CyberAv3ngers Compromise Unitronics PLCs

By Jamie Wright on April 4, 2024

Executive Summary

The water and wastewater sector plays a crucial role in health and public safety, as it is responsible for delivering clean drinking water and properly treating wastewater for communities worldwide.  Since at least November 2023, the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) has targeted a vulnerability in the Israeli-made Unitronics programmable logic controller (PLC).  These compromised devices were publicly exposed to the internet with default passwords.  On December 12, 2023, Unitronics released VisiLogic version 9.9.00 software to address this Common Vulnerabilities and Exposures (CVE) entry; the update requires users to change default passwords.

 

Background

The earth is 71% water.  The adult human body is 60% water.  The average person uses 101.5 gallons of water per day.  According to the Cybersecurity & Infrastructure Security Agency (CISA), “there are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States (US).  More than 80 percent of the US population receives their potable water from these drinking water systems, and about 75 percent of the US population has its sanitary sewerage treated by these wastewater systems”. [1]   

The federal government has identified 16 Critical Infrastructure Sectors, one of the most important being the water and wastewater sector.  The water and wastewater sector plays a crucial role in health and public safety, as it is responsible for delivering clean drinking water and properly treating wastewater for communities worldwide. [2]  Not enough attention or money has been spent to protect the US water and wastewater sector.  Water authority advocates say money and expertise are severely lacking for a sector of more than 50,000 water utilities, most of which are local authorities. [3]


Vulnerability

Since at least November 23, 2023, Iranian Government IRGC-affiliated Advanced Persistent Threat (APT) cyber actors using the persona “CyberAv3ngers” have continued to exploit default credentials in Israeli-made Unitronics PLCs.  These compromised devices were publicly exposed to the internet with default passwords and, by default, listen on TCP port 20256.  Victims of these attacks span multiple US states, one of which was the Municipal Water Authority of Aliquippa (MWAA) in Pennsylvania, about 30 miles outside Pittsburgh.  The CyberAv3ngers were able to hack into the MWAA and take control of a booster station.  The MWAA was able to retake control of its systems and resume operations with no interruptions to service.  But the attack on MWAA’s water system raised alarms in the highest levels of the federal government. [4]

In December 2023, CISA, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Environmental Protection Agency (EPA) released a joint cybersecurity advisory on these incidents recommending that organizations upgrade their Unitronics PLCs to VisiLogic version 9.9.00 software, which requires users to change the default passwords on PLCs and Human Machine Interfaces (HMIs).  A strong password is highly recommended.  Additionally, to strengthen the organization’s security posture, multifactor authentication for access to the operational technology (OT) network and the implementation of a firewall or virtual private network in front of the PLC are strongly recommended. [5]
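The firewall recommendation above can be checked from the defender's side by reviewing perimeter logs for traffic to TCP port 20256 that does not come from an approved management network.  The following is an added example, not part of the original article or the advisory; the log layout, the sample lines, the allowlisted subnet and the function names are all constructed assumptions.

```python
import ipaddress

PLC_PORT = 20256  # default Unitronics TCP port named in the article
# Assumption: only this engineering/VPN subnet may reach the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines; the key=value layout is hypothetical.
SAMPLE_LOG = """\
2023-11-25T02:14:07Z action=ACCEPT proto=TCP src=203.0.113.45 dst=10.50.1.10 dport=20256
2023-11-25T02:14:09Z action=ACCEPT proto=TCP src=10.20.0.15 dst=10.50.1.10 dport=20256
2023-11-25T02:15:30Z action=DROP proto=TCP src=198.51.100.7 dst=10.50.1.11 dport=20256
2023-11-25T02:16:02Z action=ACCEPT proto=TCP src=203.0.113.45 dst=10.50.1.10 dport=443
2023-11-25T02:17:44Z action=ACCEPT proto=UDP src=203.0.113.45 dst=10.50.1.10 dport=20256
malformed line without fields
"""

REQUIRED = {"action", "proto", "src", "dst", "dport"}

def parse_line(line):
    """Return a dict of fields, or None if the line is unusable."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not REQUIRED <= fields.keys():
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    fields["time"] = parts[0]
    return fields

def find_exposures(log_text):
    """List (time, src, dst, status) for non-allowlisted TCP/20256 traffic."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != PLC_PORT:
            continue
        if any(rec["src"] in net for net in ALLOWED_SOURCES):
            continue
        # ACCEPT means the PLC was reachable; DROP means the firewall held.
        status = "exposed" if rec["action"] == "ACCEPT" else "blocked-probe"
        findings.append((rec["time"], str(rec["src"]), rec["dst"], status))
    return findings

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(*finding)
```

An "exposed" result means a PLC accepted a connection from outside the management network and should be moved behind the firewall or VPN; a "blocked-probe" result shows the control working.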

 

Significance

Cyber attacks on water and wastewater utilities can cause significant harm.  Cyber attacks can upset treatment and conveyance processes by opening and closing valves, overriding alarms or disabling pumps or other equipment.  Attackers can steal customers’ personal data or credit card information from the billing system and install malicious programs like ransomware.  These attacks can compromise the ability of water and wastewater utilities to provide clean and safe water to customers, erode customer confidence, and result in financial and legal liabilities. [6]  Implementing cybersecurity best practices is critical for water and wastewater utilities, as cyber attacks are a growing threat to critical infrastructure sectors.  Implementing even a basic cybersecurity program can ensure the integrity of process control systems, protect sensitive data, and reduce legal liabilities.

References

1. Grant Geyer, Cybersecurity 101: Securing Water & Waste Water Facilities, June 26th, 2023: https://claroty.com/blog/cybersecurity-action-plan-built-for-water-wastewater-facilities

2. Grant Geyer, Cybersecurity 101: Securing Water & Waste Water Facilities, June 26th, 2023: https://claroty.com/blog/cybersecurity-action-plan-built-for-water-wastewater-facilities

3. Associated Press, States and Congress Wrestle With Cybersecurity After Iran Attacks Small Town Water Utilities, January 2, 2024: https://apnews.com/article/water-utilities-hackers-cybersecurity-1c475f5d2ef3b5d52410c93bdeab3aad

4. CISA, IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities, Alert Code: AA23-335A, December 01, 2023: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

5. CISA, IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities, Alert Code: AA23-335A, December 01, 2023: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

6. EPA, Water Sector Cybersecurity Brief for States, Jul 31, 2023: https://www.epa.gov/sites/default/files/2018-06/documents/cybersecurity_guide_for_states_final_0.pdf