The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it is responding to a cyberattack on the Municipal Water Authority of Aliquippa, located in western Pennsylvania, that involved the exploitation of Unitronics programmable logic controllers (PLCs). The incident has been attributed to a hacktivist group known as Cyber Av3ngers, which is allegedly supported by Iranian interests.
CISA reported that threat actors are particularly targeting PLCs associated with water and wastewater systems, which are critical components in the management of such facilities. In light of the attack, the Municipal Water Authority promptly took the affected systems offline, transitioning to manual operations. Fortunately, the agency asserts that there is no current threat to the drinking water supply.
Reports from the Water Information Sharing and Analysis Center (WaterISAC) indicate that Cyber Av3ngers may have gained unauthorized access to a crucial booster station responsible for monitoring and regulating water pressure for both Raccoon and Potter Townships. Investigations suggest that the attackers exploited weak password practices on the Unitronics Vision Series PLC, which was publicly accessible over the internet.
PLCs play a vital role in the water and wastewater (WWS) sector, overseeing various processes in water treatment and management. Disruptive actions that compromise these systems can have significant consequences, hindering the delivery of safe and clean drinking water to communities. In light of this, CISA has issued recommendations for organizations to bolster their cybersecurity practices. These include changing default passwords on Unitronics PLCs, implementing multi-factor authentication, disconnecting PLCs from the internet, maintaining backup configurations, and ensuring that systems are updated with the latest security patches.
Cyber Av3ngers has demonstrated a history of targeting critical infrastructure. The group has publicly claimed responsibility for multiple cyber intrusions, particularly within the water treatment sector, including recent actions that allegedly breached around 10 water treatment facilities in Israel. Last month, they also took credit for a significant cyber assault against Orpak Systems, a major provider of fuel station solutions in Israel.
In a subsequent advisory, cybersecurity agencies from both the U.S. and Israel reiterated that the current attacks have been conducted by Iranian threat actors exploiting publicly exposed Unitronics Vision Series PLCs with default passwords. They highlighted the remote access requirements of these systems, which are often connected to the internet for control and monitoring purposes, making them susceptible to exploitation.
The compromise primarily centers on altering the PLC’s user interface, which could disrupt its operations entirely. Such access not only affects the immediate functionality of the PLC but could also grant broader network access, resulting in potentially severe cyber-physical impacts on critical processes and equipment.
As the landscape of cybersecurity threats evolves, these incidents underscore the need for heightened vigilance and improved security practices within critical infrastructure sectors. Business leaders are reminded of the importance of understanding and mitigating risks associated with connected devices, particularly those involved in essential services such as water treatment and management.
In summary, the attack against the Municipal Water Authority exemplifies the persistent threats to infrastructure security and highlights the ongoing need for proactive and strategic cybersecurity measures in an increasingly interconnected digital environment.