Connect with us

Hi, what are you looking for?



ICS at Multiple US Water Facilities Targeted by Hackers Affiliated With Iranian Government

Security agencies say the Cyber Av3ngers group targeting ICS at multiple water facilities is affiliated with the Iranian government.

Water company ransomware

The hackers behind recent cyberattacks targeting industrial control systems (ICS) at water facilities in the US are affiliated with the Iranian government, according to security agencies in the United States and Israel.

The FBI, CISA, the NSA, the EPA and Israel’s National Cyber Directorate on Friday published a  joint advisory focusing on the threat actor responsible for the recent attack on the Municipal Water Authority of Aliquippa in Pennsylvania.

The hackers, calling themselves Cyber Av3ngers, compromised an ICS associated with a booster station that monitors and regulates water pressure, but the water facility said there was no risk to the water supply or drinking water.  

The threat actor targeted a Unitronics Vision series programmable logic controller (PLC) with an integrated human-machine interface (HMI). 

Unitronics is an Israel-based company and its products are used not only in the water and wastewater systems sector, but also in industries such as energy, healthcare, and food and beverage manufacturing. In some cases, the PLCs may be rebranded and appear to have been made by other companies.

In the weeks prior to attacking the Aliquippa water utility, Cyber Av3ngers targeted ICS at water, energy, shipping, and distribution organizations in Israel. However, some of their claims turned out to be false. 

Since the Israel-Hamas conflict escalated on October 7, they claimed to have breached the systems of many water treatment stations in Israel. In the case of the Aliquippa facility attack, they claimed to have targeted the PLC because it was made by an Israeli company. 

While Cyber Av3ngers claims to be a hacktivist group, CISA, the FBI and the other agencies said it’s actually a persona used by cyber actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC). The Cyber Av3ngers persona, previously described as a pro-Iran threat group, has been used to target Israeli entities since 2020.

Advertisement. Scroll to continue reading.
Cyber Av3ngers hackers

The agencies said IRGC-affiliated threat actors targeted multiple US water sector facilities that rely on Unitronics Vision PLCs since November 22. The victims were located in multiple states. 

Unitronics PLCs have been known to be affected by critical vulnerabilities that could expose them to attacks. However, in the recent attacks, the devices were likely compromised because they were exposed to the internet on the default port and were protected by default passwords.

Once they compromised the devices, the hackers defaced their user interface, which could make the PLC inoperable.

“With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities,” the joint advisory reads.

A Shodan search shows that roughly 1,800 Unitronics PLCs located around the world are exposed to the internet, including a few hundred like the one targeted in the Aliquippa attack. 

“Cyber Av3ngers are known to use open source to conduct scanning, discovery and exploitation of OT and ICS devices. In particular, they leverage scripts specific to PCOM/TCP to query systems using Unitronics PLCs,” cybersecurity firm SentinelOne said in a blog post last week. 

Regarding Cyber Av3ngers’ recent public statements, John Hultquist, chief analyst at Google Cloud’s Mandiant Intelligence, said the group has a long history of publicly exaggerating superficial intrusions, claiming significant access to critical infrastructure. 

“Unfortunately, an insignificant hack against the right target, viewed without proper context, can be quite alarming. We have to be careful not to give these actors too much credit,” Hultquist said. “Even if they shut down the water at these sites, their goal would be the same. They are trying to undermine our sense of security. It doesn’t really matter whether they do that through expertise or exaggeration.”

The advisory released by the security agencies provides indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with Iranian cyber operations, as well as recommendations for defenders and device manufacturers. 

Related: CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack

Related: Congressmen Ask DOJ to Investigate Water Utility Hack, Warning It Could Happen Anywhere

Related: EPA Mandates States Report on Cyber Threats to Water Systems

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.