At least one attack on water utilities has been confirmed so far, but two anonymous sources have told the media that a “single digit” number of utilities across the US have been targeted by a group of Iranian hackers.
The damage has been limited thus far, as the Iranian hackers appear to be targeting a particular component made by an Israeli company, and that component does not give them the opportunity to taint water supplies. The one attack that has been made public, which took place in Pennsylvania, indicates the outages are more of an annoyance that forces water utilities to switch the impacted component to manual operation for a time. The public is not going without water or in danger, but the Iranian hackers have already prompted at least one utility company to drop the Israeli parts out of fear of future incidents.
Struggling water utilities poorly equipped to handle targeted hacking
The water utilities are being attacked by a group calling itself “Cyber Av3ngers,” which has a record of prior attacks on industrial control systems and has been linked to Iran’s Islamic Revolutionary Guard Corps. As with most of Iran’s state-backed hacking efforts, the group focuses on denial of service and defacement with political messages and usually only pops up during periods of significant international conflict.
The Aliquippa organization that was hit appears to be doing exactly what the Iranian hackers want all the water utilities they target to do: dump components made by Unitronics, a manufacturer based in Tel Aviv. It is hard to blame these utilities, particularly smaller ones (in this case serving a total population of 15,000), as their funding for IT staffing and defense is often scant at best. If a component has known vulnerabilities, such as shipping with a default password of “1111” that the manufacturer makes public, it may well be the more prudent move to simply replace it and stop buying that brand.
While these particular Iranian hackers do not have the track record of the elite Chinese and Russian threat actors, or even the North Korean crews that steal cryptocurrency, they are still likely too much for underfunded water utilities that may not even have one full-time IT staff member. As the Israel-Hamas conflict drags on, even more attacks of this nature are expected with critical infrastructure companies right in the middle of the crossfire.
The Unitronics components do not really need to be dumped, however, at least not according to the advice CISA has posted for water utilities. The components can be secured by simply disconnecting them from the internet, and access can be made much more difficult by changing the TCP port they listen on by default, ensuring the default password is no longer in use, and enabling MFA.
Iranian hackers hunting components made by Israeli firms
The first sign of the Iranian hackers appears to be a splash screen on the monitoring panels of impacted devices, full of anti-Israel statements and images. Officials in Aliquippa said that an alarm was tripped when the hackers broke in.
The components that are being targeted are part of “booster stations,” or pumps that are used to increase the water pressure to more remote areas. In Aliquippa, this meant that two townships in the county and about 1,200 people were impacted. The Iranian hackers can shut off the normal automatic operation, but maintenance personnel can be dispatched to the station to turn the pumps on and off manually. There is no risk of the water being tainted and impacted customers will still get service, but it creates an extra headache and expense for water utilities.
The FBI, CISA and the Department of Homeland Security have all been brought in to investigate this string of attacks. It remains unclear whether the pumps share some common vulnerability or whether the hackers are simply exploiting weak passwords.