Net tightens around Iranian water hackers


The digital location from where an Iran-backed group launched a cyberattack on a US water facility in Pennsylvania may have been uncovered by SecurityScorecard.

The cybersecurity analyst’s investigative team said it was reasonably confident it had pinned down the internet protocol (IP) addresses, or digital locations, of the websites used to launch the November cyberattack on the Municipal Water Authority of Aliquippa.


The attack has already been attributed to the Iran-backed group CyberAv3ngers, which left a digital calling card claiming responsibility, and SecurityScorecard’s findings appear to confirm that the claim was no bluff.

The research highlighted ten IP addresses that SecurityScorecard believes may have exhibited “suspicious activity” in the month leading up to the attack. Four of these were responsible for nearly two-thirds of the traffic (180 out of 303 data flows) communicated to the water authority’s single IP during that timeframe.

“Bearing in mind that previous analysis has assessed that CyberAv3ngers likely acts in the interest of the Islamic Republic of Iran, researchers next collected additional samples of traffic involving these four IP addresses to identify possible links to Iran,” said SecurityScorecard.

Further research found that the four suspect addresses were communicating with 368 other IPs located in Iran, strongly suggesting that they themselves originated from the Middle Eastern state.

SecurityScorecard added: “Given that it would be unlikely for all 368 of the resulting Iranian IP addresses to have been involved in malicious activity – there are, after all, legitimate uses for VPNs – researchers next sought to narrow the results further and focus on those most likely to have been involved in activity targeting the water authority.”

Researchers accordingly filtered the batch down to just six addresses, which, together with the four primary ones, make up the ten suspect IPs reported by SecurityScorecard.

The analyst believes that thorough scrutiny of IP communications in the future could help to avert more attacks like the one on Aliquippa.

“Monitoring networks for evidence of communication with the IP addresses identified above may help organizations defend against activity like the recent water authority attack,” said SecurityScorecard.
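The two steps the report describes, ranking sources by their share of flows to a single destination and alerting on any traffic involving a published indicator, are illustrated by the following example, which is added here and is not SecurityScorecard’s code; the flow records, target address and watchlist are constructed placeholders, not the indicators from the report.

```python
from collections import Counter

# Constructed sample records, not data from the report: (source IP, destination IP).
# Addresses are documentation-range placeholders (RFC 5737), not real indicators.
TARGET_IP = "203.0.113.10"  # stands in for the water authority's single IP
SAMPLE_FLOWS = (
    [("198.51.100.7", TARGET_IP)] * 5
    + [("198.51.100.9", TARGET_IP)] * 3
    + [("192.0.2.4", TARGET_IP), ("192.0.2.5", TARGET_IP)]
    + [("192.0.2.4", "203.0.113.99")]  # flow to another host, ignored by the tally
)
# Hypothetical watchlist standing in for the published set of suspect addresses.
WATCHLIST = {"198.51.100.7", "198.51.100.9", "198.51.100.20"}


def flows_per_source(flows, target=TARGET_IP):
    """Count data flows from each source IP to the target (the report's 303-flow tally)."""
    return Counter(src for src, dst in flows if dst == target)


def top_talkers(counts, share=2 / 3):
    """Smallest set of sources, taken in descending flow order, that accounts for at
    least `share` of all flows to the target; the report's four-of-ten addresses were
    singled out because they carried nearly two-thirds of the flows."""
    total = sum(counts.values())
    picked, covered = [], 0
    for ip, n in counts.most_common():
        picked.append((ip, n))
        covered += n
        if covered >= share * total:
            break
    return picked


def watchlist_hits(flows, watchlist=WATCHLIST):
    """Flows whose source or destination is on the indicator list: the monitoring
    the report recommends, expressed as a simple match over flow records."""
    return sorted({(s, d) for s, d in flows if s in watchlist or d in watchlist})


if __name__ == "__main__":
    counts = flows_per_source(SAMPLE_FLOWS)
    print("flows to target:", dict(counts))
    print("top talkers (>= 2/3 of flows):", top_talkers(counts))
    for src, dst in watchlist_hits(SAMPLE_FLOWS):
        print(f"ALERT watchlist match {src} -> {dst}")
```

On real data the flow records would come from NetFlow/IPFIX or firewall logs, and the watchlist from the indicator set an organization has chosen to track.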


It added: “Local and municipal governments and utilities are often less equipped to defend against sophisticated cyber threats, making them attractive targets for state-sponsored actors.”