(TLP:CLEAR) Joint Cybersecurity Advisory Update – Nation-State Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities

Author: Chase Snow

Created: Thursday, December 19, 2024 - 14:40

Categories: Cybersecurity, General Security and Resilience, OT-ICS Security

Yesterday, CISA and other federal and international partners released notable updates to the Joint Cybersecurity Advisory (CSA) “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities” originally published December 1, 2023. See WaterISACs original analysis of this joint CSA.

Due to the risk IRGC-affiliated actors pose to the water sector, members are urged to review the updated advisory and the newly observed TTPs employed by IRGC-affiliated actors. In November last year, the Municipal Water Authority of Aliquippa was attacked by the Iranian-backed cyber group known as CyberAv3ngers who exploited vulnerabilities in Israeli-made Unitronics PLCs and were reportedly able to gain control of a remote booster station serving two townships. Numerous other water and wastewater utilities were attacked as well, which WaterISAC tracked in its Quarterly Water Sector Incident Summary reports.

The joint agencies are releasing this updated joint advisory to warn network defenders of continued malicious cyber activity by IRGC-affiliated APT cyber actors. This joint advisory provides TTPs obtained from extensive FBI investigation on this activity.

Notable updates to the advisory include:

New information on the extent of the activity, including newly observed TTPs employed by IRGC-affiliated APT cyber actors targeting U.S. and global critical infrastructure.
Mapping of these newly observed TTPs to additional MITRE ATT&CK® Tactics and Techniques.
New recommended mitigations that organizations should take to protect their infrastructure, based on the new TTPs.

Access the full joint advisory at CISA.

Additional Resources: