Team82 Unveils Research on Unitronics PLC/HMI Attacks Targeting Critical Infrastructure
Recently, the cybersecurity research team known as Team82 has published an in-depth investigation into a series of cyberattacks targeting integrated Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs) produced by Unitronics. These attacks, which took place in November of last year, specifically targeted critical infrastructure, including water treatment plants in the United States and Israel. The attacks are believed to have been orchestrated by CyberAv3ngers, a notorious hacker group with ties to Iran.
Notably, U.S. intelligence agencies finally revealed the identities of six CyberAv3ngers hackers and announced a substantial reward for their capture.
According to Team82’s detailed analysis, the attackers exploited significant vulnerabilities in Unitronics’ Vision and Samba series products. At the time of the attack, these devices lacked password protection for the PCOM communication protocol, a critical oversight that allowed the hackers to remotely access and manipulate the devices. By exploiting this weakness, the attackers were able to upload malicious projects, disrupt the normal operations of the PLCs, and leave threatening messages.
In response to these serious threats, Team82 has not only exposed the vulnerabilities but has also developed innovative tools to help defend against future attacks. These tools, now available for public use, are designed to empower security professionals and infrastructure operators to detect and respond to similar threats.
- PCOM2TCP: This tool converts PCOM protocol messages from serial format to TCP, facilitating the analysis of network traffic and helping to identify suspicious activities that could indicate an ongoing attack.
- PCOMClient: This tool lets users connect to Unitronics PLCs, extract data for forensic analysis, and examine the device’s functions. It is particularly valuable for incident response, allowing experts to retrieve critical information about device connections, user activity, and other data that could be instrumental in investigating and mitigating attacks.
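Because the attacks relied on reaching the unauthenticated PCOM service over the network, one practical defensive check is to flag PCOM/TCP sessions to PLCs that originate from hosts other than approved engineering workstations. The following added example (not Team82's code, and unrelated to PCOM2TCP or PCOMClient) runs that check over constructed flow-log lines; the PCOM/TCP port 20256 and the allowed source network are assumptions to adjust for your own environment.

```python
# Added example (not Team82's code): flag PCOM/TCP sessions to Unitronics PLCs
# from hosts that are not approved engineering workstations or HMIs.
from collections import Counter
from ipaddress import ip_address, ip_network

PCOM_TCP_PORT = 20256  # assumed default PCOM/TCP port; verify against your devices

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2023-11-25T03:12:01Z 10.20.5.17 10.20.7.40 20256 tcp
2023-11-25T03:12:09Z 203.0.113.45 10.20.7.40 20256 tcp
2023-11-25T03:12:15Z 203.0.113.45 10.20.7.41 20256 tcp
2023-11-25T03:13:02Z 10.20.5.17 10.20.7.40 502 tcp
2023-11-25T03:14:30Z 198.51.100.9 10.20.7.40 20256 tcp
""".splitlines()

# Assumed allow-list: the only network permitted to speak PCOM to the PLCs.
ALLOWED_SOURCES = [ip_network("10.20.5.0/24")]


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": proto}


def find_unauthorized_pcom(lines, allowed=ALLOWED_SOURCES):
    """Return PCOM/TCP flows whose source is outside the allow-list."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] != PCOM_TCP_PORT:
            continue  # not PCOM/TCP, e.g. Modbus on 502
        if not any(f["src"] in net for net in allowed):
            alerts.append(f)
    return alerts


def summarize(alerts):
    """Count flagged sessions per offending source address."""
    return Counter(str(a["src"]) for a in alerts)


if __name__ == "__main__":
    for src, n in summarize(find_unauthorized_pcom(SAMPLE_FLOWS)).items():
        print(f"unauthorized PCOM source {src}: {n} session(s)")
```

Any hit from outside the allow-list is a candidate for isolating the PLC from the network and pulling device state with PCOMClient for forensic review.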
Team82’s research also led to the discovery of two new vulnerabilities, identified as CVE-2024-38434 and CVE-2024-38435. Experts strongly recommend that all Unitronics users update their devices to software version 9.9.1 to minimize the risk of exploitation.
One of the challenges faced by Team82 during their research was establishing a direct connection to Unitronics devices, which do not typically come equipped with an Ethernet port. Demonstrating their ingenuity, the team created a custom cable that allowed them to connect to the devices and conduct a thorough examination of the PCOM protocol. This hands-on approach was crucial in uncovering the vulnerabilities and developing the tools that are now helping to secure critical infrastructure worldwide.
The tools developed by Team82 are not only advancing the understanding of Unitronics devices but are also playing a pivotal role in enhancing the security of critical infrastructure. By providing the means to quickly respond to cyberattacks, these tools are helping to safeguard essential services and prevent potentially catastrophic disruptions.