The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania.
The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers.
"Cyber threat actors are targeting PLCs associated with [Water and Wastewater Systems] facilities, including an identified Unitronics PLC, at a U.S. water facility," the agency said.
"In response, the affected municipality's water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality's drinking water or water supply."
According to news reports quoted by the Water Information Sharing and Analysis Center (WaterISAC), Cyber Av3ngers is alleged to have seized control of the booster station that monitors and regulates pressure for Raccoon and Potter Townships.
It's thought that the threat actors accessed the affected device, a Unitronics Vision Series PLC with a Human Machine Interface (HMI), by taking advantage of lax password security and the fact that it was publicly accessible over the internet.
With PLCs being used in the WWS sector to monitor various stages and processes of water and wastewater treatment, disruptive attacks attempting to compromise the integrity of such critical processes can have adverse impacts, preventing WWS facilities from providing access to clean, potable water.
To mitigate such attacks, CISA is recommending that organizations change the Unitronics PLC default password, enforce multi-factor authentication (MFA), disconnect the PLC from the internet, back up the logic and configurations on any Unitronics PLCs to enable fast recovery, and apply the latest updates.
Cyber Av3ngers has a history of targeting the critical infrastructure sector, claiming to have infiltrated as many as 10 water treatment stations in Israel. Last month, the group also claimed responsibility for a major cyber assault on Orpak Systems, a prominent provider of gas station solutions in the country.
"Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target," the group claimed in a message posted on its Telegram channel on November 26, 2023.
Update
In a follow-up advisory, cybersecurity agencies from the U.S. and Israel blamed Iranian threat actors for targeting publicly exposed Unitronics Vision Series PLCs through the use of default passwords.
"These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities," the agencies noted.
"The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment."