
Irrigation Systems in Israel Hit With Cyber Attack That Temporarily Disabled Farm Equipment

A cyber attack that targeted irrigation systems in Israel is thought to be part of an annual “hacktivist” campaign that takes place every April, and this year’s attempt at least managed to cause a nuisance for some farms in the Jordan Valley.

The hackers targeted both farms and wastewater treatment plants. They had only limited success with the latter, but about a dozen farms that failed to heed a National Cyber Directorate warning to disable certain remote connections ahead of the hacking campaign temporarily had their automated irrigation systems disabled.

Irrigation systems targeted by pro-Palestinian campaign

The cyber attack is part of an annual campaign called “OpIsrael,” which strikes in April with DDoS attacks and breach attempts on targets in the country. The campaign began in 2013 and was organized by hackers associating under the banner of Anonymous. It has not been tied to any particular group or country, but it has expressed pro-Palestinian sentiment from the beginning and has been praised by spokespersons from Hamas. The hackers seem to have chosen April because the first series of attacks was launched on Yom HaShoah, the day of remembrance for those who died in the Holocaust, though the attacks also tend to coincide with the month of Ramadan.

Each year of the cyber attack campaign seems to bring new targets of opportunity. This year the threat actors put a special focus on irrigation systems. The Galil Sewage Corporation was one of the targeted wastewater processors that was breached, and the company reports that the cyber attack blocked several controllers for about a day and disrupted some treatment processes.

The attackers had more luck with farms in the Jordan Valley, despite an advance warning from Israel’s National Cyber Directorate. Farms in the area that did not heed the call to temporarily disable remote connections had their automated irrigation systems disabled for a time, forcing them to switch to manual irrigation. Some security researchers believe that the farms that were hit were using default passwords on their controllers, making it trivial for the attackers to walk in.

This fits the general pattern of OpIsrael attackers going for the lowest-hanging fruit each year, searching for human-machine interfaces (HMIs) or PLC web interfaces that are not adequately protected. This is also often paired with DDoS campaigns and random website defacements. Though this year’s campaign ultimately amounted to a short-term nuisance, it represents more substantial real-world damage than has been seen in years past.

Security researchers based in Israel have indicated that the cyber attack campaign was also broad this year, making attempts on thousands of water monitors. The hackers also reportedly made attempts on government, university and media websites, though these appear to have escaped harm for the most part.

While the current assumption is that weak passwords were the main culprit, Itay Glick (VP of Products at OPSWAT) notes that there was a known vulnerability in the irrigation systems that were targeted that may not have been remediated: “While some experts suggested the hack on the ICS systems was attributed to the use of default passwords, it’s possible that other methods were employed. For example, there was a critical vulnerability in a specific device dated back to 2015 (CVE-2015-7905), which could have been exploited by any average hacker. If this was the case, this underscores the importance of scanning and validating that OT devices are updated. There’s also a small chance that this vulnerability could have been remediated. If so, a different unknown vulnerability was exploited. To protect from such unknown vulnerabilities, a preventative approach is most effective, and the best way to achieve this is with segregation and monitoring of the OT traffic.”
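The three controls raised above (default credentials on HMI/PLC web interfaces, controllers left on unpatched firmware, and remote connections into the OT segment that the Directorate asked operators to disable) can all be checked offline from an asset inventory and firewall flow records. The script below is an added example written for this article; it is not code from the article, OPSWAT or any affected operator. The device names, addresses, firmware versions, default-credential list and log lines are constructed for the example, the "min_fixed_firmware" field is a placeholder for whatever version the operator has recorded as fixed (it is not the fix version for CVE-2015-7905), and the flow-log format is an assumed key=value layout that a real firewall export would need to be mapped onto.

```python
import ipaddress
import re

# Segments allowed to reach controllers: the controller VLAN and the
# engineering-workstation VLAN. Constructed ranges, not a real site.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16"),
               ipaddress.ip_network("10.51.10.0/24")]

# Ports on which PLC/HMI web and control protocols are commonly exposed
# (HTTP, HTTPS, Modbus/TCP, EtherNet/IP). Extend with the site's own ports.
OT_SERVICE_PORTS = {80, 443, 502, 44818}

# Vendor-default username/password pairs to test the inventory against.
# Constructed, generic list; a real audit uses each vendor's documented defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("admin", ""),
                       ("root", "root"), ("operator", "operator")}

# Constructed asset inventory. "min_fixed_firmware" is the lowest firmware the
# operator has recorded as carrying the fix for a known device vulnerability;
# the version strings are placeholders, not any real vendor's numbering.
INVENTORY = [
    {"name": "pump-plc-01", "ip": "10.50.3.11", "firmware": "1.4.2",
     "min_fixed_firmware": "1.4.2", "web_user": "admin", "web_pass": "admin"},
    {"name": "valve-hmi-02", "ip": "10.50.3.20", "firmware": "2.0.9",
     "min_fixed_firmware": "2.1.0", "web_user": "operator", "web_pass": "Ab7!qR2z"},
    {"name": "drip-ctl-07", "ip": "10.50.4.7", "firmware": "3.2.0",
     "min_fixed_firmware": "3.1.5", "web_user": "svc_irrig", "web_pass": "t3mp-Passw0rd"},
]

# Constructed firewall flow records in a key=value format chosen for this
# example; map your own firewall's export onto the same fields.
FLOW_LOG = """\
2023-04-09T03:12:44Z src=10.51.10.5 dst=10.50.3.11 dport=443 proto=tcp action=allow
2023-04-09T03:13:01Z src=203.0.113.77 dst=10.50.3.20 dport=80 proto=tcp action=allow
2023-04-09T03:13:02Z src=203.0.113.77 dst=10.50.3.20 dport=502 proto=tcp action=allow
2023-04-09T03:14:10Z src=10.50.3.11 dst=10.50.3.20 dport=502 proto=tcp action=allow
2023-04-09T03:15:30Z src=198.51.100.9 dst=10.50.4.7 dport=44818 proto=tcp action=deny
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=\S+ action=(?P<action>\S+)$")


def _version(v):
    """'2.0.9' -> (2, 0, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _in_ot_segment(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OT_SEGMENTS)


def find_weak_devices(inventory=INVENTORY):
    """Return (device, issue) pairs for default credentials or unpatched firmware."""
    findings = []
    for dev in inventory:
        if (dev["web_user"], dev["web_pass"]) in DEFAULT_CREDENTIALS:
            findings.append((dev["name"], "DEFAULT_CREDENTIALS"))
        if _version(dev["firmware"]) < _version(dev["min_fixed_firmware"]):
            findings.append((dev["name"], "OUTDATED_FIRMWARE"))
    return findings


def find_remote_access(log_text=FLOW_LOG):
    """Flag flows to an OT service port from outside the OT/engineering segments.

    An allowed flow is exactly the remote-access path operators were told to
    close; a denied one shows the perimeter holding but still records who probed.
    """
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not _in_ot_segment(dst) or dport not in OT_SERVICE_PORTS:
            continue
        if _in_ot_segment(src):
            continue  # intra-OT traffic is expected
        label = "REMOTE_ALLOWED" if m["action"] == "allow" else "REMOTE_BLOCKED"
        findings.append((m["ts"], src, dst, dport, label))
    return findings


if __name__ == "__main__":
    for name, issue in find_weak_devices():
        print(f"{issue:20} {name}")
    for ts, src, dst, dport, label in find_remote_access():
        print(f"{label:20} {ts} {src} -> {dst}:{dport}")
```

On the constructed data, the inventory check reports pump-plc-01 for default credentials and valve-hmi-02 for firmware below the recorded fix, and the flow check reports two allowed connections from 203.0.113.77 into the HMI's web and Modbus ports plus one blocked probe. The point of running the two checks together is the one Glick makes: a device that passes the credential check but fails the firmware check is still reachable by anyone who can get a packet to it, so the flow check is the control that matters when the vulnerability is unknown.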

Cyber attacks increasingly cross real world lines

Attempts on critical infrastructure have become a hallmark of ransomware gangs in the past two years, after the Colonial Pipeline and JBS attacks crossed a line that these groups had been afraid to cross in the past. But the attack on irrigation systems illustrates that activists, and even outright terrorists, are also interested in these targets for purely political purposes.

Part of the appeal of irrigation systems is a perception of lax cybersecurity relative to the damage that they could potentially do. While some aspects of critical infrastructure are highly secure, others are largely run by private companies that may or may not be subject to special government regulations. When they are not, major gaps for hackers to exploit often appear.

Attacks on Israel’s critical infrastructure are not new, nor are they limited to the annual OpIsrael campaign. In 2020 the country experienced a sustained attack on all sorts of irrigation systems and pumping stations, to the point that CISA issued an alert to partners and allies.

In addition to fielding incursion attempts from pro-Palestine forces, the country is regularly targeted by Iran’s state-backed hacking teams. Israeli cybersecurity officials blamed Iranians for “dozens” of cyber attack attempts taking place throughout 2022 and into 2023, culminating in a breach of the Israel Institute of Technology that shut down IT systems and forced scheduled exams to be postponed. Though state-backed hackers and activists very rarely make use of ransomware, they seem to be more than willing to deploy it against targets in Israel purely for destructive purposes whenever the opportunity presents itself.

The geopolitical situation in the region virtually guarantees that these sorts of cyber attacks will occur, as real-world terrorist incidents have become a regular occurrence and have claimed over 1,000 lives since the Oslo Accords were signed in 1993. While government-controlled systems appear to be much more locked down, the breach of the irrigation systems demonstrates that private industry has some improvements to make to avoid becoming the launch point for a potentially damaging digital attack.