U.S. cybersecurity officials are warning utilities to increase basic cyber protections amid the active targeting of several water facilities by an Iranian-linked hacking group.
The targeting of devices made by the Israeli company Unitronics by Cyber Av3ngers, a hacking group with ties to Iran’s Islamic Revolutionary Guard Corps, has highlighted basic weaknesses in the water sector. The hackers are not known for sophisticated cyberattacks and often exaggerate the impact of their operations. The hacking spree against Unitronics devices appears to be aimed at influencing the perception of Israeli technologies and had little operational impact on the water facilities.
“We have seen no access to operational systems at these water facilities, nor have we seen any impact to the provision of safe drinking water to the targeted populations,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, told reporters Monday.
Goldstein did not provide exact figures on the impacted water facilities, but an alert from CISA, the FBI, the National Security Agency, the Environmental Protection Agency and the Israel National Cyber Directorate noted “continued malicious cyber activity.” A government official said last Thursday that the number of affected facilities was less than 10, and so far only a municipal water facility in Aliquippa, Pa., has been identified as a victim.
“This event is really a clarion call for every organization running operational technology to focus on some critically important but basic steps, like removing these assets from the internet and resetting default passwords, and also focus on implementing CISA’s cybersecurity performance goals,” Goldstein said.
Brett Leatherman, section chief of national security cyber operations at the FBI, said that the bureau has “historically taken an aggressive stance on releasing information to the public on Iranian offensive cyber activity.”
Leatherman added that the FBI “will continue to work with our domestic and international partners to identify, disrupt and impose costs on Iranian affiliate actors for engaging in this activity.”
Goldstein noted that the agency is concerned about the potential for more targeted attacks or intrusions against the Israeli technology, but that it has not seen anything to that effect yet. Goldstein also said that CISA’s regional teams are “conducting notifications” for organizations that have Unitronics devices facing the internet. The Cyber Av3ngers are thought to have done nothing more than log in with the default password on devices that were reachable from the open internet.
Leatherman noted that the type of access gained by the Cyber Av3ngers can lead to deeper device and network access and “more profound cyber-physical effects.”
The opportunistic attacks on the Israeli manufacturer’s devices also highlight the lack of cybersecurity mandates for the water sector. While there is little evidence that the Cyber Av3ngers deliberately singled out the water sector (a Pittsburgh brewery was also among its victims), the campaign draws attention to the EPA’s recent decision to stop pursuing cybersecurity mandates through sanitary surveys, a decision that followed a lawsuit over the regulations by several Republican-led states and water trade groups.
David Travers, director of the water infrastructure and cyber resilience division at the EPA, said that what “these incidents underscore for us is that without cybersecurity requirements and oversight, our nation’s water and wastewater system and the communities they serve will continue to be vulnerable.”
Travers noted that the EPA supports mandating additional cybersecurity requirements, but in the interim offers cybersecurity evaluation programs.
“The myth that the EPA and CISA have labored to dispel is that implementing such cybersecurity practices is both expensive and hopelessly complex,” he said, “when in fact effective cyber hygiene usually can be inexpensive and straightforward.”
Correction, Dec. 5, 2023: An earlier version of this article misquoted Eric Goldstein when he discussed the need for “resetting” default passwords. The article also initially misspelled David Travers’ last name.