Iran Cyber Activity Detected Across US Critical Infrastructure
30 Hospitals & 2 Water Infrastructure Entities Affected
North America has been taking a beating on the cyber front this week. After Microsoft and the FBI issued a warning regarding the impending risk of cyber attacks from Iran, Canada’s Centre for Cyber Security, along with the RCMP, renewed warnings about ransomware attacks following the attack that recently resulted in a $480m lawsuit for victims of exposed medical information.
A North Texas water utility serving two million people is dealing with a cybersecurity incident that caused operational issues.
North Texas Municipal Water District (NTMWD) provides wholesale water, wastewater and solid waste management services to more than 13 cities in the state, including Plano and Frisco.
The Aliquippa Municipal Water Authority in Pennsylvania revealed one of its booster stations had fallen victim to a cyber-attack by an Iranian-backed group.
Matthew Mottes, Chairman of the Board of Directors for the Municipal Water Authority, disclosed to KDKA-TV that the hacking group, identified as Cyber Av3ngers, successfully took control of the station, setting off an immediate alarm. The group also took credit for the attack on X, along with attacks on 10 Israeli treatment plants. These attacks are unverified. The automated system was immediately shut down and operations resumed manually. CISA is now investigating the attack, and there are concerns about further attacks on critical infrastructure within the United States, in general.
The group allegedly gained access through an “IoT” Programmable Logic Controller made by Unitronics and used for water pressure control; the device has Israeli-owned components. During the attack, a message appeared on the screen reading: "You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target."
On October 30th, the Cyber Av3ngers initiated a series of posts across their Telegram and Twitter/X communication channels claiming to have infiltrated “10 Water treatment stations” across Israel. Prior to that, the same channels had been used to post a small set of files they claim had been exfiltrated from these targets.
Throughout the following weeks, the group maintained its social media campaign with threats to “wipe and destruct all industrial equipment such as SCADA systems, PLCs and HMIs”. However, it was only on 26th November that the group’s threats expanded to include targeting of all critical infrastructure, including plants in the U.S., found to be using equipment manufactured in, or associated with, Israel.
A report released by Microsoft Threat Intelligence revealed another threat from IRGC-tied hackers, named by Microsoft as "Mint Sandstorm".
This threat actor’s modus operandi is to target energy and transportation infrastructure across the US, including ports, energy companies, and transit systems.
Cybersecurity firm Proofpoint also found Mint Sandstorm/APT42 conducting a phishing campaign against a US nuclear security expert early last year, pretending to be a senior fellow at the U.K. think tank Royal United Services Institute (RUSI) while attempting to spread malware.
DARKREADING: The hackers continue to adapt the tools used during their attacks, deploying “novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets,” Proofpoint said. Initially engaged in reconnaissance, the subgroup eventually began attacking critical infrastructure organizations in the United States in 2022.
A cyber-attack has shut down emergency rooms in at least three states, a hospital operator warned on Monday, forcing the organization to divert patients to other facilities.
Ardent Health said it had been targeted by a ransomware attack over the Thanksgiving holiday. The corporation oversees 30 hospitals in states across the US, including New Mexico, Texas and Oklahoma. The attack had shut down a significant number of its computerized services, the company said in a news release. Ardent Health said that "in an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals."
Ardent has not announced a timeline for when the issue could be resolved.
According to the Institute for Security and Technology, at least 299 hospitals have suffered ransomware attacks in 2023.
In 2022, there were 70,878 known incidents of online fraud in Canada, with more than $530-million stolen, according to the RCMP. The United States has seen $2.7-billion in losses since 2021.
Targeting and Tooling - Cyber Avengers
The current campaign targets Unitronics PLCs exposed to the public internet. A high-level search via Shodan indicates approximately 1800 Unitronics PLC devices are reachable globally. Around 280 of those are of the type in use by the Municipal Water Authority of Aliquippa.
Threat actors are scanning for exposed Unitronics devices listening on TCP port 20256, and when discovered, interrogating and where possible connecting to the vulnerable endpoint.
Cyber Av3ngers are known to use open-source tools to conduct scanning, discovery and exploitation of OT and ICS devices. In particular, they leverage scripts specific to PCOM/TCP to query systems built on Unitronics PLCs.
Industrial Control Systems equipment often comes with default passwords and backdoor ‘service’ or ‘admin’ accounts for remote administration. These are documented in publicly available operation manuals and represent a vulnerability if the installer or maintainer of the equipment did not take steps to change passwords and generally harden the devices against external attack.
Screenshots shared by the group on social media show the use of such open-source tools for scanning a range of exploitable ICS devices, including Siemens and SCADA devices.
The group has also previously exploited CVE-2023-28130, a remote command execution vulnerability in CheckPoint’s GAIA.
Additional Targeting of OT/ICS Equipment
The nature of many ICS/OT installations means they are often exposed to vulnerabilities and weak or unchanged default passwords. This, combined with their service-critical use, means they are both an easy and attractive target for threat actors.
Unsurprisingly, we find that Cyber Av3ngers is neither the only nor the first group to target such systems. Unitronics PLCs, in particular, have also recently been singled out for targeting by another Gaza-related hacktivist group called ‘GhostSec’.
On October 13, 2023, GhostSec posted messages claiming to have hacked a number of Unitronics devices along with 27 Aegis devices used to control water pumps.
Mitigating Risks to Unitronics PLCs and Other ICS Devices
In order to harden exposed devices, administrators are urged to follow CISA’s recommendations:
Change the Unitronics PLC default password and validate that the default password “1111” is not in use.
Require MFA for remote access to the OT network, including from the IT network and external networks.
Disconnect the PLC from the open internet. If remote access is necessary, implement a firewall/VPN in front of the PLC to control network access to it. A VPN or gateway device can enforce MFA if the PLC itself does not support it. Unitronics also offers a cellular-based long-haul transport device that connects securely to its cloud services.
Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
If possible, use a TCP port different from the default TCP port 20256. If available, use PCOM/TCP filters to restrict which packets reach the device.
Update the PLC/HMI to the latest version provided by Unitronics.
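The following Python script is an added example, not code from the article, from CISA or from Unitronics. It turns the hardening checklist above and the scanning behaviour described under "Targeting and Tooling" into two defender-side checks: an inventory audit that flags PLCs still on the default PCOM/TCP port 20256, still using the default password, or reachable from the internet; and a detection pass over perimeter firewall logs that alerts on accepted TCP connections to a PLC's PCOM port from any source outside an allow list. The inventory, the allow-listed networks (a VPN pool and the OT subnet) and the `key=value` firewall log format are all constructed for the example; no real product emits exactly this format.

```python
"""Added example: audit PLC exposure and detect unexpected PCOM/TCP access.

All inputs below are constructed for illustration. The log format is a
generic key=value style, not any vendor's real output.
"""
import ipaddress
import re

DEFAULT_PCOM_PORT = 20256   # default Unitronics PCOM/TCP port named in the advisory

# Constructed inventory (assumed fields). Whether the default password "1111"
# is still set is recorded as a flag; credentials themselves are never stored.
INVENTORY = [
    {"name": "booster-plc-01", "ip": "10.20.0.11", "pcom_port": 20256,
     "uses_default_password": True, "internet_exposed": True},
    {"name": "booster-plc-02", "ip": "10.20.0.12", "pcom_port": 21056,
     "uses_default_password": False, "internet_exposed": False},
    {"name": "lift-station-plc", "ip": "10.20.0.13", "pcom_port": 20256,
     "uses_default_password": False, "internet_exposed": False},
]

# Assumed: only the VPN pool and the OT subnet may talk to PLCs.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.99.0.0/24"),   # VPN address pool (assumed)
    ipaddress.ip_network("10.20.0.0/24"),   # OT subnet (assumed)
]

# Constructed firewall log lines (documentation-range public IPs).
FIREWALL_LOG = """\
2023-11-26T03:14:07Z fw01 action=ACCEPT proto=TCP src=203.0.113.45 spt=51234 dst=10.20.0.11 dpt=20256
2023-11-26T03:14:09Z fw01 action=ACCEPT proto=TCP src=10.99.0.8 spt=40211 dst=10.20.0.12 dpt=21056
2023-11-26T03:15:30Z fw01 action=DROP proto=TCP src=198.51.100.7 spt=44444 dst=10.20.0.13 dpt=20256
2023-11-26T03:16:02Z fw01 action=ACCEPT proto=TCP src=192.0.2.200 spt=39020 dst=10.20.0.13 dpt=20256
2023-11-26T03:16:40Z fw01 action=ACCEPT proto=UDP src=203.0.113.45 spt=53 dst=10.20.0.11 dpt=53
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=\d+ dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def audit_inventory(inventory):
    """Map each PLC name to the list of checklist items it still fails."""
    findings = {}
    for plc in inventory:
        issues = []
        if plc["uses_default_password"]:
            issues.append("default password in use")
        if plc["internet_exposed"]:
            issues.append("reachable from the internet")
        if plc["pcom_port"] == DEFAULT_PCOM_PORT:
            issues.append("default PCOM/TCP port")
        findings[plc["name"]] = issues
    return findings


def _is_allowed(src):
    """True if the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def detect_unexpected_pcom(log_text, inventory):
    """Return accepted TCP connections to a PLC's PCOM port from outside the allow list."""
    plc_ports = {p["ip"]: p["pcom_port"] for p in inventory}
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip
        dst, dpt = m["dst"], int(m["dpt"])
        if m["proto"] != "TCP" or plc_ports.get(dst) != dpt:
            continue  # not traffic to a known PLC's PCOM port
        if m["action"] == "ACCEPT" and not _is_allowed(m["src"]):
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": dst, "port": dpt})
    return alerts


if __name__ == "__main__":
    for name, issues in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(issues) if issues else 'OK'}")
    for alert in detect_unexpected_pcom(FIREWALL_LOG, INVENTORY):
        print(f"ALERT {alert['ts']} {alert['src']} -> {alert['dst']}:{alert['port']}")
```

Dropped packets are deliberately not alerted on: a DROP means the firewall rule from the checklist is doing its job, whereas an ACCEPT from a non-allow-listed source means the PLC is still reachable and should be treated as exposed regardless of whether the PCOM port was changed.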