Pennsylvania water facility hit by Iranian hackers


CISA warns that an Iranian hacktivist group targeting water and energy facilities in Israel has now attacked the water authority serving two townships in Pennsylvania over the weekend, by compromising Israeli-made industrial control devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) advisory, released Tuesday, says the hackers are actively exploiting Israeli-manufactured Unitronics programmable logic controllers (PLCs) commonly used in water and wastewater systems (WWS).

The cyberattack took place on Saturday, November 25th at the Municipal Water Authority of Aliquippa (MWAA) in Western Pennsylvania.


The attackers were able to gain control of a remote booster station that regulates and monitors pressure for two local municipalities, Raccoon and Potter Townships, with a combined population of just over 3,000. Parts of Hopewell Township and the City of Aliquippa are also served by the water authority.

Matthew Mottes, board chairman at the MWAA, said an alarm went off, and the system was immediately disabled, stressing there was no known risk to the drinking water or water supply.

Apparently, the threat actors who carried out the attack – the Iranian-backed group known as the CyberAv3ngers – posted a message on the system claiming responsibility.

“You’ve been Hacked. Down with Israel. Every Equipment "Made In Israel " Is CyberAv3ngers Legal Target!” the gang's message read.

Mottes told the local CBS station in Pittsburgh (KDKA) that the Unitronics PLC model V570 series exploited in the attack has software components that are Israeli-owned.

Iranian hacktivists are evolving

“Open Source Intelligence (OSINT) suggests that this group is likely Iranian state-affiliated, operating under the guise of hacktivism, a pattern consistent with previous campaigns linked to Iran,” said Alex Heid, VP of Threat Intelligence at SecurityScorecard.


The CyberAv3ngers have claimed attacks on at least ten water treatment stations in Israel as of October 30th, 2023, according to their X profile.

CISA said the Iranian threat group was most likely able to exploit the Unitronics device – which has a Human Machine Interface (HMI) – through poor password security and exposure to the internet.

Iranian-linked hacker groups, such as the CyberAv3ngers, have been known for "defacements, distributed denial of service (DDoS) attacks, and targeting specific critical infrastructures" for over a decade, said Heid.

Heid says these groups historically increase activities during periods of geopolitical conflict, such as the current tensions between Israel and Palestine, blurring the lines between state actors, hacktivists, and private entities.

One notable example Heid points out was the 2013 breach of New York's Bowman Dam, where Iranian hackers gained unauthorized access to the dam's flood controls, reportedly through a cellular modem.

"The technical sophistication of these groups is evolving, particularly in exploiting PLC/SCADA systems, often targeting Israeli-designed systems," Heid said.

Local critical infrastructure remains vulnerable

“Attacks on our critical infrastructure like water are unacceptable. I intend to push for a full investigation here and accountability for the attackers… to shore up America's defenses,” stated Pennsylvania Congressman Chris Deluzio, who said he is monitoring the situation.

The hacked MWAA system is now offline and being operated manually while the Department of Homeland Security investigates, officials stated.


Heid said the breach also shines a spotlight on cybersecurity challenges in the US, especially at the local level.


"Local and municipal governments are often less equipped to defend against sophisticated cyber threats, making them attractive targets for state-sponsored actors," Heid said.

"As these threats continue to evolve, the need for continuous monitoring of the threat landscape, increased vigilance at the perimeter, and preparedness for the eventuality of an incident," he added.

CISA recommends all WWS facilities change the Unitronics PLC default password, incorporate multi-factor authentication, and either disconnect the PLC from the open internet or make sure not to use the default TCP port.

A compromised water and wastewater system could affect the ability to “provide clean, potable water to, and effectively manage the wastewater of a community," CISA said.