  • NixiTy

Florida Water Agency Hit by Cyber Attack as Nation-State Threats Rise

The CyberAv3ngers group, linked to the Iranian government's Islamic Revolutionary Guard Corps (IRGC), has been actively targeting water utilities.




The recent cyberattacks on water facilities in the U.S., including the St. Johns River Water Management District in Florida, are part of a larger campaign. The attackers, associated with the IRGC, have compromised Unitronics programmable logic controllers (PLCs) used in water treatment and distribution.

The St. Johns River Water Management District confirmed a cyberattack and took corrective measures, while other water utilities, including one serving 2 million people in North Texas, reported cybersecurity incidents.

The attackers, known as CyberAv3ngers, have targeted Unitronics PLCs since at least November 22. They have expressed their motivation to target entities related to Israel and have claimed responsibility for both real and deceptive attacks on Israeli PLCs in various sectors, including water, energy, shipping, and distribution.

In response to these threats, the Cybersecurity and Infrastructure Security Agency (CISA), along with other U.S. agencies and Israel's National Cyber Directorate, issued a warning about the ongoing cyberattacks associated with the IRGC. Compromise of the targeted Unitronics PLCs can disrupt the controllers' user interfaces and potentially render the PLCs inoperable, posing risks to critical infrastructure.

It's essential for organizations using Unitronics PLCs, especially in critical infrastructure sectors, to enhance their cybersecurity measures and monitor for any suspicious activity to prevent potential disruptions.


Recommendations:


Change Default Passwords:

  • Change all default passwords on PLCs and Human Machine Interfaces (HMIs) and use strong passwords.

  • Ensure that the default password "1111" on Unitronics PLCs is not in use.


Implement Multifactor Authentication:

  • Require multifactor authentication for all remote access to the Operational Technology (OT) network.


Secure Network Access:

  • Disconnect the PLC from the open internet.

  • If remote access is necessary, control network access to the PLC using a Firewall/VPN.

  • Use an allowlist of IPs for access.


Backup Logic and Configurations:

  • Back up the logic and configurations on Unitronics PLCs for fast recovery.

  • Learn the process for factory resetting and deploying configurations in case of a ransomware attack.


Use Different TCP Ports:

  • If possible, use a TCP port different from the default port TCP 20256, as cyber actors are actively targeting this port.
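
To check that the allowlist and port recommendations above are actually holding, firewall logs can be audited for connections to the PLC port from sources outside the allowlist. The script below is an added example, not part of the CISA alert; the log format, the 10.8.0.0/24 VPN pool and all sample lines are constructed assumptions.

```python
import ipaddress

# Default Unitronics port named in the alert; add any site-specific replacement port.
PLC_PORTS = {20256}
# Hypothetical allowlist: a VPN address pool permitted to reach the PLCs.
ALLOWLIST = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed firewall log: timestamp, source IP, PLC IP, destination port, action.
SAMPLE_LOG = """\
2023-12-01T02:14:07Z 203.0.113.45 10.20.0.15 20256 ALLOW
2023-12-01T02:15:10Z 10.8.0.4 10.20.0.15 20256 ALLOW
2023-12-01T02:16:31Z 198.51.100.7 10.20.0.15 20256 DENY
2023-12-01T02:17:02Z 10.8.0.9 10.20.0.15 443 ALLOW
malformed line
2023-12-01T02:18:44Z 10.30.1.2 10.20.0.16 20256 ALLOW
"""


def audit_plc_access(log_text, allowlist=ALLOWLIST, ports=PLC_PORTS):
    """Return one finding per connection to a PLC port from a non-allowlisted source."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the audit
        ts, src, dst, port, action = fields
        try:
            src_ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue  # unparsable address or port
        if port not in ports or any(src_ip in net for net in allowlist):
            continue  # not PLC traffic, or an approved source
        # ALLOW means the firewall let an unapproved source through to the PLC.
        status = "reached-plc" if action == "ALLOW" else "blocked"
        findings.append({"time": ts, "src": src, "plc": dst, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_plc_access(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} -> {f['plc']} [{f['status']}]")
```

A "reached-plc" finding points to a firewall rule that needs tightening; a "blocked" finding shows the allowlist working and identifies a source worth watching.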


Update PLC/HMI:

  • Update Unitronics PLCs and HMIs to the latest version provided by Unitronics.


Additional Resources:

CISA and WWS Sector partners have developed numerous tools and resources that water utilities can use to increase their cybersecurity. Please visit:


Reporting Suspicious Activity:


Organizations are encouraged to report suspicious or criminal activity related to the alert to CISA's 24/7 Operations Center at: report@cisa.gov or (888) 282-0870, or their local FBI field office. It's crucial for organizations in the water sector to take immediate action to secure their systems and follow the provided recommendations to mitigate the risks associated with this cyber threat.


Cyber Security is not a Joke.... Don't Let Anyone Hurt You!


Source: cisa.gov | Alert

