A group calling itself “Cyber Av3ngers,” believed to be supported by Iran’s government, has declared war against Western organizations making use of Israeli technology. One of the opening salvos in this campaign appears to be against US water utilities, with at least one confirmed strike by the Iranian hackers in Pennsylvania.
Anonymous government sources say the Iranian hackers have attacked a “single digit” number of water utilities around the country, but have yet to cause “significant” disruption. None of the incidents save the Pennsylvania attack (on the Municipal Water Authority of Aliquippa) have been officially made public as of yet.
Iranian hackers target Israel-made equipment
Aliquippa is the only one of the water utilities to publicly confirm an attack as of yet, sharing a photo of a monitoring display that had been overtaken by the Iranian hackers. The screen declares that “every equipment made in Israel” is the target of the Cyber Av3ngers group. Two insiders speaking to the media on condition of anonymity have said that there are at least several other water utilities around the country that may be impacted by these attacks.
The Aliquippa incident reportedly involved the hack of a single booster station, or a collection of pumps used to regulate pressure in a particular area (in this case two outlying townships). Authorities there said that there was no risk to the public or the drinking water supply from the Iranian hackers and that an immediate alarm when the breach occurred allowed for the situation to be addressed quickly.
The Iranian hackers appear to be attacking water utilities that use components made by Unitronics, a company based in Tel Aviv. The group has already been on a spree of hacking water utilities in Israel the last few months, claiming to have hit 10 in the country so far. There is no profit-seeking activity connected with the attacks, with the Iranian hackers seemingly attempting to spook other organizations into discontinuing use of Israeli products.
According to Robert Bible, general manager of Aliquippa’s water utilities, taking control of a booster station would not give an attacker the ability to introduce harmful agents or alter chemicals in the water supply. The Iranian hackers seem to have been limited to disabling the pumps entirely, which caused service disruptions for about 1,200 people (out of about 15,000 in the area). The FBI, CISA and the Department of Homeland Security are all now investigating the incident.
Water utilities have common vulnerabilities
Cyber Av3ngers is a known threat actor that has been in action for some time now, with at least several cybersecurity firms linking it to Iran’s Islamic Revolutionary Guard Corps. In addition to the recent spree involving water utilities, the Iranian hackers have a broad history of focusing on industrial control systems and usually use their breaches to make a political statement.
Alex Heid, VP of Threat Intelligence at SecurityScorecard, elaborates on the group’s track record and MO: “Iranian state-affiliated hacking groups have been known for their involvement in defacements, distributed denial of service (DDoS) attacks, and targeting specific critical infrastructures for over a decade. One notable early example of such activity was the 2013 breach of the Bowman Dam in New York. These groups have historically increased their activities during periods of international conflict, such as the current tensions between Israel and Palestine. The technical sophistication of their attacks has been evolving, particularly in exploiting PLC/SCADA systems, often targeting Israeli-designed systems. The recent incident in Pennsylvania is part of a larger pattern of attacks claimed by Cyber Av3ngers. The group’s communications on their Telegram channel suggest an intention to continue, and possibly escalate, their operations. The broader reality is that geopolitical conflicts will always extend into the cyber domain, where the lines between state actors, hacktivists, and private entities are often blurred.”
The group has at least appeared to rack up a victory in Aliquippa, with Bible telling reporters that the county intends to swap out all Unitronics components as a precaution. The group will likely pop up at more water utilities, given that many are connected to the internet and some Unitronics systems ship with a default password of “1111.” CISA issued a public alert about the threat earlier in the week, and is offering water utilities free vulnerability scanning.
CISA’s notification also indicated that the Iranian hackers likely took advantage of weak passwords to get in. The situation puts a spotlight on the cybersecurity challenges that water utilities throughout the country face, as the smaller among them sometimes barely have enough money to function properly, let alone to adequately staff an IT team. An unknown attacker also recently hit a water district in north Texas, though that breach did not involve Unitronics products and is not connected to the Iranian hackers at this time.
US officials have projected that attacks from Iran against critical infrastructure are likely to surge as the conflict between Israel and Hamas goes on. However, the Environmental Protection Agency recently dropped plans to subject water utilities to new cybersecurity audits as part of existing sanitary surveys. The agency had been facing pressure from industry groups in addition to lawsuits from the governors of Arkansas, Iowa and Missouri claiming that it had no legal right to establish this requirement. The EPA said that it will continue to provide cybersecurity risk assessments, training and subject matter expert consultations to utility companies.
For its part, CISA is cautioning all water and waste facilities to ensure that default passwords on equipment have been changed, that multi-factor authentication has been enabled and that Unitronics PLCs are either disconnected from the internet or at least switched from their default TCP port.
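As an added illustration of how a utility might check itself against the four CISA recommendations above (example code written for this page, not from the article, CISA or Unitronics), the following audit flags accepted connections to a PLC's control port from outside the plant's address ranges and lists which recommendations an inventory record still fails. It assumes the Unitronics PCOM default is TCP port 20256 and uses a constructed firewall log format of the form "<timestamp> ACCEPT|DROP src=<ip> dst=<ip> dport=<n>".

```python
import ipaddress
import re

PCOM_DEFAULT_PORT = 20256   # assumed Unitronics PCOM default TCP port
DEFAULT_PASSWORD = "1111"   # default password cited in the article
# Address ranges treated as the utility's own plant/enterprise networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample firewall log: one accepted PCOM session from outside.
SAMPLE_LOG = """\
2023-11-25T02:14:07Z ACCEPT src=10.20.30.4 dst=10.20.30.50 dport=20256
2023-11-25T02:15:11Z ACCEPT src=203.0.113.77 dst=10.20.30.50 dport=20256
2023-11-25T02:15:12Z DROP src=203.0.113.77 dst=10.20.30.51 dport=20256
2023-11-25T02:16:40Z ACCEPT src=198.51.100.9 dst=10.20.30.50 dport=443
"""

def is_internal(ip):
    """True if the address falls inside one of the plant/enterprise ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_exposed_plc_sessions(log_text, plc_port=PCOM_DEFAULT_PORT):
    """Accepted connections to the PLC port from non-internal sources: direct
    evidence that the PLC is reachable from the Internet on that port."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT" or int(m["dport"]) != plc_port:
            continue
        if not is_internal(m["src"]):
            findings.append((m["ts"], m["src"], m["dst"]))
    return findings

def unmet_hardening(plc):
    """List the CISA recommendations a PLC inventory record still fails.
    plc keys: password, mfa, port, internet_reachable."""
    gaps = []
    if plc["password"] == DEFAULT_PASSWORD:
        gaps.append("default password unchanged")
    if not plc["mfa"]:
        gaps.append("MFA not enabled on remote access")
    if plc["internet_reachable"]:   # disconnecting makes the port moot
        on_default = plc["port"] == PCOM_DEFAULT_PORT
        gaps.append("reachable from the Internet"
                    + (" on the default TCP port" if on_default else ""))
    return gaps

if __name__ == "__main__":
    print(find_exposed_plc_sessions(SAMPLE_LOG))
    print(unmet_hardening({"password": "1111", "mfa": False,
                           "port": 20256, "internet_reachable": True}))
```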
Howard Goodman, Technical Director at Skybox Security, adds the following recommendations: “Leaders in the utilities sector must navigate the complexities of volatility, decarbonization, digitalization, and regulatory changes. Understanding these dynamics is key to strengthening security measures. To effectively bridge the gap between operational technology and information technology, utility leaders should:
Enhance security posture management by adopting new technologies for early detection of cyber threats.
Implement automation for sustained compliance with cybersecurity best practices.
Foster a unified view across security and OT/IT with a comprehensive network model.
Break down silos to eliminate security blind spots within the organization.
Minimize downtime by optimizing remediation strategies, extending beyond traditional patching.
“These steps are not just precautionary but necessary in fostering resilience against the backdrop of international cyber warfare and its implications for critical infrastructure sectors.”