The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed Iran’s Islamic Revolutionary Guard Corps (IRGC) is behind a series of recent strikes against water plants.
The IRGC’s “CyberAv3ngers” persona was blamed for the attacks against Unitronics programmable logic controllers (PLCs), in a joint advisory from CISA, the FBI, the NSA, the Environmental Protection Agency (EPA) and the Israel National Cyber Directorate (INCD).
The PLCs are commonly used by organizations operating in the Water and Wastewater Systems (WWS) Sector, as well as by energy, food and beverage manufacturing and healthcare firms, the advisory added.
The IRGC appears to have targeted the devices because Unitronics is an Israeli manufacturer.
“Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices,” the advisory noted.
“The IRGC-affiliated cyber actors left a defacement image stating, ‘You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.’ The victims span multiple US states.”
An update from the UK’s National Cyber Security Centre (NCSC) on Friday indicated that critical infrastructure in that country may also be at risk from such attacks, although it claimed the risk was minimal, confined to small providers and unlikely to cause any disruption to water supply.
The devices which were compromised in the US “were publicly exposed to the internet with default passwords and by default are on TCP port 20256,” CISA confirmed.
Critical infrastructure providers were urged to change all default passwords on Unitronics devices and disconnect the PLCs from the public internet. CISA said they should also add multi-factor authentication (MFA), create regular backups, keep PLCs on the latest firmware version and install a firewall in front of the PLC to control access.
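The exposure condition CISA describes (a PLC reachable from the internet on its default TCP port, 20256) is something a defender can check for in existing firewall or flow logs. The script below is an added example, not part of the advisory or of any Unitronics tooling: it parses a constructed flow-log format, keeps only TCP connections to port 20256, and reports those whose source falls outside an allowlist of engineering subnets (here an assumed 10.20.0.0/24). Hits the firewall already denied are reported at low severity, so the output also shows whether the recommended firewall in front of the PLC is doing its job.

```python
"""Report PLC-port access from outside an engineering allowlist.

Added example (not from the CISA advisory or Unitronics). Log format, sample
lines and the 10.20.0.0/24 engineering subnet are constructed for this demo.
"""
import ipaddress
import re

PLC_PORT = 20256  # default Unitronics PLC port named in the advisory

# Constructed sample records (IPv4 only). 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges standing in for internet sources.
SAMPLE_LOG = """\
2023-11-25T10:01:02Z proto=tcp src=203.0.113.45:51234 dst=10.20.0.7:20256 action=allow
2023-11-25T10:01:05Z proto=tcp src=10.20.0.15:40001 dst=10.20.0.7:20256 action=allow
2023-11-25T10:02:10Z proto=tcp src=198.51.100.9:55000 dst=10.20.0.7:20256 action=deny
2023-11-25T10:03:00Z proto=tcp src=203.0.113.45:51235 dst=10.20.0.7:443 action=allow
2023-11-25T10:04:00Z proto=udp src=192.0.2.8:1234 dst=10.20.0.7:20256 action=allow
this line is not a flow record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one flow record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unexpected_plc_access(log_text, allowed_sources=(), plc_port=PLC_PORT):
    """Return TCP flows to plc_port whose source is outside allowed_sources.

    Severity is "high" when the firewall allowed the flow (the PLC port was
    actually reached from an unexpected source) and "low" when it was denied
    (the firewall in front of the PLC worked, but the attempt is still visible).
    With an empty allowlist every source is treated as unexpected.
    """
    allow_nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != plc_port:
            continue
        src = ipaddress.ip_address(rec["sip"])
        if any(src in net for net in allow_nets):
            continue  # engineering workstation or jump host: expected traffic
        findings.append({
            "ts": rec["ts"],
            "src": str(src),
            "dst": rec["dip"],
            "action": rec["action"],
            "severity": "high" if rec["action"] == "allow" else "low",
        })
    return findings


def summarize_by_source(findings):
    """Count findings per source address, for triage."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unexpected_plc_access(SAMPLE_LOG, allowed_sources=("10.20.0.0/24",))
    for f in hits:
        print(f"{f['severity']:4} {f['ts']} {f['src']} -> {f['dst']}:{PLC_PORT} ({f['action']})")
    print(summarize_by_source(hits))
```

Matching on an explicit allowlist rather than on "is this address public" is deliberate: a PLC network should only ever see the engineering hosts that are supposed to manage it, so any other source, internal or external, is worth a look. A "high" finding from the real logs means the port is reachable despite the advisory's guidance to take these devices off the public internet.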