US government confirms Iran is behind cyberattacks on water companies

These devices are also sometimes used in the energy, food and beverage manufacturing, and healthcare industries, the advisory added. 

Mitigations advised

Apparently, CyberAv3ngers are with Iran’s Islamic Revolutionary Guard Corps (IRGC), and have decided to target the PLCs because they were manufactured by an Israeli company. 

“Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices,” it says in the joint advisory. “The IRGC-affiliated cyber actors left a defacement image stating, ‘You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.’ The victims span multiple US states.”

So far these have only been defacement campaigns, and there are no reports of ransomware being installed.

CISA said all the affected endpoints were “publicly exposed to the internet with default passwords and by default are on TCP port 20256.” Going forward, CISA advises all critical infrastructure firms to change all default passwords on Unitronics devices and make sure they’re disconnected from the wider internet. Adding multi-factor authentication (MFA) is also helpful, as well as setting up and maintaining backups. 

Other countries are using PLCs from the same manufacturer, too. Infosecurity says the UK’s National Cyber Security Centre (NCSC) recently issued an update warning of the potential risk, but adding that the risk was most likely “minimal, confined to small providers” and would probably not disrupt the country’s water supply.

Via Infosecurity Magazine

More from TechRadar Pro

• Millions more 23andMe records leaked online
• Here's a list of the best firewalls today
• These are the best endpoint protection software right now