Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hackers Knew How to Target PLCs in Israel Water Facility Attacks: Sources

The actions of the hackers who recently targeted water facilities in Israel show their sophistication and prove that they knew exactly what they were doing, according to people with knowledge of the attacks.

The actions of the hackers who recently targeted water facilities in Israel show their sophistication and prove that they knew exactly what they were doing, according to people with knowledge of the attacks.

The Israeli government revealed recently that several water and wastewater facilities across the country were targeted in a coordinated attack on April 24 and 25. Authorities said the threat actors targeted industrial control systems (ICS), but that they did not manage to cause any damage.

The attacks targeted wastewater treatment plants, pumping stations and sewage facilities, and organizations in the water sector have been instructed by Israeli authorities to immediately take measures to prevent attacks, including changing passwords to internet-exposed control systems, reducing internet exposure, and ensuring that all software is up to date.

Sources told SecurityWeek that the attackers targeted programmable logic controllers (PLCs) used to control valves. The changes made to the PLC logic were valid, which indicates that the attackers knew exactly what they were doing.

The attack may have been discovered after the compromised PLCs caused suspicious valve changes, but it’s unclear if the attackers were trying to cause damage by tampering with valves or if they made an error that led to their discovery.

It’s worth pointing out that the 2017 Triton/Trisis attack on a critical infrastructure organization in the Middle East came to light after hackers accidentally caused a process shutdown.

Radiflow, an Israel-based industrial cybersecurity firm, pointed out in a blog post that smaller local water facilities, such as the ones targeted in these attacks, often use cellular communications to remotely connect to their systems. The cellular routers are in many cases exposed to attacks and it’s possible that the hackers targeted these devices for the initial intrusion.

Radiflow believes that another possibility is that this was a supply chain attack where the threat actor targeted contractors that have access to the water facilities for legitimate purposes.

Advertisement. Scroll to continue reading.

“Some of these firms don’t have appropriate cyber security posture to deal with more sophisticated attacks like targeted spear phishing,” Radiflow said.

The company pointed out that the targeted water utilities are unlikely to hold any valuable confidential information, which suggests that the attackers’ goal was to cause disruption.

“It is believed that physical on-site evidence helped detect this attack,” Radiflow noted.

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

SCADAfence, an Israel-based OT and IoT security company, told SecurityWeek that its sources say the attacks may have originated from the Gaza region and they might have been launched by an anti-Israel hacktivist group calling itself the Jerusalem Electronic Army, which has mentioned the attacks on its Facebook page.

SCADAfence also believes this may have been a joint operation between the Jerusalem Electronic Army and Gaza Cybergang, which was previoulsly linked to the Palestinian terrorist organization Hamas and has mainly conducted espionage operations. Gaza Cybergang is believed to consist of several groups, including ones that have launched sophisticated campaigns targeting, among many types of organizations, utilities and industrial entities.

“Although water facilities were attacked first, many more attacks could be forthcoming,” Michael Yehoshua, VP of marketing at SCADAfence, told SecurityWeek. “These include industrial espionage, shutting down the refrigerators in supermarkets and medical lab networks, spying on gas stations, damaging water dams, disabling critical manufacturing plants and even explosions. These are some of the additional cybersecurity related dangers that can come next if Israel isn’t careful.”

Attacks on water facilities are not unheard of and experts have warned that these types of organizations often have internet-exposed systems that put them at risk.

Internet-exposed SCADA system at a water utility

Ilan Barda, founder and CEO of Radiflow, told SecurityWeek in an interview that he believes water sector organizations in Israel may be better prepared to handle cyberattacks compared to ones in Europe and North America as a result of clear guidelines provided by the Israeli government. However, while bigger regional facilities have implemented comprehensive security measures, many smaller organizations are still going through the process and they may be more vulnerable.

Yehoshua has also confirmed that Israel has a “strong focus on cyber security” and it has the necessary technology to prevent critical infrastructure intrusions.

Related: Attackers Alter Water Treatment Systems in Utility Hack

Related: Cryptocurrency Mining Malware Hits Monitoring Systems at European Water Utility

Related: What the Onslow Water and Sewer Authority Can Teach About Responsible Disclosure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

Chris Burger has been named Chief Information Security Officer at F5.

Bedrock Security has appointed George Gerchow as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.