Iranian hackers breached a Pennsylvanian water utility in an apparent politically motivated attack. Municipal Water Authority of Aliquippa (MWAA) said it resorted to manual controls after hackers breached pressure monitoring equipment at one of their booster stations over Thanksgiving weekend.
The impacted device monitors and regulates pressure for Raccoon and Potter townships in Beaver County. The attack did not affect water quality or availability.
MWAA detected the breach after losing communication with the compromised device. When technicians arrived on site to resolve the technical issue, they discovered a message reading, “You have been hacked.”
MWAA chairman of the board of directors, Matthew Mottes, noted that the attack was immediately detected and averted. He noted that the device responded appropriately, allowing the operators to manually take control of the station and avert further damage.
Similarly, the threat actors did not compromise other systems since the device had a separate network isolated from the corporate network.
Iranian hackers consider Israeli-made systems “legitimate targets”
MWAA chairperson attributed the attack to a hacktivist group known as Cyber Av3ngers, which is tied to the Iranian government.
Several water utility stations in the United States and other countries commonly use the targeted device, suggesting that more attacks were imminent.
The Iranian hackers claimed the industrial control system, likely Unitronics Vision, has “components that are Israeli-owned.” They warned that any equipment made in Israel “Is Cyber Av3ngers Legal Target!”
By October 30, 2023, the Iranian hackers claimed to have attacked at least 10 drinking water treatment stations in Israel.
“Once we obtained access to their network, established to manipulate, wipe and destruct all industrial equipment such as SCADA systems, PLCs, sensors and HMIs,” tweeted Cyber Av3ngers.
US legislators warn attacking water utility stations is “unacceptable”
Describing any attack on critical infrastructure as unacceptable, three U.S. legislators wrote to the Department of Justice (DoJ) demanding an investigation into the cyber attack.
Warning that US water utility stations were at risk of similar attacks, U.S. Sens. John Fetterman and Bob Casey and U.S. Rep. Chris Deluzio demanded assurance that America’s drinking water was safe from terrorism.
“If a hack like this can happen here in western Pennsylvania, it can happen anywhere else in the United States,” the letter stated.
“We’ve been told that we are not the only authority that’s been affected in the country, but we are believed to be the first,” the MWAA chairperson said.
Meanwhile, the Federal Bureau of Investigation collected the compromised for analysis device while the Pennsylvania State Police launched an investigation.
The affected system is standard across industries, including water and sewerage, gas and oil, and electricity. It regulates fluid flow, temperature, and pressure, allowing critical processes to run safely and efficiently.
To date, the attack vector the Iranian hackers exploited is unknown. However, the Cybersecurity and Infrastructure Security Agency (CISA) suggested the Iranian hackers exploited “cybersecurity weaknesses, including poor password security and exposure to the internet.”
Previously, researchers had discovered a critical (CVSS v3 9.8) embedded malicious code vulnerability CVE-2023-2003 in Unitronics Vision1210. When exploited, it allows a threat actor to store and execute malicious code on the target device.
Industrial control systems have limited security features and should not be accessible over the Internet to protect them from cyber-attacks. Thus, the incident raises serious questions about the water utility’s cybersecurity practices.
However, MWAA general manager Robert J Bible said the cyber attack was unexpected for a small regional water utility.
“We only serve 15,000 people. You wouldn’t put two and two together,” Bible told CNN.
According to Richard Caralli, Senior Cybersecurity Advisor at Axio, the water utility was a perfect target for Iranian hackers.
“Municipal water is an under-appreciated attack target,” said Caralli. “It has several challenges: limited cybersecurity budget and staff, significant third-party dependencies, and one of the most direct vectors for causing wide-spread effects on life, safety, and health,” said Caralli.
According to Mark Toussaint, Sr. Product Manager and operational technology (OT) expert at OPSWAT, a combination of ICS cybersecurity challenges and lack of investment was a recipe for disaster.
“Mitigating cybersecurity risks in ICS systems can present a challenge for some organizations, and particularly in Water and Wastewater Systems since they are often smaller municipalities with limited resources” said Toussaint.
However, despite their limited resources, drinking water and wastewater utilities can benefit from CISA’s free vulnerability scanning.
According to Caralli, Iranian hackers also targeted the water utility to create fear and amplify the political message they intended to pass across.
“They are also effective targets to draw attention to causes, such as the Israel/Hamas conflict, as people tend to pay attention when their vital needs are under attack—and people don’t handle “boil water” announcements very well,” noted Caralli. “Life, safety, and health is a very strong motivator to capture attention, evident in how the local Pittsburgh news carried the story as breaking news, normally reserved for major incidents impacting lives.”