(TLP:CLEAR) A Deep Dive into the Iranian-Backed CyberAv3ngers

TLP:CLEAR

Author: Chase Snow

Created: Wednesday, April 16, 2025 - 16:08

Categories: Cybersecurity, OT-ICS Security, Security Preparedness

Summary: Wired recently published a deep dive into the Iranian state-backed hacktivist group known as the CyberAv3ngers, stating “The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government’s most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure.” The article gives an overview of the group’s history of targeting critical infrastructure and analyzes its tactics and capabilities.

Analyst Note: The CyberAv3ngers are best known in the water sector for compromising and defacing Unitronics PLCs across several U.S.-based water and wastewater utilities, as in the incident at the Municipal Water Authority of Aliquippa in November 2023. These attacks brought awareness to glaring gaps in the security of ICS devices and demonstrated how geopolitical conflicts can have direct effects on the water and wastewater sector.

Wired’s analysis indicates that the CyberAv3ngers are recognized as a serious state-backed threat actor. While no recent attacks linked to the group have targeted the water sector, this past December the group employed sophisticated tactics, including the development of the IOControl malware used to infiltrate industrial control systems and Internet of Things (IoT) devices globally. Members are encouraged to remain vigilant by reviewing the group’s tactics and ensuring PLC devices are properly secured.

Original Source: https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-industrial-systems/

Additional Reading:

  • Inside a New IoT/OT Cyberweapon: IOCONTROL

Mitigation Recommendations:

  • WaterISAC Advisory: (TLP:CLEAR) CISA and Partners Confirm Additional Activity into Exploitation of Unitronics PLCs Across the U.S. Water and Wastewater Sector

Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 9, 10, 10.2, 12
