At a glance.
- Iranian hacktivists claim an attack on a Pennsylvania water utility.
- PLC exploitation indicates "significant escalation."
- CISA and the WaterISAC respond to the Aliquippa cyberattack.
- Attacks on PLCs formally attributed to Iran.
- GPS interference is attributed to Iran.
- Chinese operators intrude into infrastructure.
- Kyivstar sustains disruptive cyberattack.
- Attacks against infrastructure operators hit business systems.
- Sandworm activity puts European power utilities on alert.
- Threats to manufacturing.
- HM Government denies reports of cyber incident at Sellafield nuclear site.
- Cyber phases of hybrid wars spread beyond the theaters of operation.
Iranian hacktivists claim an attack on a Pennsylvania water utility.
The Municipal Water Authority of Aliquippa, Pennsylvania, confirmed that the Iranian hacktivist group, the CyberAv3ngers, had taken control of one of the local water utility's booster stations. The attack affected a station that monitors and regulates pressure for Raccoon and Potter Townships. KDKA (CBS News Pittsburgh) reported that the attack immediately tripped an alarm, and that neither the safety nor the availability of the townships' water was affected. The attackers displayed a message on the station's monitors expressing their political purpose: "You have been hacked Down with Israel Every equipment 'made in Israel' is Cyber Aveng3rs legal target" (sic). The utility uses a control system provided by Unitronics, an Israeli company. The BeaverCountian reports that operators responded to the alarm by reverting to manual control.
The CyberAv3ngers have claimed attacks on utilities before, but those utilities have been in Israel. In October they claimed to have attacked closed circuit television systems at the national water company, MEKOROT. That month they also claimed, falsely, to have compromised the Dorad power station, also in Israel. The Pennsylvania attack indicates an expansion of the group's activities.
PLC exploitation indicates "significant escalation."
The US FBI has characterized the exploitation of widely used PLCs, most notoriously at the Aliquippa Municipal Water Authority in Pennsylvania, as a "significant escalation" in cyberattacks linked to Iran, the Pittsburgh Post-Gazette reports. The attack on the water systems was apparently a simple defacement attack delivered in support of Hamas (the PLCs exploited were made in Israel), but "It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved."
Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, framed the attack as part of a larger problem with cyber threat actors. “Some pretty basic practices would have made a big difference there,” she said Friday, C4ISRNet reports. “We need to be locking our digital doors. There are significant criminal threats, as well as capable countries — but particularly criminal threats — that are costing our economy a lot.” She declined to say whether the attack by the CyberAv3ngers presaged more destructive cyberattacks from Iran.
CISA and the WaterISAC respond to the Aliquippa cyberattack.
The US Cybersecurity and Infrastructure Security Agency (CISA) confirms that the systems exploited in the weekend attack on the Municipal Water Authority of Aliquippa were Unitronics programmable logic controllers (PLCs). In general, CISA explains, PLCs are used in the water and wastewater sector to "control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations." CISA urges water utilities using Unitronics PLCs to take the following protective measures:
- "Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
- "Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
- "Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.
- "Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
- "If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
- "Update PLC/HMI to the latest version provided by Unitronics."
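Several of CISA's recommendations (keep the PLC off the open internet, put a firewall or VPN gateway in front of it, watch for probing of TCP 20256) can be turned into a routine audit of firewall flow logs. The following is an added example written for this digest, not code from CISA or Unitronics: it parses constructed key=value flow records, and flags PCOM/TCP connections to the OT subnet that arrive from outside the organisation's address space, from an IT host that bypasses the approved gateway, or that were blocked but show the port is being probed. The OT subnet, the gateway address, the log format and the sample addresses (drawn from RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Default PCOM/TCP port for Unitronics PLCs, as named in the CISA guidance above.
PCOM_TCP_PORT = 20256

# Hypothetical network layout (assumptions for this example, not from the advisory).
OT_SUBNET = ipaddress.ip_network("192.168.10.0/24")        # where the PLCs sit
APPROVED_GATEWAYS = {ipaddress.ip_address("10.0.5.12")}    # VPN/firewall gateway enforcing MFA
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall flow records (sample data, not real logs). External addresses
# come from RFC 5737 documentation ranges so the sample points at nobody.
SAMPLE_FLOWS = [
    "2023-11-25T02:14:07Z src=203.0.113.45 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T02:14:09Z src=203.0.113.45 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T02:15:30Z src=10.0.5.12 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T02:16:00Z src=192.168.10.5 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T02:17:12Z src=198.51.100.9 dst=192.168.10.20 dport=443 proto=tcp action=allow",
    "2023-11-25T02:18:44Z src=198.51.100.77 dst=192.168.10.21 dport=20256 proto=tcp action=deny",
    "2023-11-25T02:19:03Z src=10.20.1.33 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"],
        "action": d["action"],
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_RANGES)


def classify_flow(flow):
    """Return (severity, reason) for a flow that needs attention, else None."""
    if flow["proto"] != "tcp" or flow["dport"] != PCOM_TCP_PORT or flow["dst"] not in OT_SUBNET:
        return None
    src = flow["src"]
    if flow["action"] == "deny":
        # A blocked probe is still evidence that the PCOM port is being hunted for.
        return ("info", f"blocked PCOM/TCP probe from {src} toward {flow['dst']}")
    if not is_internal(src):
        return ("critical", f"PLC {flow['dst']} reachable on PCOM/TCP from outside ({src})")
    if src in OT_SUBNET or src in APPROVED_GATEWAYS:
        return None
    return ("high", f"PCOM/TCP to {flow['dst']} from IT host {src} bypassing the VPN gateway")


def audit_flows(lines):
    """Run the classifier over raw log lines and collect (timestamp, severity, reason)."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify_flow(flow)
        if verdict is not None:
            findings.append((flow["ts"], verdict[0], verdict[1]))
    return findings


def summarize(findings):
    """Count findings per severity, handy for a daily report line."""
    return Counter(severity for _, severity, _ in findings)


if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for ts, severity, reason in results:
        print(f"{ts} [{severity}] {reason}")
    print(dict(summarize(results)))
```

The "critical" class is the condition CISA's first three recommendations are meant to eliminate; if a site has changed the PLC's listening port as the advisory suggests, set PCOM_TCP_PORT to the new value and treat any remaining traffic to 20256 as probing.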
The WaterISAC's public discussion of the incident is based on open-source news reports, which they summarize with due concern and without much elaboration. The ISAC does express one animadversion: "Of note, the news site has posted an image stating it was submitted by the water authority. The image suggests the attacker’s message is displayed on the system that was compromised with the Unitronics device and model (V570). While there’s generally nothing wrong with providing attackers messages to the media, perhaps better operational security should be maintained by cropping the image to omit the device and model or other key data."
Attacks on PLCs formally attributed to Iran.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) released a joint Cybersecurity Advisory (CSA): IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors. The Joint Advisory amplifies guidance issued earlier this month in response to disclosures of the exploitation of a Unitronics programmable logic controller at certain water treatment facilities in the United States. The renewed warning is noteworthy on at least four counts:
- It unambiguously attributes the attacks to Iran's Islamic Revolutionary Guard Corps (IRGC).
- It says that "several" water systems in the US have come under attack.
- It notes that the risk is not confined to the water and wastewater sector. ("These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies.")
- It calls out the manufacturer of the PLCs for the poor practice of shipping devices with default passwords and failing to require that these be reset upon installation.
The Joint Advisory notes, as others have, that the IRGC "persona" claiming responsibility for the attacks, the CyberAv3ngers, has a record of exaggerated claims, but it reviews some of the group's activity, both bad and bogus, over the past three months:
- "Between September 13 and October 30, 2023, the CyberAv3ngers Telegram channel displayed both legitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.
- "On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, majority of these claims were proven false. The group claimed to use a ransomware named “Crucio” against servers where the webcams camera software operated on port 7001.
- "Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, 'You have been hacked, down with Israel. Every equipment "made in Israel" is Cyberav3ngers legal target.'”
The UK's National Cyber Security Center (NCSC) has endorsed the US Cybersecurity and Infrastructure Security Agency's (CISA's) warning on Iranian exploitation of Unitronics PLCs, adding a note of reassurance: "The exploitation is of limited sophistication, and is highly unlikely to cause any disruption to the routine supply of water. There is a very low potential risk, if the threat is unmitigated, to some small suppliers. As such, the NCSC is encouraging organisations using Unitronics PLCs to follow the steps outlined in CISA's cyber security advisory."
That said, the activity represents a significant threat to the industrial control system supply chain. Unitronics PLCs are widely used in a range of sectors that extend far beyond water treatment and distribution systems. The company lists these categories of applications for their PLCs: "Pumps, Water/Waste Waters, Packaging, Manufacturing, Medical, Food & Beverage, Material Processing, Oil & Gas, Power & Energy, Automotive, Building Automation, Miscellaneous, Education, Refrigeration, Printing, [and] Textiles."
We might add breweries to the list. Another attack has surfaced, also in Pennsylvania, in which a Unitronics PLC was hacked to display the same message that appeared on the Aliquippa water system's controller. SentinelOne observes, "The Full Pint Beer brewery in Pittsburgh shared images on social media on 28th November showing similar defacement of a Unitronics PLCs in use as part of their control system." If taken at face value, as the messages probably should be, the target is Israel. Why that targeting should have manifested itself so specifically in Western Pennsylvania is unclear. CyberScoop says that there are signs of other attacks on US water systems, but that so far those remain in the "single digits."
Reports of more Iranian cyberattacks against US infrastructure.
Other groups have also hit users of Israeli equipment. According to the Register, at least three other Iranian-affiliated groups have claimed similar attacks: Haghjoyan, CyberToufan Group, and YareGomnam Team.
The Record reports that Florida's St. Johns River Water Management District said that it has come under an unspecified cyberattack (apparently ransomware, from an unknown or at least undisclosed threat actor), but that the District has been able to work through its difficulties. It explained that it had “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”
Security-by-design, and the reduction of risk associated with default passwords.
Inspired at least in part by the CyberAv3ngers' attacks against Unitronics PLCs, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging technology manufacturers to eliminate default passwords in their products. The agency recommends the following alternatives to default passwords:
- “Provide instance-unique setup passwords with the product;
- “Provide time-limited setup passwords that disable themselves when a setup process is complete and require activation of more secure authentication approaches, such as phishing-resistant MFA;
- “Require physical access for initial setup and the specification of instance-unique credentials.”
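CISA's three alternatives describe a credential lifecycle rather than a single setting: a setup credential that is unique to the unit, that stops working once setup is finished or a time window passes, and that can only be re-minted with hands on the device. The model below is an added example written for this digest, not code from CISA or from any PLC vendor; it shows the state machine a device's firmware would implement. The one-day setup window, the twelve-character minimum, the small denylist of well-known defaults (which includes the "1111" named earlier), and the use of PBKDF2 for password hashing are all choices made for the example.

```python
import hashlib
import hmac
import secrets

# Policy knobs chosen for this example (assumptions, not values from the CISA alert).
SETUP_WINDOW_SECONDS = 24 * 60 * 60      # setup credential self-disables after one day
MIN_PASSWORD_LENGTH = 12
KNOWN_DEFAULTS = {"1111", "0000", "1234", "admin", "password"}


def _hash(password, salt):
    # PBKDF2 keeps the example dependency-free; firmware with the memory to spare
    # would prefer a memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Minimal model of a controller's credential state machine."""

    def __init__(self, serial):
        self.serial = serial
        self.state = "setup"
        self._setup_hash = None
        self._setup_salt = None
        self._provisioned_at = None
        self._operator_hash = None
        self._operator_salt = None

    def physical_reset(self, now):
        """Requires hands on the unit: mints a fresh instance-unique setup credential
        and wipes any operator credential. Only the hash stays on the device."""
        setup_password = secrets.token_urlsafe(12)
        self._setup_salt = secrets.token_bytes(16)
        self._setup_hash = _hash(setup_password, self._setup_salt)
        self._provisioned_at = now
        self._operator_hash = self._operator_salt = None
        self.state = "setup"
        return setup_password          # printed on the unit's label, never stored in clear

    def _setup_credential_valid(self, candidate, now):
        if self.state != "setup" or self._setup_hash is None:
            return False
        if now > self._provisioned_at + SETUP_WINDOW_SECONDS:
            return False               # time-limited: an expired credential is dead even if correct
        return hmac.compare_digest(_hash(candidate, self._setup_salt), self._setup_hash)

    def authenticate(self, password, now):
        if self.state == "setup":
            return self._setup_credential_valid(password, now)
        return hmac.compare_digest(_hash(password, self._operator_salt), self._operator_hash)

    def complete_setup(self, setup_password, new_password, now):
        """Finish first-time setup: prove possession of the setup credential, set an
        operator credential that passes policy, and retire the setup credential."""
        if not self._setup_credential_valid(setup_password, now):
            return "setup-credential-rejected"
        if (len(new_password) < MIN_PASSWORD_LENGTH
                or new_password.lower() in KNOWN_DEFAULTS
                or new_password == self.serial):
            return "weak-password"
        self._operator_salt = secrets.token_bytes(16)
        self._operator_hash = _hash(new_password, self._operator_salt)
        self._setup_hash = self._setup_salt = None   # disables itself, as CISA's second bullet asks
        self.state = "configured"
        return "ok"


def provision(serial, now):
    """Factory step: build a unit and mint its setup credential; returns (device, setup_password)."""
    device = Device(serial)
    return device, device.physical_reset(now)


if __name__ == "__main__":
    now = 1_700_000_000
    dev, setup_pw = provision("UNIT-EXAMPLE-0001", now)   # hypothetical serial
    print("setup login:", dev.authenticate(setup_pw, now + 60))
    print("weak operator password:", dev.complete_setup(setup_pw, "1111", now + 90))
    print("setup complete:", dev.complete_setup(setup_pw, "a very long operator passphrase", now + 120))
    print("setup credential after setup:", dev.authenticate(setup_pw, now + 130))
```

Two properties are worth checking in any real implementation of this pattern: the setup credential must be rejected after setup completes even though it is still the correct string, and a device whose setup window lapsed must require the physical reset path rather than silently extending the window.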
GPS interference is attributed to Iran.
Commercial aircraft have reported disruption of GPS signals, interference that had the effect of meaconing, during flights in the Middle East. WIRED reports that the incidents appear to be centered on Baghdad, Cairo, and Tel Aviv. It was long unclear who might have been responsible, but attribution has now been offered. According to AvWeb, a researcher at the University of Texas Radionavigation Laboratory has concluded that the interference originates on the outskirts of Tehran. The goal of the spoofing seems to be jamming, and not aircraft diversion. Industry experts quoted by Location Business News aren't surprised. Dana Goward, Resilient Navigation & Timing Foundation president, said, “Tehran has a long history of interfering with GPS signals. Also, they seem to have established a version of Loran to reduce their own reliance on navigation and timing signals from space. And in some ways it is not surprising they don't seem to be intentionally drawing aircraft off course, merely trying to deny GPS service. This is a good reminder to everyone that receivers will react to interference in different ways.”
Chinese operators intrude into infrastructure.
Iran is not the only government displaying an interest in infrastructure. In what appears to be a staging and battlespace preparation effort, China's People's Liberation Army cyber operators have intruded into infrastructure in several countries, with, the Washington Post reports, special attention to the United States. The incursions, US officials say, are "part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a U.S.-China conflict in the Pacific." The staging forms part of the ongoing Volt Typhoon campaign; the latest US disclosures build on February's annual assessment by the Office of the Director of National Intelligence. The Post quotes CISA Executive Director Brandon Wales as saying, “It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis. That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.”
The UK removes components supplied by a China-backed vendor from its national grid.
Acting in accordance with NCSC recommendations, Britain's National Grid has begun pulling components supplied by Chinese-controlled Nari Technology from its electrical power transmission network, the Financial Times reports. The removal of Nari products is motivated by concerns over the cybersecurity risk Chinese-manufactured components carry.
Kyivstar sustains disruptive cyberattack.
Ukraine's largest mobile service provider, Kyivstar, sustained a cyberattack that disrupted telephone service and Internet access across much of its network. Ukrainian authorities are investigating, and, the Kyiv Post reports, quoting the SBU: "The Security Service of Ukraine (SBU) has opened criminal proceedings into a cyber attack on one of the national mobile operators, Kyivstar. One of the versions currently being investigated is that the special services of the Russian Federation may be behind this hacker attack.” According to Reuters, Kyivstar was unambiguous in attributing the incident to Russia.
Approximately 24 million customers' mobile service was affected, as were more than a million customers' home Internet connectivity. Although Kyivstar says their data weren't compromised, the company did say that two customer databases had been "damaged," and were now "locked." One noteworthy effect of the attack was a minor but telling impact on infrastructure: streetlights in Lviv had to be turned off manually. Their remote controls ride on Kyivstar's network.
Attacks against infrastructure operators hit business systems.
Ransomware attacks have continued to hit infrastructure operators. The most recent incidents, unlike the attack on the Municipal Water Authority of Aliquippa, which affected control systems, have been directed against utility business systems. So far their core operations remain unaffected.
The North Texas Municipal Water District (NTMWD) was hit by a cyberattack that affected its business systems, the Record reports. Alex Johnson, director of communications for NTMWD, told Recorded Future News, “Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident, and we continue to provide those services as usual. Our phone system was also affected by this incident, and we hope to have it back online this week. NTMWD has engaged third-party forensic specialists who are actively investigating the extent of any unauthorized activity. The investigation is ongoing at this time and includes a review of any potentially impacted District data.”
Security Affairs reports that the Daixin Team cybercriminal group has added NTMWD to the list of victims on its leak site, claiming to have stolen “board meeting minutes, internal project documentation, personnel details, audit reports, and more.”
State-owned Slovenian power generation company Holding Slovenske Elektrarne (HSE) was hit by a ransomware attack that affected the company’s communication and information infrastructure, Help Net Security reports. HSE General Director Dr. Tomaž Štokelj stated, “We would like to emphasize that the HSE had control over the power plants of the HSE group at all times, safety was also properly taken care of, and the high water alarm system also worked smoothly. Electricity trading has not been interrupted and is being carried out, but out of caution we have somewhat limited the execution of individual transactions.”
Sandworm activity puts European power utilities on alert.
An essay the Polish Institute of International Affairs contributed to Defence Industry Europe warns of the increased operational tempo that Russian cyberattacks against NATO now exhibit. "Russia mainly attempted to steal data, paralyse systems critical to the functioning of the state, or impersonate state institutions, among other things, in order to sow disinformation or gain access to data." The essay argues for greater cooperation in cyberspace by the members of the Atlantic Alliance.
Recent activity by the GRU's Sandworm threat group has been a matter of particular concern. European electrical utility executives and government ministers have also called for increased vigilance and security against the prospect of Russian cyberattacks against the continent's power grid. POLITICO quotes Polish Deputy Energy Minister Ireneusz Zyska: “I was … observing thousands of attacks on our energy grid taking place live. It is clear that these attacks come from the East: the Russian Federation and non-democratic countries." Those hostile governments, he added, “have created special teams of people working on attacking the democratic states of the European Union cybernetically to cause havoc. We’re extremely concerned about the cyber threats and cyberattacks in the energy sector in the European Union."
Threats to manufacturing.
Trustwave SpiderLabs has released a report looking at threats to manufacturing companies, finding that the LockBit 3.0 ransomware was the most commonly used malware in the sector, deployed in nearly 30% of attacks. The researchers add that “Clop, BlackCat/ALPHV, and Royal are also favored ransomware strains that have substantially affected the manufacturing threat landscape.”
The report also notes that “companies specializing in industrial equipment, robotics, automation, heavy construction, automotive, electronics, and chemical manufacturing have been more prominently listed as victims on ransomware extortion websites.”
HM Government denies reports of cyber incident at Sellafield nuclear site.
The Guardian reported that the British nuclear facility at Sellafield had sustained a cyberattack by foreign threat actors "closely linked to China and Russia" who've succeeded in compromising the facility with "sleeper malware," possibly as long ago as 2015. The Guardian cites a report by the Office for Nuclear Regulation (ONR) that found security shortfalls at the site. Sellafield's principal activities are nuclear waste storage and processing.
HM Government released a statement from the facility's operator, Sellafield Ltd., which categorically denies any such incidents as the Guardian describes. "We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian," the statement reads in part. "We have asked the Guardian to provide evidence related to this alleged attack so we can investigate. They have failed to provide this." The ONR seconded the denial. "As a regulator, we have seen no evidence that Sellafield’s systems have been hacked by state actors in the way described in the report." The ONR did say that it was conducting an ongoing investigation into security at Sellafield, and that "in relation to cyber security, Sellafield Ltd is currently not meeting certain high standards that we require, which is why we have placed them under significantly enhanced attention."
The Guardian reported this morning that the Labour opposition has asked the Government's responsible ministers for a response to the paper's allegations.
Cyber phases of hybrid wars spread beyond the theaters of operation.
Russia's war in Ukraine and the war between Hamas and Israel, initiated by Hamas's October 7th terror attacks, have both been hybrid wars, with significant action in cyberspace. CSO has an essay describing this "spillover" and how security teams should prepare for it. The essay argues that public and private sector organizations are both likely to become targets of cyberattacks mounted as contributions to such wars, and that security teams should recognize this risk, understand that the risk is unlikely to be catastrophic, and apply sound risk management practices to deal with it. "[C]ybersecurity teams must persistently simulate and collaborate with information sharing geared toward an adaptive defense posture that consistently tailors and re-tailors internal practices toward shifting geopolitical conditions."
One of the lessons of the war in Gaza is the large role states not directly involved in a conflict can play in cyber operations. Iran's recent exploitation of vulnerable PLCs in US utilities and other facilities affords an example of this. And one of the lessons of Russia's hybrid war is not only the active participation of security and intelligence services in cyberattacks (as seen most recently in Fancy Bear's email credential harvesting operations) but also the use of hacktivist auxiliaries and criminal groups acting effectively as privateers. A lesson from both wars is the importance of public-private cooperation for better security. A recent example of such cooperation is afforded by this morning's announcement, by Dragos, of the expansion of its Community Defense Program, initially piloted last year in response to Russian action in Ukraine. That program provides training, technical support, and information-sharing to small and under-resourced utilities, especially those that deliver local water and electrical power services.