There is perhaps no organization that better embodies the true spirit of a villain like the hacktivist group. Ripped from the pages of a graphic novel, these organizations are as altruistic in the motives as they are ruthless in getting results. Fueled by an unwavering belief in a cause that they know is right, these groups are bold, intelligent and dangerous.
One such case is a group that goes by the name of the Cyber Av3ngers. The Iran-affiliated group has been vehement in their anti-Israel stance, using social media to propagate a narrative that the social and economic issues of the region are the result of corrupt and over-zealous military action by Israel.
The group first registered on the cybersecurity radar in September of last year, taking credit for attacks against Israeli infrastructure and tech companies that were widely disputed. However, in November a municipal water authority in Pennsylvania revealed that they had been the victim of a Cyber Av3ngers attack that compromised OT assets by accessing the organization’s programmable logic controllers.
The attack was made possible by exploiting poor password protocols and unsecure internet connections. According to several reports, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Cyber Av3ngers utilized basic techniques to scan the internet, identify the devices made by Israel-based Unitronics, and then log in using default credentials that were never changed during implementation.
For those unfamiliar with PLCs, these devices are used help control and monitor various production processes, and can include regulating the functionality of instrumentation and automation equipment. By obtaining access to the PLC, a hacker has a way into the industrial control system and, depending on the level of segmented cyber defense, potentially unlimited control of the production facility or enterprise. It’s a gateway into critical OT systems.
In this instance, the group could have turned pumps on or off to control water supply, or infiltrated key operational systems that impact water treatment. Fortunately, the utility in question was able to identify the attack quickly enough to shut down the PLCs and resort to manual operations until the hack was resolved. The only known damage was the Cyber Av3ngers leaving anti-Israel commentary on the control panel of several Unitronics customers.
However, several other users, including several U.S. breweries, were forced to shut down operations until a solution was provided by Unitronics. Beyond water treatment, the company’s PLCs are used in numerous industrial applications, including food and chemical processing.
While the attack stemmed from a very specific geo-political philosophy, the results were much further reaching, and illustrate the dangers of such groups and the potential threat, however unintentional, that they present to the ICS. After all, if this group was able to figure out how to hack PLCs, what would prevent more notorious and well-organized ransomware groups from targeting these same components and their affiliated systems with distributed denial of service (DDoS) and extortion campaigns.
CISA has since issued guidelines for responding to the vulnerability that include:
- Changing all default passwords on PLCs and HMIs (human machine interfaces) to a stronger password. Believe it or not, the agency felt compelled to state that the default password of 1111 should not be used.
- Require multifactor authentication for all remote access, including from the IT and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC by implementing a Firewall/VPN in front of the PLC. Unitronics also offers a secure cellular-based longhaul transport device that is secure to their cloud services.
- Use an allow list of IPs for access.
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery.
- If possible, utilize a TCP port that is different than the default port.
- Update the PLC/HMI to the latest version provided by Unitronics.
In looking for greater depth on the situation, we recently sat down with Marty Edwards, deputy CTO for OT and IoT at Tenable, a leading industrial cybersecurity solutions provider.
Jeff Reinke, editorial director: What has been the extent of the damage caused by this attack?
Marty Edwards, deputy CTO for OT and IoT, Tenable: In an alert issued on November 28, CISA confirmed that Unitronic PLC devices were actively being exploited. Cybercriminals are taking advantage of persistent usage of default passwords to obtain access and threaten the ability of the Water and Wastewater Systems (WWS) sector to provide clean potable water and effectively manage wastewater.
Investigations are still ongoing, but it’s assumed with a degree of certainty that cybercriminals exploited Unitronics PLC devices to launch a ransomware attack on the Municipal Water Authority of Aliquippa in Pennsylvania.
JR: It’s hard to imagine that default passwords could have been kept in place for such an important asset. Do you think this access point was targeted, or found unintentionally by the hacking group?
ME: Likely a mix of both – routine cybercriminal activity involves searching the internet for connected devices and assessing whether the user has neglected to change the default password, or is using a common weak password (think “Admin”). A cyber attacker likely found a Unitronics PLC using the default password and took note of other exposed devices with the same issue to launch a coordinated attack.
It’s clear the attackers were intentionally targeting this brand of PLCs. I don’t think the wastewater sector was specifically targeted, nor was the specific entity.
JR: Can you expand or provide more specifics on the comments from CISA stating that access stemmed from “exposure to the internet” – what type of exposure are they referencing?
ME: This set of attacks takes advantage of direct internet accessibility, a highly favorable attack method as companies have turned to making their control systems assets more remotely available. While connectivity provides countless benefits in the digital age, it can also leave an organization exposed if not properly secured.
It is very easy for attackers to search the internet for devices that are protected only by a factory default password, which is even easier to find online in the user manual. Manufacturers and end users must layer defenses in place, like two robust multifactor authentication programs - one to get into the enterprise network and another to get between corporate environments and sensitive OT networks – which PLCs fall within.
JR: It’s 3+ years after Colonial Pipeline and we’re still having issues with critical infrastructure and poor password security. Is this just an internal oversight? Trying to connect new technology to legacy systems? Poor endpoint security? A combination of these issues, or something else?
ME: The reality is likely a combination of all of these issues. The active exploitation of Unitronics PLCs is continued evidence that industrial security is in need of significant improvements, and government regulation at some capacity is necessary to ensure the cyber safety of public services like water and wastewater systems.
Manufacturers supplying industrial components with default passwords that are not required to be changed upon installation is certainly a factor and “secure by design” initiatives should help. A basic implementation error, such as leaving a default password in place when installing a device, highlights the immediate need for basic cybersecurity hygiene.