IRGC-Affiliated Cyber Actors Target Critical U.S. Infrastructure

A joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) describes ongoing malicious cyber activity against operational technology (OT) devices by Advanced Persistent Threat (APT) actors affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC).

The IRGC’s Cyber Campaign

The IRGC, designated a foreign terrorist organization by the United States in 2019, has been targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) with integrated human machine interfaces (HMIs). These PLCs are widely used in the Water and Wastewater Systems (WWS) Sector and are also common in energy, food and beverage manufacturing, and healthcare. The same hardware is also sold rebranded under other manufacturers' and integrators' names, so an affected device will not necessarily carry the Unitronics label.

Scope of the Cyber Attacks

Since at least November 22, 2023, these IRGC-affiliated actors have been compromising Unitronics devices that were reachable from the internet and still used the factory default password. On compromised devices the actors left a defacement image reading, "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." Victims span multiple U.S. states. The authoring agencies urge all organizations, especially those operating critical infrastructure, to apply the recommended mitigations to reduce the risk of compromise.

Tactics, Techniques, and Procedures (TTPs)

The advisory provides indicators of compromise (IOCs) and TTPs associated with these operations. The intrusion technique is not sophisticated: the actors logged in to internet-exposed Unitronics devices using the vendor's default credentials, which is the weakness the advisory's mitigations are built around. A compromised PLC is recognizable by the defacement message displayed on its HMI screen, and operators should assume that logic and configuration on such a device may also have been altered.

Mitigation Recommendations

The authoring agencies recommend several immediate and follow-on steps to strengthen security postures against these threats. These include changing all default passwords on PLCs and HMIs to strong unique passwords, disconnecting PLCs from the public-facing internet, placing a firewall or VPN in front of any PLC that genuinely requires remote access, implementing multifactor authentication for access to the OT network wherever it is supported, changing the default TCP port 20256 used by the Unitronics PCOM protocol, updating PLC and HMI firmware to the latest version provided by Unitronics, and creating backups of PLC logic and configurations so that a defaced or tampered device can be restored quickly.
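The following is an added example, not part of the advisory or the article, showing how an operator might turn the two mitigations above that are easiest to verify mechanically (no default password, no PCOM exposure to the internet) into a repeatable audit. The inventory records, the firewall log lines, and the key=value log format are constructed for illustration; the internal address ranges, the field names and the record layout are assumptions, not any vendor's real format. Only the PCOM port 20256 and the default password 1111 come from the advisory.

```python
"""Audit helpers for two of the advisory's mitigations: no default passwords on
PLCs/HMIs, and no PCOM/TCP exposure to the internet.  Added example with
constructed data; the log format and address ranges are assumptions."""
import ipaddress
from dataclasses import dataclass

PCOM_PORT = 20256              # default Unitronics PCOM/TCP port named in the advisory
DEFAULT_PLC_PASSWORD = "1111"  # factory default the advisory says was exploited

# Address ranges the operator controls (assumed values); anything else is treated
# as the internet.  An explicit allowlist is used instead of an "is it RFC 1918?"
# heuristic so that routed vendor or cellular ranges cannot pass as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.100.0/24")]


@dataclass
class PlcRecord:
    name: str
    address: str
    password: str
    internet_reachable: bool
    has_logic_backup: bool


def audit_plc(rec: PlcRecord) -> list:
    """Return the advisory mitigations that this PLC record still violates."""
    findings = []
    if rec.password == DEFAULT_PLC_PASSWORD:
        findings.append("default password 1111 still set")
    if rec.internet_reachable:
        findings.append("reachable from the public internet")
    if not rec.has_logic_backup:
        findings.append("no backup of PLC logic/configuration")
    return findings


def is_external(ip: str) -> bool:
    """True when the address is outside every operator-controlled range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_fw_line(line: str) -> dict:
    """Parse 'key=value' tokens; tokens without '=' (e.g. the timestamp) are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def pcom_from_internet(log_lines, plc_addresses):
    """Flag connections to a PLC's PCOM port whose source lies outside INTERNAL_NETS.
    Denied connections are kept too: they show who is probing for exposed PLCs."""
    hits = []
    for line in log_lines:
        f = parse_fw_line(line)
        if f.get("dst") not in plc_addresses:
            continue
        if int(f.get("dport", -1)) != PCOM_PORT:
            continue
        if is_external(f["src"]):
            hits.append((f["src"], f["dst"], f.get("action", "?")))
    return hits


# Constructed sample inventory and firewall log (not real devices or traffic).
INVENTORY = [
    PlcRecord("booster-pump-1", "10.20.30.10", "1111", True, False),
    PlcRecord("chlorine-dosing", "10.20.30.11", "x7!Kq2#mL9", False, True),
]
FW_LOG = [
    "2023-11-25T03:14:07Z src=203.0.113.8 dst=10.20.30.10 dport=20256 action=allow",
    "2023-11-25T03:14:09Z src=10.20.5.4 dst=10.20.30.10 dport=20256 action=allow",
    "2023-11-25T03:15:30Z src=198.51.100.23 dst=10.20.30.11 dport=20256 action=deny",
    "2023-11-25T03:16:00Z src=203.0.113.8 dst=10.20.30.10 dport=443 action=allow",
]


def run_audit():
    """Return (per-PLC findings, external PCOM connection hits) for the sample data."""
    report = {rec.name: audit_plc(rec) for rec in INVENTORY}
    exposure = pcom_from_internet(FW_LOG, {r.address for r in INVENTORY})
    return report, exposure


if __name__ == "__main__":
    report, exposure = run_audit()
    for name, findings in report.items():
        print(name, "->", findings or ["ok"])
    for src, dst, action in exposure:
        print(f"PCOM from internet: {src} -> {dst}:{PCOM_PORT} ({action})")
```

In practice the inventory would come from the asset register and the log lines from the perimeter firewall; the point of the exposure check is that any external source reaching port 20256, allowed or denied, means the PLC is discoverable from the internet and should be moved behind a firewall or VPN regardless of what password it has.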

Device Manufacturers’ Responsibilities

The advisory also addresses device manufacturers. It urges them to build products that are secure by design and by default: not shipping devices with a default password, requiring a unique strong password to be set before the device is put into service, and supporting multifactor authentication.

Conclusion: A Call for Heightened Security Measures

This advisory underscores the need for basic security hygiene in critical infrastructure sectors. The campaign against U.S. water and wastewater facilities did not rely on novel exploitation; it succeeded because PLCs were exposed to the internet with factory default passwords. Operators who inventory their OT devices, remove them from direct internet exposure, change default credentials, and keep restorable backups of PLC logic remove the conditions this campaign depends on.