Feds warn of possible cyber attacks by Iran on US critical infrastructure

https://arstechnica.com/security/2025/07/feds-warn-of-possible-cyber-attacks-by-iran-on-us-critical-infrastructure/

Dan Goodin Jul 01, 2025 · 2 mins read

Hackers working on behalf of the Iranian government are likely to target industrial control systems used at water treatment plants and other critical infrastructure to retaliate against recent military strikes by Israel and the US, federal government agencies are warning. One cybersecurity company says many US-based targets aren't adequately protected against the threat.

“Based on the current geopolitical environment, Iranian-affiliated cyber actors may target US devices and networks for near-term cyber operations,” an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, FBI, Department of Defense Cyber Crime Center, and the National Security Agency stated. “Defense Industrial Base (DIB) companies, particularly those possessing holdings or relationships with Israeli research and defense firms, are at increased risk.”

Easy targets

Of particular interest to the would-be hackers are control systems that automate industrial processes inside water treatment plants, dams, and other critical infrastructure, particularly when those systems are manufactured by Israel-based companies. Between November 2023 and January 2024, near the onset of the conflict between Israel and Hamas, federal agencies said hackers affiliated with the Iranian Islamic Revolutionary Guard Corps actively targeted and compromised Israeli-made programmable-logic controllers and human-machine interfaces used in multiple sectors, including US Water and Wastewater Systems facilities. At least 75 devices, including at least 34 in US-based water facilities, were compromised.

Hackers in those operations targeted Unitronics Vision Series devices that automate processes inside water facilities. After gaining control of the devices, the hackers interfered with their ability to function normally. The actors also introduced changes that prevented the devices from being remotely accessed by administrators. The hacked devices were either protected by default passwords or no password at all, making them easy targets.

Monday's advisory came on the same day that security firm Censys said that Internet scans it performed recently showed that devices made by Israel-based Unitronics and three other manufacturers of control systems aren't properly configured to withstand hack attacks. The other three manufacturers are Orpak SiteOmat—also from Israel—Red Lion equipment, and the Tridium Niagara framework. The devices are widely used throughout the US.

During a six-month time frame from January to June of this year, Censys observed increases in the number of these devices that are exposed to the Internet. The biggest increase came from automation and control tools using the Niagara framework from Tridium. The tools are used to integrate building automation and controls for HVAC and security systems into a single interface. Over the six-month span, the number of exposed devices rose by 9 percent, from 39,371 to 43,167. Exposed devices from Red Lion, meanwhile, rose 7 percent, from 2,453 to 2,639. Unitronics exposures increased 4 percent, from 1,622 to 1,697. Exposures of Orpak devices fell by 24 percent over the same period.

Censys said that both Unitronics and Orpak SiteOmat devices ship or previously shipped with default credentials, a practice that can “render access to these systems trivial for a threat actor.”

Both of Monday's publications provide practical advice admins can follow to harden their control systems against such attacks. Chief among the directives is protecting devices with strong passwords.