On December 1, an Iran-linked hacking group breached a water treatment facility located near Pittsburgh. Federal officials also confirmed that several other water utilities have been recently attacked by hackers.
Since the start of Israel’s recent hostilities with Hamas in the Gaza region, there’s been a slow but steady increase in nation-state-backed cyber attacks against U.S. infrastructure. CISA also reported that anti-Israel messaging appeared on the programmable logic controller (PLC) screens during the breach.
Who Was Behind The Attack?
The group responsible for the attack calls themselves CyberAv3ngers, and they are strongly believed to have nation-state backing from the Islamic Revolutionary Guard Corps (IRGC). The IRGC is an Iranian military organization that the U.S. government has designated as a foreign terrorist organization.
This type of hack isn’t necessarily about ransomware and making money. Although the attackers lock out the equipment in a way similar to ransomware, this particular equipment can usually be reflashed or restored from a backup. It’s not like ransoming hundreds of thousands or millions of files on a server.
The real goal for CyberAv3ngers was to be disruptive and to create concern and fear about doing business with Israel.
And they don’t really care about how they’re being disruptive. They could have chosen to target life support systems in a hospital. If things are blowing up, if the lights are going out, or in this case, if water can’t flow, then the hack serves their purpose.
They’re dealing in fear, uncertainty, and doubt, and they win even if their malware isn’t successful. Just making headlines and potentially scaring people is a victory for this type of hack, because Americans may choose not to buy certain equipment if they’re concerned about the stability of their own infrastructure.
How Did The Attack Happen?
The hack itself was extremely easy to execute. CyberAv3ngers broke into the water treatment facility’s PLCs, the devices used in industrial operations to control machines and perform automated tasks.
The facility’s PLCs were connected to the internet, and their only protection was a default password. As a result, the hackers were essentially able to walk straight in and take control.
Some manufacturers are using randomized passwords at the factory, but it’s still not uncommon for gear to be shipped to end users with default passwords. And a quick Google search can find those default passwords to get anybody into that equipment.
Thankfully, the compromise was caught early in this particular situation. The municipality was able to switch to manual operations and keep the water supply flowing before there was any serious impact on workers or citizens.
What Implications Do These Types of Hacks Have for U.S. Companies?
Worldwide, there’s been an uptick of attacks specifically targeting Israeli-made goods and equipment since September 2023. Interestingly enough, that was just before the start of the Gaza incursion and the current conflict with Hamas.
The frequency of nation-states backing cyber attacks against critical infrastructure has more than doubled in the last two years.
And given the success of these campaigns, and the relatively low bar to entry on the systems they target, it’s unlikely that there will be any decrease until there is some sort of significant retaliation or consequence.
At the moment, many of these nations are already under sanctions and have already been denounced for terrorism, misinformation, and cyber crimes. Unless there’s an escalation that makes perpetrating these attacks riskier for these organizations, a slowdown is unlikely.
What Kind of Organizations Are at Risk of This Kind of Attack?
Public infrastructure is the most at-risk because it commonly uses this particular programmable logic controller. But any type of manufacturing plant will have programmable logic controllers and could be susceptible to a similar type of attack.
At the moment, it’s Israeli-made equipment being targeted because a specific, step-by-step recipe for breaking into this particular type of equipment is circulating.
But the same things could be fairly easily replicated with other types of industrial equipment. Anybody that’s in a sector that uses programmable logic controllers is at risk.
What Specific Steps Should Organizations in the U.S. Take?
These steps could apply to anything, not just programmable logic controllers, but first and foremost, we recommend having good backups and procedures to restore and recover if an incident of this nature occurs.
PLCs are firmware-driven, and backing up their firmware and configuration is fairly easy. Because they don’t change very often, maintaining those backups does not become a burden over time.
Secondly, we recommend that these PLCs in particular be patched. Good hygiene is critical: patches close known vulnerabilities and fix bugs, so they must be kept up to date.
Default passwords were involved in this incident as well. As always, it’s imperative to not use default or easy-to-guess passwords. Setting long, unique, complex passwords is a very simple thing that can be done to avoid these attacks.
More importantly, PLCs are generally not the type of machines that should be Internet-facing. At a minimum, there should be a firewall between the PLCs and the public Internet.
When these machines are put on the public Internet, it’s often for convenience so that they can be remotely accessed. But there should be some sort of a private network, a VPN, or some other type of routing standing in between these devices and the Internet for this exact reason.
It’s hard to monitor the activity on these devices, especially when they’re remote. These PLCs may be buried in the heart of a manufacturing plant, or, in the case of water treatment, they could be controlling the flow of far-distant pipes.
They’re not sitting in a data center or computer room behind a controlled environment, and that’s a setting that induces more risk.
Although it’s not always applicable to PLCs, if you can enable multi-factor authentication, it will quickly help stop these types of attacks. Even if you are using default passwords, multi-factor will create that second layer of security and provide an early warning if there is a breach attempt.
And lastly — don’t panic. These types of attacks are easy to thwart and easy to recover from. The major risk is that if a breach occurs and is not detected, then the results could be catastrophic. If it’s caught early, then there’s little need to fret.
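The hardening steps above (backups, patching, no default passwords, no direct Internet exposure, MFA) can be turned into a simple inventory audit. The script below is an added example, not code from the article or from Black Kilt; the record fields, severity labels, and sample devices are constructed for illustration.

```python
"""Added example: audit a PLC inventory against the article's hardening
checklist. Field names, severities and sample records are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Dict

@dataclass
class PlcRecord:
    name: str
    internet_facing: bool        # reachable directly from the public Internet
    behind_vpn: bool             # remote access only via VPN / private network
    default_password: bool       # factory credential still in use
    firmware_current: bool       # vendor patches applied
    mfa_enabled: bool            # multi-factor authentication available and on
    last_backup: Optional[date]  # date of last firmware/config backup, if any

def audit(plc: PlcRecord, today: date, max_backup_age_days: int = 365) -> List[str]:
    """Return findings for one controller, highest priority first."""
    findings = []
    # Internet exposure plus a default password is the exact combination
    # described in the article: the attacker can simply walk in.
    if plc.internet_facing and plc.default_password:
        findings.append("CRITICAL: Internet-facing with default password")
    elif plc.internet_facing and not plc.behind_vpn:
        findings.append("HIGH: Internet-facing without firewall/VPN")
    elif plc.default_password:
        findings.append("HIGH: default password still set")
    if not plc.firmware_current:
        findings.append("MEDIUM: firmware not patched")
    if plc.last_backup is None or (today - plc.last_backup).days > max_backup_age_days:
        findings.append("MEDIUM: no recent firmware/config backup")
    if not plc.mfa_enabled:
        findings.append("LOW: multi-factor authentication not enabled")
    return findings

def audit_inventory(records: List[PlcRecord], today: date) -> Dict[str, List[str]]:
    """Map each device name to its findings, omitting clean devices."""
    results = {r.name: audit(r, today) for r in records}
    return {name: items for name, items in results.items() if items}

# Constructed sample inventory and audit date (not real devices).
AUDIT_DATE = date(2023, 12, 1)
SAMPLE = [
    PlcRecord("booster-pump-1", True, False, True, False, False, None),
    PlcRecord("chlorinator-2", False, True, False, True, False, date(2023, 6, 1)),
    PlcRecord("intake-valve-3", False, True, False, True, True, date(2023, 11, 15)),
]

if __name__ == "__main__":
    for name, items in audit_inventory(SAMPLE, AUDIT_DATE).items():
        print(name, *("  - " + i for i in items), sep="\n")
```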
Consult With Black Kilt to Secure Your Infrastructure
If you manage a manufacturing facility or municipal-related infrastructure, contact Black Kilt for a consultation and for help getting your protection in order. We’ve already reached out to some of our current and former clients and made them aware of this particular exploit and advised them on appropriate responses. This is an area where we have had extensive experience with direct responsibility and direct development.