Iran-Linked CyberAv3ngers Hacker Disrupt Water Operations in Western Pennsylvania

On Saturday, October 29, 2023, the Municipal Water Authority of Aliquippa (MWA) in western Pennsylvania was targeted by an Iranian-backed cyber group known as CyberAv3ngers. The attack reportedly affected a remote booster station serving two townships, but the MWA assured residents that there was no known risk to the drinking water or water supply.

According to local news reports, CyberAv3ngers gained control of a Unitronics Vision Series PLC, which is used to monitor and regulate pressure for Raccoon and Potter Townships. The attack triggered an alarm, and the system was immediately taken offline and switched to manual operation.

CyberAv3ngers claims to be an activist group focused on targeting Israeli water and energy sites. The group has previously claimed responsibility for attacks on ten water treatment facilities in Israel. It is unclear why the group targeted the MWA, but it is possible that they were attempting to disrupt the U.S. water supply or send a message to the Israeli government.

The Cybersecurity and Infrastructure Security Agency (CISA) is investigating the attack and has issued an alert warning of the potential risk to other water and wastewater facilities. CISA is urging organizations to take the following steps to protect their systems:

1. Change the Unitronics PLC default password.
2. Require multifactor authentication for all remote access to the OT network.
3. Disconnect the PLC from the open internet.
4. Back up the logic and configurations on any Unitronics PLCs.
5. Utilize a TCP port that is different than the default port TCP 20256.
6. Update PLC/HMI to the latest version provided by Unitronics.

This attack highlights the growing threat to critical infrastructure from cyberattacks. Water and wastewater facilities are particularly vulnerable because they rely on programmable logic controllers (PLCs) that are often connected to the Internet. Organizations can protect their systems by following CISA’s recommendations and implementing additional security measures, such as network segmentation and intrusion detection systems.