When hackers linked to Iran penetrated a programmable logic controller at a water pumping station in Pennsylvania last weekend, they had their pick of a huge number of such devices connected to the internet.
The operation by the so-called Cyber Av3ngers — a group linked to Iran’s Islamic Revolutionary Guard Corps that is known for overstating the impact of their attacks — targeted a device made by the Israeli firm Unitronics. Among the firm’s global customer base, there are some 1,800 Unitronics devices facing the internet, and experts caution that the incident involving the Municipal Water Authority of Aliquippa, Pa., highlights the huge risk of internet-connected devices in industrial facilities.
It remains unclear how many water utilities are affected by the Cyber Av3ngers campaign. As U.S. investigators continue to probe the incident, a government official familiar with the matter said that they believe the number of affected facilities is in the single digits, a figure first reported by Politico.
On Tuesday, Pennsylvania lawmakers wrote to Attorney General Merrick Garland, urging a federal investigation into the attack against the water facility.
“Any attack on our nation’s critical infrastructure is unacceptable. If a hack like this can happen here in Western Pennsylvania, it can happen elsewhere in the United States,” said Sens. Bob Casey, D-Pa. and John Fetterman, D-Pa., and Rep. Chris Deluzio, D-Pa. “Folks in Pennsylvania and across the country deserve peace of mind that basic infrastructure such as their drinking water is safe from nation-state adversaries and terrorist organizations.”
Amid fighting in Gaza in the aftermath of the Oct. 7 attack by Hamas, the Cyber Av3ngers have declared all Israeli targets to be fair game. That’s opened up clients of Unitronics to attack, even if the operations so far have had minimal impact. Among the reported victims are a brewery in Pittsburgh, an aquarium, and four water facilities, according to a local media report.
The Pennsylvania water facility switched to manual operations, and the Pittsburgh brewery called external support. Both continue to provide clean water and brews, respectively, to their customers.
On Wednesday, the Cybersecurity and Infrastructure Security Agency warned about the campaign targeting Unitronics and urged critical infrastructure owners and operators to take basic security precautions, such as removing devices from the open internet and changing default ports and passwords — “1111” in the case of Unitronics.
The alert noted that the Pennsylvania water facility had poor security practices that led to the breach.
CISA has long campaigned for operational technology to be taken offline if possible. A 2020 CISA alert highlighted a cyberattack on an Israeli water facility that was carried out by exploiting internet-connected industrial equipment.
A search on Shodan, a website that tracks devices online, shows that there are 285 devices of the type targeted by the Cyber Av3ngers in Pennsylvania that are connected to the internet globally. Of those, 30 are in the United States. All 285 devices use the default port exploited by the hacking group.
To be sure, Shodan searches are by their nature imprecise, with frequent changes in the number of internet-connected devices.
According to CISA, the group is targeting multiple types of Unitronics devices. Globally, there are approximately 1,800 Unitronics PLCs that face the internet, according to a SentinelOne report released Thursday. For the type of Unitronics device targeted at the Pittsburgh brewery, a Shodan search reveals 67 devices in the United States and 234 globally that are connected to the internet.