Iranian-backed hackers have been going after several US water and sewage treatment plants for quite some time now. While authorities in the US are actively addressing the cyber attack campaign, they need to be doing better.
Their novel solution? Stop using automated systems and operate the vital plant systems manually.
Eric Goldstein, Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency, reported active targeting and exploitation by these hackers. While a “small number” of water utilities have been compromised, Goldstein said that there has been no known impact on drinking water safety or operational systems.
Among the affected utilities is the Municipal Water Authority of Aliquippa in western Pennsylvania, which had to resort to manual systems, as reported by WaterISAC, an industry information-sharing body.
The CyberAv3ngers group, affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps, has been identified as the perpetrator. The group specifically targets programmable logic controllers manufactured by Unitronics, an Israeli company. These controllers are widely used in water and wastewater systems and in other industries such as energy, food and beverage manufacturing, and healthcare.
A joint cybersecurity advisory issued by US agencies, including CISA, the FBI, the National Security Agency, and the Israeli National Cyber Directorate, warned about the potential breach of these controllers, emphasizing the risks associated with internet connectivity and the use of default passwords.
The CyberAv3ngers group, known for claiming responsibility for various attacks on critical infrastructure since 2020, has faced skepticism regarding the actual impact of its actions. Experts, including John Hultquist from Mandiant Intelligence, noted that the group tends to fabricate or exaggerate its impact, focusing more on undermining a sense of security than on causing physical harm.
Michael Hamilton, Founder and Chief Information Security Officer at Critical Insight, highlighted that the success of these less sophisticated hackers often results from security oversights by their victims. The fragmented nature of the US water industry, comprising approximately 165,000 drinking water and wastewater systems, adds to the challenge, with many still in need of basic cybersecurity protections.