The United States’ top cybersecurity agency is warning that hackers are targeting a particular tool used by water and wastewater system operators around the country, noting an attack the day after Thanksgiving on a water utility in Pennsylvania.

The Cybersecurity and Infrastructure Security Agency (CISA) wrote in an advisory this week that bad actors are looking to exploit programmable logic controllers (PLCs) that are used by such operations to monitor water treatment process, such as turning pumps on and off that fill tanks and reservoirs.

They also regulate pacing chemicals to meet regulations, collect compliance data, and alert to alarms to operations, CISA wrote.

In particular, the agency pointed to PLCs developed by Unitronics, which are used by the Municipal Water Authority in Aliquippa, Pennsylvania, which said threat actors took control of a system used to monitor water pressure for nearby towns. Officials there said there was no threat to drinking water, but operators were forced to take systems offline and shift to manual operations.

A report by researchers at cybersecurity firm Check Point said that a hacking group linked to Iran’s government, Cyber Av3ngers, took responsibility for the attack in Pennsylvania. The group has a history of attacking critical infrastructure, including water, electrical, and transportation operations.

Cyber Av3ngers Target Israeli-Made Equipment

Cyber Av3ngers, which like other pro-Palestinian hackers has ramped its activity in Israel since fighting with the Hamas terrorist group broke out last month, said in a note on the Telegram messaging platform that it was targeting equipment that was made in Israel. Unitronics is based in Israeli.

According to reports, the computer screens in the Aliquippa facility showed a note from the threat group announcing the hack and the message about Israeli equipment being targeted. The note also said “Down with Israel.”

The federal government is also investigating hacks of other U.S. water facilities, which also may be victims of Cyber Av3ngers, according to reports.

CISA said the hackers likely accessed the Unitronics Vision Series PLC with a Human Machine Interface (HMI) by abusing some security weaknesses, such as poor password security or the devices being exposed to the internet.

Check Point researchers noted that Cyber Av3ngers “for the targeting purposes … focuses on exploitation of vulnerabilities in internet facing devices. As part of their modus operandi, the group also seeks to utilize Microsoft Exchange vulnerabilities as an initial intrusion vector.” They added that incident with the Pennsylvania water system was a supply chain attack.

Steps to Protect

CISA recommended several steps water system organizations can take to protect against such attacks, including changing the Unitronics PLC default password from “1111” and requiring multifactor authentication for remote access to the operational technology (OT) network, both from the IT network and external networks.

It also suggested updating PLC/HMI to the latest version from Unitronics.

In addition, operators should disconnect the PLC from the open internet or implement a firewall and VPN in front of the PLC if remote access is necessary.

“A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication,” the agency noted. “Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.”

Administrators also should back up the logic and configurations on Unitronics PLCs to ensure fast recovery from an attack, use a TCP port that is different than the default port TCP 20256. Threat groups are targeting TCP 20256 after identifying it through network probing as a port associated with the Unitronics tool.

“Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection,” CISA wrote. “If available, use PCOM/TCP filters to parse out the packets.”

Protecting Critical Infrastructure a Priority

The Biden Administration has made protecting critical infrastructure in more than a dozen sectors – not only water, but also electrical, chemical, defense industrial base, financial services, IT, and food and agriculture, among others – from cyberattacks.

However, the Environmental Protection Agency last month was forced to withdraw an order it established in March to have states begin assessing the cybersecurity of their public water systems. However, a legal challenge from some states and water associations in federal court convinced the EPA to drop the order.

The high-profile attack on software maker SolarWinds in 2020 and on JBS Foods a year later put critical infrastructure threats on the front burner and the Check Point researchers said such attacks aren’t going away.

“ICS [industrial control system] and OT networks play a vital role in the global modern world but are also attractive targets to criminal groups,” they wrote, noting Cyber Av3ngers’s attacks on the water systems. “Threat actors are drawn to critical infrastructure and SCADA/ICS due to their inherent ability to cause economic disruption, espionage, intellectual property theft, and for geopolitical motives.”

Organizations that want to mitigate such risks “must prioritize implementing an ICS security solution, minimizing risk exposure in both IT and OT environments,” they wrote. “The solution must be proactive, block attacks before they compromise critical assets, and ensure uninterrupted industrial operations.”