U.S. officials are investigating an incident at a Pennsylvania water utility after hackers linked to Iran’s Islamic Revolutionary Guard Corps — who have a history of making exaggerated and false claims about their hacking exploits — breached a device at a remote water station.
The hackers, who call themselves the “Cyber Av3ngers,” were able to gain control of at least one device at the Municipal Water Authority of Aliquippa, Pa. The hackers breached a remote water station that regulates pressure for two townships with a population of just over 7,000 people.
Robert Bible, the general manager of the water authority, told local publications that first reported the news that there was never any threat to the availability of water, and that once they realized the hack occurred, the utility switched to manual operations.
Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in an emailed statement that the agency is “aware” of the intrusion and that they are “closely engaged with sector and interagency partners to understand this evolving situation and provide any necessary support or guidance.”
Matthew Mottes, the chairman of the board of directors for the Municipal Water Authority of Aliquippa, told the Beaver Countian that the hackers did not get access to “anything in our actual water treatment plant — or other parts of our system — other than a pump that regulates pressure to elevated areas of our system.” The booster station sent an alarm to operators who then took manual control of the station, Mottes said.
While the incident does not appear to have impacted operations or services, the fact that Iranian-linked hackers could force a U.S. water utility to go into manual operations due to an intrusion highlights the challenges of securing critical infrastructure entities against digital breaches.
Nonetheless, experts caution against overstating the significance of the incident, as the group believed to be responsible is not known for its sophistication and has a history of making false claims about the impacts of its operations.
In July, the group claimed to be behind an attack on Israel’s largest oil refinery, but the targeted company told Bleeping Computer that the claims were false. In September, the group claimed additional attacks on Israeli rail infrastructure. Last month, the group claimed to have hacked the Israeli Dorad power facility, but the claims recycled a breach of the facility announced in June 2022 by Moses Staff, a hacktivist persona linked by Microsoft to the IRGC.
The group also has a verified account on X, the platform formerly known as Twitter, that appears to have been created in May 2011. The oldest post on the account is dated Sept. 14, 2023. Iranian-linked campaigns have been known to use hijacked Twitter accounts as part of their operations.
A cyber threat analyst familiar with the group told CyberScoop that the Cyber Av3ngers persona is “without a doubt IRGC.” The analyst, granted anonymity to speak freely about the group’s connections to the IRGC, said the group shows links to another IRGC-linked persona active in the wake of Hamas’ Oct. 7 attack, Soldiers of Solomon.
The operation fits a pattern of Iranian government-linked personas claiming major hacking successes, despite evidence to the contrary, as part of a messaging effort to attack Israel.
“Lots of big claims with not a lot of real impact in any of their attacks,” the analyst said.
By diminishing Israel’s perceived strength, Iran aims to create a perception among foreign states that aligning with Israel is fraught with risk, the analyst argued. “This involves the persistent execution of trivial network intrusions on critical infrastructure organizations that neglect to implement basic security measures,” the analyst added.
Gil Messing, chief of staff for the Israeli cybersecurity firm Check Point, said in an email Tuesday that the group “is linked to the Iranian cyber campaign against Israel,” and has carried out several attacks, including on an Israeli company called Unitronics, which supplies software used in water systems.
“As a result of this attack, one of its customers — The Municipal Water Authority of Aliquippa in Pennsylvania — reportedly suffered a cyberattack that resulted in the defacement of computer screens by this attack group,” Messing said.
The hackers appear to have accessed a Unitronics programmable logic controller and displayed an image that read: “You have been hacked. Down with Israel. Every equipment ‘made in Israel’ is a Cyber Av3ngers legal target.” Unitronics is an Israel-based publicly traded company.
Late Wednesday, CISA said in an alert that the agency is responding to “active exploitation” of Unitronics PLCs used in the water sector, implying that there may be more than one incident. The agency said that the hackers exploited poor security practices at the Pennsylvania water facility: in this case, the operators had left the Unitronics device exposed to the internet and protected by a weak password.
According to Messing, Cyber Av3ngers launched a separate, private Telegram channel called “Mr. Soul” on Oct. 23 to recruit others to help in its attacks, providing volunteers with the names of victims it wants them to target. “As part of their modus operandi, the group seems to focus their hackers on exploiting known Microsoft Exchange vulnerabilities which they hope are not patched by their targets.”
The FBI declined to comment on the matter. The water authority and Pennsylvania’s chief information security officer did not respond to requests for comment.
Rep. Chris Deluzio, D-Pa., said in an emailed statement to CyberScoop that while he is “relieved” that there is no impact to service, “attacks on our critical infrastructure are unacceptable.” Deluzio said that federal officials are investigating the incident and that he hopes to see “an aggressive federal prosecution against the attackers.”
Jennifer Lyn Walker, director of infrastructure cyber defense at the Water Information Sharing and Analysis Center, said that the “incident once again demonstrates that we are all potential targets of cyber attacks.”
The incident comes on the heels of the Environmental Protection Agency’s shelving of an effort to require cybersecurity audits for water utilities using sanitary surveys. While the proposed regulations were panned by some experts, the initiative represented a rare example of the government trying to force water utilities to devote greater resources to security after decades of underinvestment in defending digital systems.
Following the EPA’s move, CISA recently released free vulnerability scanning for water utilities.
Correction, Nov. 29, 2023: An earlier version of this article misspelled the name of Jennifer Lyn Walker.
Update, Nov. 29, 2023: This article has been updated to include information about an alert issued by the Cybersecurity and Infrastructure Security Agency.