WaterISAC would like to remind members that this activity is notable and action is urged as it highlights that we aren’t necessarily targets for who/where we are, but for what we have (data or components) and how accessible (vulnerable/exploitable) it is – regardless of the size of our organization or how many people we service.

Executive Summary

Late last night, the FBI, CISA, NSA, EPA, and INCD (Israel National Cyber Directorate) released a joint CSA, IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (Alert Code AA23-335A).

The CSA confirms additional investigations into similar activity impacting WWS across multiple U.S. states as what occurred at the Municipal Water Authority of Aliquippa (reported by WaterISAC on Monday, November 27, 2023 and updated on November 30, 2023, suggesting this was not an isolated incident).

According to the CSA, since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

Additional information

The threat actors attributed to this activity are still considered low-skilled actors using unsophisticated tactics, whom thus far represent a low-impact risk. However, this recent activity has become extremely high-profile and is bringing enormous and much needed attention to the larger issue of unsecured internet-connected PLCs (using default passwords and ports) across all critical infrastructure sectors.

WWS utilities that outsource SCADA support are urged to consult with integrators/support vendors to confirm/insist that recommended practices are being followed. Internet exposed PLCs are exceedingly trivial to discover and default passwords are widely known by attackers, making them easy to gain access to.

While it is understandable that there are many cybersecurity recommendations that are challenging, impractical, or impossible to implement in ICS environments (such as patching), these are not. Please review the advisory and its mitigations and address accordingly.

Hopefully, with the “secure-by-design” efforts, the default password vulnerability will become a thing of the past. Until then, it’s up to asset owners and their advocates, integrators, and other support vendors to make sure default passwords (and ports) do not get deployed in production environments, or worse, directly connected to the internet.

What you need to know

• This activity is being attributed to the Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors using the persona “CyberAv3ngers” (also known as CyberAveng3rs, Cyber Avengers).
• CyberAv3ngers are actively targeting and compromising Israeli-made Unitronics Vision Series PLCs that are publicly exposed to the internet, through the use of default passwords.
  • Note that the PLCs may be rebranded and appear as different manufacturers and company names.
• These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare.

What you need to do

Please do not dismiss or defer this advisory and its recommendations and mitigations. The importance of identifying ALL internet exposed PLCs (not just Unitronics) and addressing the recommendations accordingly – to include reverting to manual plant operations if you are unable to remotely access your PLCs securely – cannot be stressed enough.

• Assess all PLCs in your environment for the vulnerabilities (e.g., exposed to the internet and using default passwords and ports) previously provided and discussed in the current CSA Alert Code AA23-335A.
• Check for and change default passwords across all PLCs. Per the previously shared CISA Alert Tuesday evening, threat actors are leveraging default passwords that have not been changed after deployment to gain access to impacted devices. Again, as a generally recommended practice, default passwords should be changed on every device or component active in your networks (OT or IT).
• Refrain from connecting (all) PLCs to the internet. If remote access is not necessary, a PLC connected to the internet represents an unnecessary risk to safety, availability, and control of your SCADA environment.
  • However, if remote access is absolutely necessary, it is important that at a minimum, it securely sits behind a firewall and/or requires a VPN to access.
  • Additionally, MFA should be implemented, at the very least on the VPN (if the PLC doesn’t support MFA).
• Change the PLC default communications port. If possible, utilize an alternate TCP port for communications to the PLC. For the Unitronics PLCs, threat actors are probing the default port TCP 20256.
• Review the current joint CSA. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (Alert Code AA23-335A) for additional resources, details, and salient recommendations and address accordingly.
• Register for the upcoming EPA webinar on December 6, 2023 at 2-3 pm ET: Unitronics Programmable Logic Controllers Hacked at US Water and Wastewater Systems - Understand the Threat and How to Protect Your Utility
  • Speakers from the US Environmental Protection Agency (EPA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) will provide important updates on the recent hacking of Unitronics Programmable Logic Controllers (PLCs) at US Water and Wastewater Systems, including recommended mitigations and cybersecurity best practices utilities can implement to protect against this threat. 
  • Register: https://events.gcc.teams.microsoft.com/event/a649608f-20b3-4906-a541-4e335bf3437b@88b378b3-6748-4867-acf9-76aacbeca6a7?utm_medium=email&utm_source=govdelivery
• Report suspicious, malicious, and criminal activity to someone!
  • All organizations should report activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
  • The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
  • Additionally, the WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form.
  • State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).