations by this intrusion will vary depending on the type of organization and what dependencies exist for the Unitronics devices, but at this time, Dragos Threat Intelligence is unaware of any significant downstream impacts,” the blog added. However, “we have identified multiple global industry sectors that have Unitronics devices deployed within OT environments. It stands to reason that the Cyber Av3ngers could opportunistically try to gain access to as many Unitronics devices as possible.”

Last week, the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) published a cybersecurity advisory. The document drew attention to ongoing malicious cyber activity targeting operational technology (OT) devices. Specifically, the advisory focuses on the actions of Advanced Persistent Threat (APT) cyber hackers affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).

Ahead of this advisory, CISA said that it is responding to the active exploitation of Unitronics PLCs used in the water and wastewater systems (WWS) sector. The agency also provided a number of mitigation measures that critical infrastructure asset owners and operators can deploy to reduce the impact on their infrastructure.

Dragos further recommends implementing the 5 Critical Controls for World-Class OT Cybersecurity to defend against these types of attacks. These include ensuring that the company has an OT incident response plan in place that is tested frequently, and making sure all ICS (industrial control system) assets are hardened and appropriately segregated from other non-ICS/OT networks. A successful OT security posture is dependent on visibility and monitoring of critical ICS assets, including vulnerability maps, and mitigation plans for each component. 

Additionally, remote access should be secured with multi-factor authentication (MFA) and only made available to those who need it based on the actions they need to take. Organizations that have ICS assets within their environment need to know which technologies are vulnerable and have a plan to manage those vulnerabilities.
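The suspected intrusion path described above (scanning the internet for reachable Unitronics devices, then logging in with default credentials) and the controls Dragos recommends (segmentation, visibility and monitoring of ICS assets, and remote access limited to those who need it) can both be checked against perimeter firewall logs. The following Python script is an added example, not code from Dragos, CISA or this article: it parses constructed firewall log lines and flags accepted connections from outside the organization to PLC service ports, internal sources that are not on the engineering-workstation allowlist, and any source that touches several PLCs in sequence, which is what an opportunistic internet scan looks like from the inside. The log format, the internal address ranges, the allowlist and every address in the sample are assumptions; ports 20256 (Unitronics PCOM over TCP) and 502 (Modbus/TCP) are well-known service ports that the article itself does not name.

```python
"""Audit firewall logs for internet-exposed PLCs, unapproved internal access and scan-like sources.

Added example for this article; the log format and all addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# PLC service ports assumed for this example (the article names none):
# 20256 is the Unitronics PCOM/TCP default, 502 is Modbus/TCP. Adjust to the local inventory.
PLC_PORTS = {20256: "unitronics-pcom", 502: "modbus-tcp"}

# Hypothetical engineering hosts that are allowed to reach PLCs at all (least-privilege access).
PLC_ACCESS_ALLOWLIST = {"10.20.0.5"}

# The organization's own ranges. An explicit list is used rather than ipaddress.is_private
# because that property also treats the TEST-NET documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log syntax, not any vendor's real format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one outside source sweeping three PLCs, one legitimate engineering
# workstation, a second outside source reaching Modbus, an internal host that is not
# allowlisted, and an unrelated HTTPS connection that must be ignored.
SAMPLE_LOG = """\
2023-11-25T03:14:07Z fw ALLOW proto=tcp src=203.0.113.45:51022 dst=10.20.0.15:20256
2023-11-25T03:14:09Z fw ALLOW proto=tcp src=203.0.113.45:51023 dst=10.20.0.16:20256
2023-11-25T03:14:11Z fw DENY proto=tcp src=203.0.113.45:51024 dst=10.20.0.17:20256
2023-11-25T03:15:00Z fw ALLOW proto=tcp src=10.20.0.5:44000 dst=10.20.0.15:20256
2023-11-25T03:16:30Z fw ALLOW proto=tcp src=198.51.100.7:6000 dst=10.20.0.15:502
2023-11-25T03:17:00Z fw ALLOW proto=tcp src=10.20.0.99:50111 dst=10.20.0.16:20256
2023-11-25T03:18:00Z fw ALLOW proto=tcp src=203.0.113.45:51030 dst=10.20.0.30:443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_plc_access(log_text, allowlist=PLC_ACCESS_ALLOWLIST, scan_threshold=3):
    """Return three findings lists built from the log text.

    internet_exposed:    accepted connections from outside the organization to a PLC port
    unapproved_internal: accepted internal connections from hosts not on the allowlist
    scan_like_sources:   sources that touched >= scan_threshold distinct PLC hosts (ALLOW or DENY)
    """
    internet_exposed = []
    unapproved_internal = []
    touched = defaultdict(set)  # source address -> PLC hosts it attempted to reach
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["dport"] not in PLC_PORTS:
            continue  # not a PLC service port, or unparseable
        touched[ev["src"]].add(ev["dst"])  # denied attempts still count toward scan detection
        if ev["action"] != "ALLOW":
            continue
        if is_external(ev["src"]):
            internet_exposed.append(ev)
        elif ev["src"] not in allowlist:
            unapproved_internal.append(ev)
    scan_like = sorted(src for src, hosts in touched.items() if len(hosts) >= scan_threshold)
    return {
        "internet_exposed": internet_exposed,
        "unapproved_internal": unapproved_internal,
        "scan_like_sources": scan_like,
    }


if __name__ == "__main__":
    report = audit_plc_access(SAMPLE_LOG)
    for ev in report["internet_exposed"]:
        print(f"EXPOSED   {ev['dst']}:{ev['dport']} ({PLC_PORTS[ev['dport']]}) reached from {ev['src']}")
    for ev in report["unapproved_internal"]:
        print(f"UNAPPROVED {ev['src']} -> {ev['dst']}:{ev['dport']} not on engineering allowlist")
    for src in report["scan_like_sources"]:
        print(f"SCAN-LIKE  {src} touched {len(set())} or more PLC hosts" if False else f"SCAN-LIKE  {src}")
```

Any entry in `internet_exposed` means a PLC service port is reachable from the internet and should be moved behind a firewall or VPN with MFA, regardless of whether the device's password is still the vendor default; `unapproved_internal` entries are segmentation gaps between the ICS network and other corporate hosts; and `scan_like_sources` gives an incident responder the addresses to look for across the rest of the estate.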

Last month, Dragos assessed with high confidence that in the fourth quarter of this year, ransomware will continue to opportunistically attack industrial organizations, which will have varying operational disruptions. While there has been a slight decrease in reported ransomware incidents compared to the previous quarter, the impact remains significant. These incidents are known to harm the affected industrial entities as well as to have ripple effects on related sectors and affiliated companies.
