US government confirms Iran is behind cyberattacks on water companies

Iranian hackers were apparently behind recent attacks on US water plants, according to the findings of the government's Cybersecurity and Infrastructure Security Agency (CISA).

CISA has published a joint advisory together with the FBI, the NSA, the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD), noting a hacker (or a group) with the alias “CyberAv3ngers” targeted Unitronics programmable logic controllers (PLCs), endpoints usually used by firms in the Water and Wastewater Systems (WWS) Sector. 

These devices are also sometimes used in the energy, food and beverage manufacturing, and healthcare industries, the advisory added. 

Mitigations advised

CyberAv3ngers are reportedly affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), and are said to have targeted the PLCs because they were manufactured by an Israeli company. 

“Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices,” it says in the joint advisory. “The IRGC-affiliated cyber actors left a defacement image stating, ‘You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.’ The victims span multiple US states.”

So far these have only been defacement campaigns, and there are no reports of ransomware being installed.

CISA said all the affected endpoints were “publicly exposed to the internet with default passwords and by default are on TCP port 20256.” Going forward, CISA advises all critical infrastructure firms to change all default passwords on Unitronics devices and make sure they’re disconnected from the wider internet. Adding multi-factor authentication (MFA) is also helpful, as well as setting up and maintaining backups. 
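One defender-side check that follows from the advisory's exposure description, as an added Python example (not code from CISA, the article, or Unitronics): it reads constructed firewall log lines and flags allowed inbound sessions from non-internal addresses to TCP port 20256 on PLC hosts. The log format, addresses and internal ranges are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample firewall log lines; the addresses use RFC 5737 documentation
# ranges and a private subnet, not any real network.
SAMPLE_LOGS = """\
2023-11-25T03:14:07Z action=allow proto=tcp src=203.0.113.45 sport=51234 dst=10.20.30.5 dport=20256
2023-11-25T03:14:09Z action=allow proto=tcp src=10.20.30.12 sport=49211 dst=10.20.30.5 dport=20256
2023-11-25T03:15:40Z action=allow proto=tcp src=198.51.100.7 sport=40001 dst=10.20.30.9 dport=20256
2023-11-25T03:16:02Z action=deny  proto=tcp src=198.51.100.7 sport=40002 dst=10.20.30.9 dport=20256
2023-11-25T03:16:30Z action=allow proto=tcp src=203.0.113.45 sport=51300 dst=10.20.30.5 dport=443
"""

# Assumed key=value log layout; adapt the pattern to the firewall actually in use.
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+sport=\d+\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

PLC_PORT = 20256  # the port the CISA advisory cites for exposed Unitronics PLCs

# Address space treated as "inside"; anything else is considered internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_plc_sessions(log_text):
    """Allowed TCP sessions from external sources to the PLC port: (ts, src, dst)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "tcp" and rec["dport"] == PLC_PORT
                and rec["action"] == "allow" and is_external(rec["src"])):
            findings.append((rec["ts"], rec["src"], rec["dst"]))
    return findings


def exposed_plc_hosts(log_text):
    """Sorted list of internal hosts that accepted PLC-port sessions from outside."""
    return sorted({dst for _, _, dst in find_exposed_plc_sessions(log_text)})
```

Any host this returns is one that should be moved behind a firewall or VPN and have its default password changed, per the advisory.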

Other countries are using PLCs from the same manufacturer, too. Infosecurity says the UK’s National Cyber Security Centre (NCSC) recently issued an update warning of the potential risk, but adding that the risk was most likely “minimal, confined to small providers” and would probably not disrupt the country’s water supply.

Via Infosecurity Magazine

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.