Security Experts:

Hackers Knew How to Target PLCs in Israel Water Facility Attacks: Sources

The actions of the hackers who recently targeted water facilities in Israel show their sophistication and prove that they knew exactly what they were doing, according to people with knowledge of the attacks.

The Israeli government revealed recently that several water and wastewater facilities across the country were targeted in a coordinated attack on April 24 and 25. Authorities said the threat actors targeted industrial control systems (ICS), but that they did not manage to cause any damage.

The attacks targeted wastewater treatment plants, pumping stations and sewage facilities, and organizations in the water sector have been instructed by Israeli authorities to immediately take measures to prevent attacks, including changing passwords to internet-exposed control systems, reducing internet exposure, and ensuring that all software is up to date.

Sources told SecurityWeek that the attackers targeted programmable logic controllers (PLCs) used to control valves. The changes made to the PLC logic were valid, which indicates that the attackers knew exactly what they were doing.

The attack may have been discovered after the compromised PLCs caused suspicious valve changes, but it’s unclear if the attackers were trying to cause damage by tampering with valves or if they made an error that led to their discovery.

It’s worth pointing out that the 2017 Triton/Trisis attack on a critical infrastructure organization in the Middle East came to light after hackers accidentally caused a process shutdown.

Radiflow, an Israel-based industrial cybersecurity firm, pointed out in a blog post that smaller local water facilities, such as the ones targeted in these attacks, often use cellular communications to remotely connect to their systems. The cellular routers are in many cases exposed to attacks and it’s possible that the hackers targeted these devices for the initial intrusion.

Radiflow believes that another possibility is that this was a supply chain attack where the threat actor targeted contractors that have access to the water facilities for legitimate purposes.

“Some of these firms don’t have appropriate cyber security posture to deal with more sophisticated attacks like targeted spear phishing,” Radiflow said.

The company pointed out that the targeted water utilities are unlikely to hold any valuable confidential information, which suggests that the attackers’ goal was to cause disruption.

“It is believed that physical on-site evidence helped detect this attack,” Radiflow noted.

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

SCADAfence, an Israel-based OT and IoT security company, told SecurityWeek that its sources say the attacks may have originated from the Gaza region and they might have been launched by an anti-Israel hacktivist group calling itself the Jerusalem Electronic Army, which has mentioned the attacks on its Facebook page.

SCADAfence also believes this may have been a joint operation between the Jerusalem Electronic Army and Gaza Cybergang, which was previoulsly linked to the Palestinian terrorist organization Hamas and has mainly conducted espionage operations. Gaza Cybergang is believed to consist of several groups, including ones that have launched sophisticated campaigns targeting, among many types of organizations, utilities and industrial entities.

“Although water facilities were attacked first, many more attacks could be forthcoming,” Michael Yehoshua, VP of marketing at SCADAfence, told SecurityWeek. “These include industrial espionage, shutting down the refrigerators in supermarkets and medical lab networks, spying on gas stations, damaging water dams, disabling critical manufacturing plants and even explosions. These are some of the additional cybersecurity related dangers that can come next if Israel isn’t careful.”

Attacks on water facilities are not unheard of and experts have warned that these types of organizations often have internet-exposed systems that put them at risk.

Internet-exposed SCADA system at a water utility

Ilan Barda, founder and CEO of Radiflow, told SecurityWeek in an interview that he believes water sector organizations in Israel may be better prepared to handle cyberattacks compared to ones in Europe and North America as a result of clear guidelines provided by the Israeli government. However, while bigger regional facilities have implemented comprehensive security measures, many smaller organizations are still going through the process and they may be more vulnerable.

Yehoshua has also confirmed that Israel has a “strong focus on cyber security” and it has the necessary technology to prevent critical infrastructure intrusions.

Related: Attackers Alter Water Treatment Systems in Utility Hack

Related: Cryptocurrency Mining Malware Hits Monitoring Systems at European Water Utility

Related: What the Onslow Water and Sewer Authority Can Teach About Responsible Disclosure

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.