Joint Cybersecurity Advisory (“CSA”) Issued Regarding IRGC-Affiliated Cyber Threats to Multiple Sectors, including U.S. Water and Wastewater Systems Facilities

Balch & Bingham LLP

On December 1, 2023, the Federal Bureau of Investigation (“FBI”), Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), Environmental Protection Agency (“EPA”), and the Israel National Cyber Directorate (“INCD”)—hereafter referred to as “the authoring agencies”— issued a joint Cybersecurity Advisory (“CSA”) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (“IRGC”)-affiliated Advanced Persistent Threat (“APT”) cyber actors.

Summary Background

The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the water and wastewater systems sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. These PLCs may be rebranded and appear under the names of different manufacturers and companies.

CISA released a similar alert regarding Unitronics PLCs on November 28, 2023, but this most recent joint CSA shares indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations. Since at least November 22, 2023, the IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices, leaving an image indicating that the victim has been hacked, and that the cyber actors are targeting all equipment made in Israel.  The victims span multiple U.S. states.

Mitigation Recommendations

The cybersecurity advisory urges all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the mitigation section of the CSA to reduce the risk of compromise. These steps include, but are not limited to:

  1. changing all default passwords to strong, unique passwords;
  2. disconnecting the PLC from the public-facing internet;
  3. implementing multi-factor authentication for access to the operational technology (OT) network;
  4. implementing firewalls and VPNs in front of the PLC to control network access;
  5. keeping PLC devices updated with manufacturer updates; and
  6. confirming that third-party vendors are applying the same or similar countermeasures.

Reporting Instructions

All organizations should report suspicious or criminal activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

Additionally, the WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

To read the full CSA, click here.

(This CSA page linked above also contains links to downloadable copies (i.e., XML, JSON) of the indicators of compromise (IOCs).)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Balch & Bingham LLP | Attorney Advertising
