In a significant cybersecurity incident, multiple U.S. organizations, including a western Pennsylvania water authority, fell victim to breaches by Iran-affiliated hackers.
These attacks targeted industrial control devices manufactured by the Israeli company Unitronics.
This information was disclosed in an advisory from the FBI, the Environmental Protection Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and Israel’s National Cyber Directorate.
Matthew Mottes, chair of the Municipal Water Authority of Aliquippa, revealed that this group also compromised four other utilities and an aquarium.
The Aliquippa breach, detected on November 25, led to a temporary halt in pumping at a remote station, necessitating manual operation.
A digital message left by the hackers declared all Israeli-made equipment as “a legal target.”
Cybersecurity experts highlight an increase in cyberattacks on Israeli interests and its allies following the October 7 attack into Israel by Hamas.
This surge includes actions from state-backed Iranian hackers and pro-Palestinian hacktivists.
The multiagency advisory also raised concerns about the vulnerability of other sectors using the same Unitronics devices, including energy, food and beverage manufacturing, and healthcare.
These devices control essential processes like pressure, temperature, and fluid flow.
The advisory identified the attackers as “Cyber Av3ngers,” linked to Iran’s Islamic Revolutionary Guards Corps, a group designated as a foreign terrorist organization by the U.S. in 2019.
The hackers’ methods reportedly involved exploiting cybersecurity weaknesses, including poor password security and internet exposure.
RELATED: Biden Considers Sending Another $10 Billion to Iran
This incident has raised alarms about the cybersecurity preparedness of water utilities, with experts criticizing their lack of attention to cyber threats.
In response, Pennsylvania congressmen urged the U.S. Justice Department to investigate, emphasizing the need to safeguard basic infrastructure against nation-state adversaries and terrorist organizations.
The advisory noted the default password setting in Unitronics devices, a practice discouraged by cybersecurity experts.
The Biden administration has been working to enhance the cybersecurity of critical infrastructure, which is predominantly privately owned.
However, there is criticism over the extent of self-regulation allowed in vital industries.
This attack coincides with a federal appeals court decision prompting the EPA to withdraw a rule mandating cybersecurity testing in public water systems’ regular audits, a decision influenced by legal challenges from several states and a water utility trade group.
RELATED: Municipal Water Authority Confirms Water System Attacked by Iranian Cyber Group
