US authorities are working to contain a campaign by Iranian hackers against multiple drinking water and sewage systems around the country.
“We are aware of active targeting by these actors and exploitation,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, told reporters in a call on Monday. A “small number” of water utilities have been compromised, he said, and he urged operators to bolster security.
There has been no known impact on safe drinking water or operational systems, Goldstein said.
The Municipal Water Authority of Aliquippa, in western Pennsylvania, is among the utilities that was hacked and had to switch to manual systems, according to WaterISAC, an industry information-sharing body.
A group called the CyberAv3ngers, who are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps, has been targeting technology that runs physical systems, called programmable logic controllers, that are made by Unitronics, an Israeli company, according to US and Israeli government agencies. The devices are commonly used in water and wastewater systems, in addition to other industries including energy, food and beverage manufacturing and health care.
The US designated the IRGC as a terrorist organisation in 2019.
In a joint cybersecurity advisory issued on Friday, US agencies including CISA, the FBI and the National Security Agency, warned that the controllers could be breached if they are connected to the Internet and because they often use default passwords issued by the manufacturer.
Unitronics didn’t immediately respond to a request for comment.
Paul Lukoskie, director of threat intelligence services at the cybersecurity firm Dragos, which is helping Unitronics customers shield themselves from the threat, told Bloomberg that ideally no products that run critical infrastructure systems would be on the public Internet at all, but would instead be protected behind a “monster firewall”.
The CyberAv3ngers group has claimed responsibility for numerous attacks against critical infrastructure organisations since 2020 but is known for fabricating or exaggerating their impact, according to John Hultquist, chief analyst at Mandiant Intelligence, a cybersecurity unit at Google.
“Obviously you don’t want a group like this to have control or have access to any part of critical infrastructure,” he told Bloomberg, saying the group is less focused on physical impact than making a splash. “The purpose is to undermine our sense of security.”
In November, the hacking group posted on X, “Every equipment ‘Made In Israel’ Is Cyber Av3ngers Legal Target!”
Michael Hamilton, founder and chief information security officer at Critical Insight, a network security company, said the attackers aren’t sophisticated hackers but succeed due to security oversights by their victims.
The problem is also compounded because of the fragmented nature of the US water industry, which has about 165,000 drinking water and wastewater systems in total. Many lack basic cybersecurity protections, according to Hamilton. – Bloomberg