Hackers Target U.S. Water/Wastewater Systems in Cyber Attacks

In a joint statement from the Federal Bureau of Investigation (FBI), the Cyber and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD), an Iranian military organization is behind recent cyber attacks across several industries in the United States.

According to the release, Iranian Government Islamic Revolutionary Guard Corps (IRGC) is actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). The United States designated IRGC as a foreign terrorist organization in 2019. 

The PLCs are commonly used in the water and wastewater industries and are additionally utilized across food, healthcare, and food and beverage industries. The CISA noted the PLCs may be rebranded and appear as different providers or manufacturers. 

PLCs are often used across in the water industry to control and monitor various stages of water and wastewater treatment. This often includes using the controllers to turn pumps on and off, control the flow of chemicals, gather and record data, and issue alerts to users. Attempts to compromise the technology can threaten a system's ability to safely and efficiently send water to and from its communities. 

IRGC actors are using the persona "CyberAv3ngers" and have been targeting the default PLCs since at least Nov. 22, 2023. According to the statement, "The IRGC-affiliated cyber actors left a defacement image stating, 'You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”

The victims span across multiple U.S. states. 

The CISA urges all organizations with these PLCs to implement the following mitigation tactics:

• Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password “1111” is not in use. 
• Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.

• Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.   

  • Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services. 

  • Use an allowlist of IPs for access. 

• Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
• If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
• Update PLC/HMI to the latest version provided by Unitronics.

The CISA has additional resources to prevent or report potential attacks. Contact us today with any security questions you may have about your critical infrastructure and to learn more about upgrading to our award-winning IPC-based system.