After hackers compromised an industrial control system (ICS) at a water utility in the United States, the cybersecurity agency CISA issued an alert over the exploitation of the targeted device.
The target of the attack was the Municipal Water Authority of Aliquippa in Pennsylvania, which confirmed that hackers took control of a system associated with a station where water pressure is monitored and regulated, but said there was no risk to the water supply or drinking water.
Based on publicly available information, the hackers targeted a Unitronics Vision system, which is a programmable logic controller (PLC) with an integrated human-machine interface (HMI).
A hacktivist group called Cyber Av3ngers, known to be anti-Israel and possibly linked to Iran, has taken credit for the attack, apparently targeting the Israel-made Unitronics PLC.
Unitronics Vision products have been known to be affected by critical vulnerabilities that could expose devices to attacks. However, HMIs are often accessible from the internet without authentication, making them an easy target even for low-skilled threat actors.
In the case of the Municipal Water Authority of Aliquippa, CISA noted that the attackers likely accessed the ICS device “by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet”.
This statement suggests that the attackers likely leveraged the fact that the device was insecurely configured, rather than exploiting an actual vulnerability. This would not be surprising for a hacktivist group as these types of threat actors mostly target low-hanging fruit and do not waste time and energy creating sophisticated exploits.
In order to protect their Unitronics PLCs against potential attacks, organizations have been urged by CISA to change the default ‘1111’ password, require multi-factor authentication for remote access to OT systems, ensure that the controller is not directly exposed to the internet, create backups for the PLC’s logic and configuration in case it gets compromised, change the default port, and update the device to the latest version.
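The six recommendations above can be turned into a repeatable check over an asset inventory. The following Python sketch is an added example, not code from CISA or Unitronics. The inventory field names, the trusted network range, the 90-day backup threshold and the default port value 20256 are assumptions to adapt to your environment.

```python
import ipaddress
from datetime import date

DEFAULT_PORT = 20256       # assumption: vendor default TCP port; confirm for your model
MAX_BACKUP_AGE_DAYS = 90   # assumption: local policy, not a figure from the alert
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed OT management range

def exposed_sources(allowed_sources):
    """Return firewall source ranges that are not inside a trusted network."""
    bad = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS):
            bad.append(src)
    return bad

def audit(plc, today):
    """Map one inventory record to the list of recommendations it fails."""
    findings = []
    if plc["password_is_default"]:
        findings.append("default '1111' password still set")
    if not plc["remote_access_mfa"]:
        findings.append("remote access without MFA")
    for src in exposed_sources(plc["allowed_sources"]):
        findings.append(f"reachable from untrusted range {src}")
    if plc["last_backup"] is None or (today - plc["last_backup"]).days > MAX_BACKUP_AGE_DAYS:
        findings.append("no recent backup of logic and configuration")
    if plc["port"] == DEFAULT_PORT:
        findings.append("listening on default port")
    if not plc["firmware_current"]:
        findings.append("firmware not on latest version")
    return findings

# Constructed sample inventory (hypothetical field names and values).
INVENTORY = [
    {"name": "booster-station", "password_is_default": True, "remote_access_mfa": False,
     "allowed_sources": ["0.0.0.0/0"], "last_backup": None, "port": 20256,
     "firmware_current": False},
    {"name": "treatment-plant", "password_is_default": False, "remote_access_mfa": True,
     "allowed_sources": ["10.20.5.0/24"], "last_backup": date(2023, 11, 1), "port": 20300,
     "firmware_current": True},
]

if __name__ == "__main__":
    for plc in INVENTORY:
        for finding in audit(plc, today=date(2023, 12, 1)):
            print(f"{plc['name']}: {finding}")
```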
Such PLCs are used by organizations in the water and wastewater sector to control and monitor processes. An attack on these systems could threaten the ability of facilities to provide clean water and effectively manage wastewater, CISA warned.
Cyberattacks aimed at the water sector are increasingly common and there have been some confirmed reports of attacks impacting ICS at water facilities. In an effort to help organizations in this sector protect their systems, CISA has been offering a free vulnerability scanning service.