Iran Cyber Operations Target Utility Infrastructure

Per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every piece of equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate the risk of compromise from these IRGC-affiliated cyber actors.” (CISA, 12/01/2023)

The intrusions targeted critical utilities, in this case U.S. water and wastewater treatment infrastructure. Per CISA, “Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, ‘You have been hacked, down with Israel. Every equipment “made in Israel” is Cyberav3ngers legal target.’ The Water and Wastewater Systems Sector (Water Sector) underpins the health, safety, economy, and security of the nation. It is vulnerable to both cyber and physical threats.”

The warning is instructive: the fallout from a successful compromise of a public water system can be severe. Andrew Farr warns, “The imagination can run wild with worst-case scenarios about what a threat actor could do to a water system, but Arceneaux explains that sophisticated actors could hack a system and manipulate pumps or chemical feeds without the utility even knowing they were in the system. They could also create a water hammer that could lead to cracked pipes or release untreated wastewater back into a source water body. What if that happens [to a water system] in a medium or a big city? Maybe it’s only for a few hours, but it could go on for a few days or weeks, depending on how extensive the damage is.” (Farr, WF&M, 04/11/2022)

Darktrace reports a real-world consequence of a successful water system compromise: “Earlier this month, cyber-criminals broke into the systems of a water treatment facility in Florida and altered the chemical levels of the water supply.” (Matthew Wainwright, Darktrace) If potable water delivered to consumers contains dangerous contaminants, or an improper balance of the “good” chemicals blended into the product (fluoride, chlorine, chloramine, etc.), it can cause negative health effects. Gastrointestinal illness, nervous system damage, reproductive system damage, and chronic diseases such as cancer are among the risks.

CISA’s cyber-defense mapping of the “brute force” methodology deployed by the IRGC operatives may be viewed at MITRE.
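The compromise pattern described above (repeated login attempts against an internet-exposed PLC, ending in a success once a default or weak password is guessed) is something a utility can watch for in its own device access logs. The following is an added detection example, not code from the page, CISA or Unitronics; the log line format, threshold, window and sample entries are all constructed for illustration.

```python
"""Detection logic for the brute-force / default-credential pattern described
above, run over constructed PLC login log lines. The log format is invented
for this example; it is not a Unitronics or CISA format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO time> src=<ip> dev=<device> result=<ok|fail>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dev=(\S+) result=(ok|fail)$")
FAIL_THRESHOLD = 5             # assumed: failed logins from one source per WINDOW
WINDOW = timedelta(minutes=10)  # assumed sliding window

def parse_line(line):
    """Return (time, src, device, success) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dev, result = m.groups()
    return datetime.fromisoformat(ts), src, dev, result == "ok"

def detect(lines):
    """Alert when a source crosses FAIL_THRESHOLD failures inside WINDOW, and
    again if that source then succeeds while its failure run is still in window
    (the signature of a guessed default or weak password)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent_fails = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for ts, src, dev, ok in events:
        fails = [t for t in recent_fails[src] if ts - t <= WINDOW]
        recent_fails[src] = fails
        if not ok:
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:  # fire once per run, not per attempt
                alerts.append(("brute_force", src, dev, ts.isoformat()))
        elif len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_brute_force", src, dev, ts.isoformat()))
    return alerts

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2023-11-22T03:10:00 src=203.0.113.77 dev=booster-plc result=fail
2023-11-22T03:10:04 src=203.0.113.77 dev=booster-plc result=fail
2023-11-22T03:10:09 src=203.0.113.77 dev=booster-plc result=fail
2023-11-22T03:10:13 src=203.0.113.77 dev=booster-plc result=fail
2023-11-22T03:10:18 src=203.0.113.77 dev=booster-plc result=fail
2023-11-22T03:10:22 src=203.0.113.77 dev=booster-plc result=ok
2023-11-22T08:00:00 src=10.20.0.5 dev=booster-plc result=fail
2023-11-22T08:00:30 src=10.20.0.5 dev=booster-plc result=ok
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

A single operator typo (the 10.20.0.5 entries) stays below the threshold and produces no alert, while the rapid run from 203.0.113.77 raises both a brute-force alert and a follow-on alert on the eventual success.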