The recent cyberattack on a small water authority in western Pennsylvania has shed light on a larger campaign by Iran-affiliated hackers targeting organizations in the United States. According to U.S. and Israeli authorities, the hackers specifically targeted an industrial control device that is Israeli-made. The FBI, the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and Israel’s National Cyber Directorate issued an advisory confirming the breach and stating that the victims span multiple U.S. states.
The Municipal Water Authority of Aliquippa, which discovered the breach on November 25, revealed that federal officials informed them that the same group also breached four other utilities and an aquarium. This series of attacks highlights the growing concern among cybersecurity experts that state-backed Iranian hackers and pro-Palestinian hacktivists would escalate cyberattacks on Israel and its allies following the October 7 attack on Israel by Hamas, which triggered the war in Gaza.
The advisory provided by the multiagency group confirmed the Pennsylvania hack and revealed that other industries outside of water and water-treatment facilities also use the same vulnerable equipment. The Vision Series programmable logic controllers made by Unitronics are used in industries such as energy, food and beverage manufacturing, and healthcare. These devices regulate critical processes, including pressure, temperature, and fluid flow.
During the Aliquippa hack, workers were forced to temporarily halt pumping in a remote station that regulates water pressure for two nearby towns, requiring manual operation. The hackers left a digital calling card on the compromised device, stating that all Israeli-made equipment is “a legal target.” While it is unclear if the hackers attempted to penetrate deeper into breached networks, the advisory warned that the access they gained could enable more significant cyber-physical effects on processes and equipment.
The hackers, self-identified as “Cyber Av3ngers,” are affiliated with Iran’s Islamic Revolutionary Guard Corps, which the U.S. designated as a foreign terrorist organization in 2019. The advisory revealed that the group had been targeting Unitronics devices since at least November 22. A search using the Shodan service identified over 200 internet-connected devices in the U.S. and more than 1,700 globally.
The advisory also highlighted the cybersecurity weaknesses that allowed the hackers to access the affected devices. Unitronics devices ship with a default password, a practice cybersecurity experts discourage because it makes the devices easier to compromise. Best practices dictate that devices should require a unique password to be created upon setup. It is believed that the hackers exploited poor password security and direct exposure of the devices to the internet to gain access.
Experts have noted that many water utilities have not given sufficient attention to cybersecurity, raising concerns about the safety of drinking water and other basic infrastructure. In response to the Aliquippa hack, three Pennsylvania congressmen have requested an investigation by the U.S. Justice Department. They emphasized the importance of protecting Americans from threats by “nation-state adversaries and terrorist organizations.”
The Cyber Av3ngers claimed to have hacked ten water treatment stations in Israel in an October 30 social media post, although it is unclear if they caused any equipment shutdowns. Since the Israel-Hamas war began, the group has intensified its targeting of Israeli critical infrastructure, according to cybersecurity experts.
The attack on the water authority occurred less than a month after the EPA rescinded a rule that would have required cybersecurity testing as part of the regular federally mandated audits of U.S. public water systems. This rollback was prompted by a federal appeals court decision in a case brought by Missouri, Arkansas, and Iowa, with support from a water utility trade group.
The Biden administration has been working to strengthen the cybersecurity of critical infrastructure, particularly since more than 80% of it is privately owned. Regulations have been imposed on sectors such as electric utilities, gas pipelines, and nuclear facilities. However, experts argue that many vital industries are still allowed to self-regulate, highlighting the need for further action to protect critical infrastructure from cyber threats.