Iran hits Pennsylvania water utility.
The CyberWire, Nov 28, 2023

Iranian hacktivists claim an attack on a Pennsylvania water utility.


The Municipal Water Authority of Aliquippa, Pennsylvania, confirmed Saturday that the Iranian hacktivist group Cyber Av3ngers had taken control of one of the local water utility's booster stations.

Programmable logic controller compromised.

The attack affected a station that monitors and regulates pressure for Raccoon and Potter Townships. KDKA (CBS News Pittsburgh) reported that the attack immediately tripped an alarm, and that neither the safety nor the availability of the townships' water was affected. The attackers displayed a message on the station's monitors expressing their political purpose: "You have been hacked Down with Israel Every equipment 'made in Israel' is Cyber Aveng3rs legal target" (sic). The utility uses a programmable logic controller (PLC) provided by Unitronics, an Israeli company. The BeaverCountian reports that operators responded to the alarm by reverting to manual control. Both Federal and Pennsylvania agencies are investigating the incident.

Iranian group has claimed other attacks against utilities.

The Cyber Av3ngers have claimed attacks on utilities before, but those utilities have been in Israel. In October they claimed to have attacked closed-circuit television systems at the national water company, MEKOROT. That attack they appear actually to have carried out. That same month they also claimed, falsely, to have compromised the Dorad power station, also in Israel. The Pennsylvania attack indicates an expansion of the group's activities. Control Global has an account of the attack and its broader implications.

Water utilities represent an exposed and valuable target.

Water utility infrastructure tends to be older and durable. It's sometimes presumed to be airgapped by default, but that's no longer the case. As Aliquippa operators said, their systems as a whole date back to the 1940s, but that's not true of the subsystems, many of which are much more recent and are specifically designed to take advantage of the efficiencies networking offers. Richard Caralli, Senior Cybersecurity Advisor at Axio, commented at length on water distribution as a target for cyberattack:

"Municipal water is an under-appreciated attack target. It has several challenges: limited cybersecurity budget and staff, significant third-party dependencies, and one of the most direct vectors for causing widespread effects on life, safety, and health. They are also effective targets to draw attention to causes, such as the Israel/Hamas conflict, as people tend to pay attention when their vital needs are under attack—and people don't handle 'boil water' announcements very well.

"Life, safety, and health is a very strong motivator to capture attention, evident in how the local Pittsburgh news carried the story as breaking news, normally reserved for major incidents impacting lives. Smaller organizations face a challenge in preventing such attacks. To address this, they should:

  • "Conduct a cybersecurity assessment on their IT and OT operations, networks, and key assets to identify weaknesses and prioritize actions. Understanding where attackers might exploit weaknesses is paramount. 
  • "Understand potentially inherited third-party risks, particularly since smaller organizations are typically highly dependent on third-parties for systems and equipment updates, data storage, etc.
  • "Have well-developed and exercised incident response plans, including recovery and restoration plans for key operations."

The operators of an old, familiar, and generally reliable system were able to fall back quickly to manual backups. As Caralli wrote, "The engineers saved the day in this hack because they had older equipment and knew exactly how to prevent operational and collateral damage to the water system. This demonstrates that operational resilience is a combination of what you can prevent (through understanding your weaknesses and improving controls) and what you can sustain (limiting the damage through recovery and restoration plans that have been tested). For a small organization, both sides of this equation have to be operating effectively."

(Added, 12:45 PM ET, November 29th, 2023.) The attack against Aliquippa's water system had a nominally political purpose (in this case, probably a real one). Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, finds this a striking development in risk to infrastructure: the connection between the target and the attacker's real enemy can be tenuous indeed. "Observing how a cyber-attack on critical infrastructure, motivated by nation-state, hacktivist, or terrorist agendas, is triggered merely by the presence of equipment from a specific country, marks a new frontier of risk for skeptics," Grove wrote. "This incident should be a wake-up call, emphasizing that no entity is immune to cyber-attacks, regardless of their operation's nature, scale, or location. Today's digital landscape, especially in critical infrastructure sectors, is akin to a modern battlefield. Whether we acknowledge our involvement or not, our mere presence in this arena entails significant risks."

CISA and the WaterISAC respond to the Aliquippa cyberattack.

(Update, 2:00 PM ET, November 29th, 2023.) The US Cybersecurity and Infrastructure Security Agency (CISA) confirms that the systems exploited in the weekend attack on the Municipal Water Authority of Aliquippa were Unitronics programmable logic controllers (PLCs). In general, CISA explains, PLCs are used in the water and wastewater sector to "control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations." CISA urges water utilities using Unitronics PLCs to take the following protective measures:

  • "Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
  • "Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
  • "Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.
  • "Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
  • "If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
  • "Update PLC/HMI to the latest version provided by Unitronics."
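The CISA measures above single out TCP 20256, the PCOM/TCP default port, as the port being probed. As an added example (not from the CyberWire article, CISA, or Unitronics), the script below reads constructed firewall log lines in a hypothetical key=value format and reports which PLCs accepted connections on that port from sources outside a trusted OT/VPN address list; the trusted ranges, the log format and the sample addresses are all assumptions.

```python
"""Flag accepted connections to the Unitronics PCOM/TCP default port (TCP 20256)
from outside a trusted address list, over constructed firewall log lines."""
import ipaddress
import re
from collections import defaultdict

PCOM_DEFAULT_PORT = 20256  # default PCOM/TCP listener port, as cited in the CISA measures
# Ranges the OT network and its VPN clients are expected to use (assumption; site-specific).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall format (no vendor's).
# RFC 5737 documentation addresses stand in for internet sources; 10.99.0.5 is a VPN client.
SAMPLE_LOG = """\
2023-11-25T02:14:07Z action=ACCEPT proto=TCP src=198.51.100.23:41522 dst=10.20.5.10:20256
2023-11-25T02:14:09Z action=ACCEPT proto=TCP src=198.51.100.23:41523 dst=10.20.5.10:20256
2023-11-25T02:14:10Z action=ACCEPT proto=TCP src=198.51.100.23:41524 dst=10.20.5.11:20256
2023-11-25T02:20:31Z action=ACCEPT proto=TCP src=10.99.0.5:50010 dst=10.20.5.10:20256
2023-11-25T02:21:00Z action=DROP proto=TCP src=203.0.113.8:60000 dst=10.20.5.10:20256
2023-11-25T02:22:44Z action=ACCEPT proto=TCP src=203.0.113.8:60001 dst=10.20.5.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything the regex rejects."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_trusted(ip, trusted=TRUSTED_NETS):
    """True when the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)

def external_pcom_connections(log_text, pcom_port=PCOM_DEFAULT_PORT, trusted=TRUSTED_NETS):
    """(source, plc, timestamp) for accepted TCP connections to the PCOM port from
    untrusted sources. DROP lines are skipped: there the firewall did its job."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dport"] == pcom_port and not is_trusted(rec["src"], trusted):
            hits.append((rec["src"], rec["dst"], rec["ts"]))
    return hits

def exposed_plcs(log_text, pcom_port=PCOM_DEFAULT_PORT, trusted=TRUSTED_NETS):
    """Group hits by PLC: which controllers answer on the PCOM port to the open internet."""
    by_plc = defaultdict(set)
    for src, plc, _ in external_pcom_connections(log_text, pcom_port, trusted):
        by_plc[plc].add(src)
    return {plc: sorted(srcs) for plc, srcs in by_plc.items()}

if __name__ == "__main__":
    for plc, sources in exposed_plcs(SAMPLE_LOG).items():
        print(f"PLC {plc} accepted PCOM/TCP {PCOM_DEFAULT_PORT} from: {', '.join(sources)}")
```

If a site has moved its PLCs off the default port as CISA suggests, pass that port as `pcom_port` so the check follows the real listener rather than 20256.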

The WaterISAC's public discussion of the incident is based on open-source news reports, which they summarize with due concern and without much elaboration. The ISAC does express one animadversion: "Of note, the news site has posted an image stating it was submitted by the water authority. The image suggests the attacker’s message is displayed on the system that was compromised with the Unitronics device and model (V570). While there’s generally nothing wrong with providing attackers messages to the media, perhaps better operational security should be maintained by cropping the image to omit the device and model or other key data."

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, expressed strong approval of CISA's attempt to help water utilities secure themselves. "Kudos to CISA for taking a proactive stance on trying to combat abuse of water control facilities. These facilities should already be tightly controlled and not needing CISA to warn them, but unfortunately, a high percentage of them are both Internet accessible and contain critical vulnerabilities which allow attackers to exploit them. CISA's recent announcement is just another, 'Hey, get secure!' warning, trying to reduce the risk to our nation from foreign cyber threats."

Notes on the challenges of securing control systems.

(Added, 2:00 PM ET, November 29th, 2023.) Mark Toussaint, Senior Product Manager and operational technology (OT) expert at OPSWAT, sent observations about the distinct challenges of mitigating risks to industrial control systems. “Mitigating cybersecurity risks in ICS systems can present a challenge for some organizations, and particularly in Water and Wastewater Systems since they are often smaller municipalities with limited resources," he wrote. There are regulatory gaps as well. "This industry is also not regulated by enforceable cybersecurity requirements, making it more vulnerable. However, alignment with other industry best practices for OT environments is a great first step, along with a foundational approach. Identifying threat vectors and implementing solutions to reduce the likelihood of impactful attacks, such as controlling removable media in secured environments, are essential components of this strategy."

He closed with suggestions for risk management:

"Organizations can enhance their security tech stack by incorporating unidirectional security gateways. While traditionally used in government agencies, these gateways and data diodes are increasingly adopted in industries like oil and gas and manufacturing. They ensure one-way communication and data sharing, not only preventing potential insider threats and minimizing data leakage but also ensuring no routable information passes between networks with varying security levels. This preventative measure hinders threats from spreading to critical network segments, allowing operations to continue without compromise. 

"Given that critical infrastructure sectors like Water and Wastewater are increasingly targeted by nation-state threat actors seeking to cause disruption, it is crucial for organizations to stay ahead of the curve. We know the White House has initiated executive orders and national plans to bolster cybersecurity, and industry-specific regulators are publishing cybersecurity guidelines, but in the face of evolving cyber threats, it is imperative for organizations to take a proactive and comprehensive perimeter defense strategy."

(Added, 8:15 PM ET, November 29th, 2023.)

Michael Bimonte, CTO, SLED at Armis, commented that cyberwar has become widespread, and with it attacks against infrastructure. “Unfortunately, cyberwarfare attacks targeting critical infrastructure and state and local government entities are now a common occurrence; cybercriminals fight dirty, and they target smaller municipalities that have a large impact on society with hopes that their recovery and response capabilities are lacking. And it’s true there are critical, exploitable security gaps, with 40% of organizational assets being left unmonitored." Ability to take systems offline quickly helped at Aliquippa. "Thankfully in this case, the water authority was able to take their system offline swiftly. CISA’s alert issued this week is an essential step in helping avoid further exploitation of the device in question; however there is more that can be done on a wider scale to prepare for future incidents from both foreign adversaries and domestic bad actors."

He argues for a general, collaborative approach to securing infrastructure. "Security and IT professionals must continue to find ways to optimize defense of critical infrastructure our country is so deeply dependent on. From small local communities to the nation at-large, this requires an all-hands approach across the public sector. Whole-of-state is one framework we’ll see increasingly emphasized to address the problem. This approach aims to improve cyber defenses at every level of state and local government by breaking down governmental silos and encouraging entities to share cybersecurity resources and information to enhance their collective cybersecurity posture. Since it is impossible to have a whole-of-state approach with a narrow view of what exactly lives in a network, it is imperative to prioritize the ability to see, protect and manage the entire attack surface to continuously safeguard critical assets from cyber threats. By adopting a whole-of-state system with full asset intelligence, every segment of local government is in a much stronger position to defend against acts of cyberwarfare.”

(Added, 9:15 PM ET, November 29th, 2023.) Howard Goodman, Technical Director at Skybox Security, also offered advice to utilities executives and managers. "In light of the recent cyberattacks on U.S. water facilities, it's become increasingly evident that business leaders must proactively anticipate cyber threats. The merging of operational and information technology in utilities heightens vulnerabilities, widening the attack surface. Thus, achieving visibility into cybersecurity is critical for protecting infrastructure," he wrote. "As the federal government investigates these attacks, attributed to an Iranian government-linked group, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued recommendations for water utilities. These include updating passwords, enabling multi-factor authentication, and disconnecting critical control systems from the internet. Additionally, the White House has introduced a plan to fortify cybersecurity across the water sector, pushing for early threat detection and improved incident response."

Utilities work in a complex economic and regulatory environment, he observed. "Leaders in the utilities sector must navigate the complexities of volatility, decarbonization, digitalization, and regulatory changes. Understanding these dynamics is key to strengthening security measures. To effectively bridge the gap between operational technology and information technology, utility leaders should:

  • "Enhance security posture management by adopting new technologies for early detection of cyber threats.
  • "Implement automation for sustained compliance with cybersecurity best practices.
  • "Foster a unified view across security and OT/IT with a comprehensive network model.
  • "Break down silos to eliminate security blind spots within the organization.
  • "Minimize downtime by optimizing remediation strategies, extending beyond traditional patching."

(Update, 3:45 PM ET, December 1st, 2023.)

Unitronics exploitation poses a supply chain threat.

Concerns about Iranian attacks against programmable logic controllers (PLCs) used in infrastructure continue. The UK's National Cyber Security Centre (NCSC) has endorsed the US Cybersecurity and Infrastructure Security Agency's (CISA's) warning on Iranian exploitation of Unitronics PLCs, adding a note of reassurance: "The exploitation is of limited sophistication, and is highly unlikely to cause any disruption to the routine supply of water. There is a very low potential risk, if the threat is unmitigated, to some small suppliers. As such, the NCSC is encouraging organisations using Unitronics PLCs to follow the steps outlined in CISA's cyber security advisory."

That said, the activity represents a significant threat to the industrial control system supply chain. Unitronics PLCs are widely used in a range of sectors that extend far beyond water treatment and distribution systems. The company lists these categories of applications for their PLCs: "Pumps, Water/Waste Waters, Packaging, Manufacturing, Medical, Food & Beverage, Material Processing, Oil & Gas, Power & Energy, Automotive, Building Automation, Miscellaneous, Education, Refrigeration, Printing, [and] Textiles."

We might add breweries to the list. Another attack has surfaced, also in Pennsylvania, in which a Unitronics PLC was hacked to display the same message that appeared on the Aliquippa water system's controller. SentinelOne observes, "The Full Pint Beer brewery in Pittsburgh shared images on social media on 28th November showing similar defacement of a Unitronics PLC in use as part of their control system." If taken at face value, as the messages probably should be, the target is Israel. Why that targeting should have manifested itself so specifically in Western Pennsylvania is unclear. CyberScoop says that there are signs of other attacks on US water systems, but that so far those remain in the "single digits."

(Added, 3:45 PM ET, December 1st, 2023.)

A threat actor with a record of exaggeration and modest technical chops, but a real threat nonetheless.

The Cyber Av3ngers have a record of crowing loudly, and they've tended to inflate their results. With this supply chain attack, however, they've illuminated a real risk. Mark Plemmons, Senior Director, Threat Intelligence at Dragos, puts this group and some of its peers into perspective. "Most ideological and geopolitically motivated hacktivist attacks in 2023 have featured exaggerated claims, and the victims and devices they targeted generally resided in a specific country," he wrote. "The late-November attack by the CyberAv3ngers group was different in that it was focused on devices made in Israel – regardless of where it was deployed or in use. As a result, there were successfully compromised Unitronics PLC devices to attack numerous global entities including in the US, Europe and Australia."

The Iranian group had threatened to attack Israeli tech companies, and here's how Plemmons thinks they proceeded. "Prior to the compromise of these devices, the CyberAv3ngers stated they were planning to attack Israeli technology companies. They likely scanned the open internet to identify publicly-accessible Unitronics devices and then attempted to log into the devices using the Unitronics default password setting, which can be easily found online. The silver lining is that the CyberAv3ngers hacktivist group does not possess specific OT capabilities, so the intrusion only resulted in the PLC devices’ main HTML menu page being altered with anti-Israel commentary. The access gained by these actors remains a concern, however, because other manipulation of the associated systems could be attempted – with unknown consequences that are specific to each environment which uses these devices. However, this incident highlights the importance of basic security fundamentals for any OT system, no matter how small, including the SANS Five Critical Controls for OT Cybersecurity."

2023 has been a year during which two major regional wars have brought hacktivist auxiliaries into prominence. Plemmons reviews their record. "These recent attacks cap a year in which cyber adversaries, both advanced and lesser skilled hacktivists, have used the Ukraine-Russia and Israel-Hamas conflicts to conduct targeted operations against critical infrastructure and spread misinformation, fear, uncertainty, and doubt (FUD). Throughout 2023, hacktivists and other unsophisticated, opportunistic threats have conducted widespread distributed denial of service (DDoS) attacks against various industrial organizations and critical infrastructure. Examples include pro-Russia groups like 'CyberArmyofRussia_Reborn' attacking industrial organizations in Europe in May 2023, 'NoName057(16)' attacking European and NATO-aligned country's manufacturing and transportation organizations, and "Anonymous Sudan" also attacking US and other NATO-aligned entities. The same hacktivist TTPs have been observed with pro-Hamas hacktivist groups such as the 'CyberAv3ngers' and 'Team Insane Pakistan' claiming disruptive attacks against Israeli Railways, an Israeli town's power grid system, and an Israeli hydroelectric plant."

To be sure, the results the hacktivist auxiliaries achieved have generally been at a nuisance level, and a far cry from the apocalyptic catastrophes the groups tend to promise. "These past claimed hacktivist DDoS attacks had minimal impacts and primarily disrupted organizations' websites. In many cases, claims of disruptive attacks against critical infrastructure were wildly exaggerated or fabricated," Plemmons observes. But sometimes nuisance is your mission and your business. "However, they often met the goals typical for hacktivist groups: to gain notoriety; spread misinformation; cause fear, uncertainty and doubt; and draw international media attention to geopolitical and social causes. The CyberAv3ngers' more targeted attack against easily discoverable and default configured PLC devices represents a successful OT attack, though with limited impact to the actual systems and associated processes controlled."