The overlaps between cyber threats and regional kinetic events have never been more evident than throughout 2023. Cyber adversaries have used the conflicts between Ukraine-Russia and Israel-Hamas to conduct targeted and opportunistic operations against critical infrastructure. Less sophisticated hacktivists, motivated by notoriety and drawing global attention to social and geopolitical events, have used both conflicts to spread misinformation, fear, uncertainty, and doubt (FUD) about industrial organizations’ resilience to cyber attacks and their ability to maintain critical services people rely on.
Dragos Threat Intelligence has been tracking an uptick in hacktivist cyber operations since the start of both conflicts. Several hacktivist groups have come out of the woodwork during the Israel-Hamas conflict. The Cyber Av3ngers is one such group. They were first observed in early September 2023 to claim the successful disruption of Israel Railway’s network systems – a claim Dragos Threat Intelligence later assessed as false. A few weeks later, in early October 2023, the Cyber Av3ngers made additional claims of successful disruptive cyber attacks against an Israeli power grid and a small Israeli city (Yavne). Like their claim about the Israel Railway disruption, Dragos Threat Intelligence assessed the October 2023 claims as false or grossly exaggerated. Also, during this time, the Cyber Av3ngers posted on their Telegram channel they would be targeting Israeli technology companies.
When a municipal water authority in the United States disclosed that the Cyber Av3ngers hacktivist group had compromised OT assets within their environment on or around November 25, 2023, it goes without saying that Dragos Threat Intelligence was a bit skeptical. However, after investigating the incident further, it was clear that Cyber Av3ngers had indeed successfully accessed one of the water authority’s Unitronics programmable logic controller (PLC) devices and altered the device’s menu page with anti-Israel commentary. Unitronics is a technology manufacturing company based in Israel. They provide automated solutions for companies in various industry sectors, including water, energy, agriculture, building automation systems, food and beverage, and chemicals. The attacks against Unitronics devices are rooted in the conflict in Israel, and there is no indication that Cyber Av3ngers were targeting one specific region or industry sector.
Hear from Dragos Threat Intelligence Experts
Watch our Intel Briefing to learn more about CyberAv3ngers threat activity targeting OT and what you can do to fortify your defenses.
Watch On-DemandThe initial infection vector is not fully understood, but Dragos Threat Intelligence suspects the Cyber Av3ngers utilized basic techniques to scan the internet, identify accessible Unitronics devices, and then tried to log in using default credentials, which can be found in online Unitronics operating manuals.
The downstream impacts to organizations by this intrusion will vary depending on the type of organization and what dependencies exist for the Unitronics devices, but at this time, Dragos Threat Intelligence is unaware of any significant downstream impacts. However, we have identified multiple global industry sectors that have Unitronics devices deployed within OT environments. It stands to reason that the Cyber Av3ngers could opportunistically try to gain access to as many Unitronics devices as possible.
On November 28, 2023, the Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) published an Advisory Alert (AA) titled, “Exploitation of Unitronics PLCs used in Water and Wastewater Systems.” The CISA alert provided the following recommendations:
- Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
- Require multi-factor authentication (MFA) for all remote access to the OT network, including from the IT network and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multi-factor authentication for remote access even if the PLC does not support multi-factor authentication. Unitronics also has a secure cellular-based, long haul transport device that is secure to their cloud services.
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
- If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber adversaries are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
- Update PLC/HMI to the latest version provided by Unitronics.
In addition to the above recommendations, Dragos recommends implementing the 5 Critical Controls for World-Class OT Cybersecurity to defend against these types of attacks.
- Ensure your company has an OT incident response plan in place that is tested frequently.
- Make sure all ICS assets are sufficiently hardened and appropriately segregated from other non-ICS/OT networks.
- A successful OT security posture is dependent on visibility and monitoring of critical ICS assets, including vulnerability maps, and mitigation plans for each component.
- Remote access should be secured with multi-factor authentication (MFA) and only made available to those who need it based on the actions they need to take.
- Organizations that have ICS assets within their environment need to know which technologies are vulnerable and have a plan to manage those vulnerabilities.
Watch Our Intel Briefing
Ready to put your insights into action?
Take the next steps and contact our team today.