U.S. federal agencies have confirmed the Iranian threat group that breached a Pennsylvanian water authority pump station controller also compromised similar systems at facilities in other states.
The Municipal Water Authority of Aliquippa (MWAA) was forced to temporarily shut down one of its remote pump stations, supplying two towns, following an Oct. 25 attack on a programmable logic controller (PLC) used to regulate water pressure.
The PLC, manufactured by Israeli company Unitronics, is commonly used in water and wastewater facilities, and in industrial plants across a range of other industries.
The attack was carried out by Cyber Av3ngers, an advanced persistent threat (APT) group linked to the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The towns’ water supply was unaffected by the attack, but the APT group left a message on the PLC console which read: “Every equipment ‘made in Israel’ is Cyber Av3ngers legal target”.
An identical message was left on a Unitronics PLC at Pittsburgh’s Full Pint Beer brewery which was also hacked over Thanksgiving weekend. MWAA chairman Matthew Mottes was reported saying authorities told him four other utilities and a public aquarium were also hacked.
Feds confirm gang hit ‘multiple’ facilities
The occurrence of multiple attacks was confirmed in a Dec. 1 joint cybersecurity advisory released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD).
“The victims span multiple U.S. states,” the advisory said, although it did not name any, other than the MWAA, or confirm how many there were.
The agencies said Unitronics PLCs and related controllers were often exposed to the internet because they were commonly used in situations where remote control and monitoring was required.
The Cyber Av3ngers attacks were centered around defacing the controller’s user interface and possibly rendering the PLC inoperative, but it was conceivable further network access could have been gained, they said.
“It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.”
Hackers take advantage of default passwords
The breached devices were using the default Unitronics PLC password (“1111”) and the default port (20256), the advisory said.
The agencies said organizations should change all default passwords on PLCs and human machine interfaces (HMIs) use strong passwords and implement multifactor authentication for access to operational technology networks.
“If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.”
They said organizations should create strong backups of the logic and configurations of PLCs to enable fast recovery.
“Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity.”
Lawmakers call for inquiry
In a Nov. 28 letter to U.S. Attorney General Merrick Garland, Pennsylvania Congressman Chris Deluzio and the state’s Senators, Bob Casey and John Fetterman, called for the Department of Justice to investigate the MWAA attack.
“Any attack on our nation’s critical infrastructure is unacceptable. If a hack like this can happen here in Western Pennsylvania, it can happen elsewhere in the United States,” the letter said.
“Folks in Pennsylvania and across the country deserve peace of mind that basic infrastructure such as their drinking water is safe from nation-state adversaries and terrorist organizations.”
In October the EPA withdraw its guidance requiring cybersecurity audits for water utilities across the country following a lawsuit filed by Arkansas, Iowa, and Missouri, and supported by trade groups.
“EPA continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water,” the agency said in a memo confirming the withdrawal of its guidance. “Cybersecurity attacks on water and wastewater systems occur frequently and are a significant threat to their operations.”
