In December 2023, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) issued an alert regarding the activities of Iranian cyber actors dubbed “CyberAv3ngers” believed to be tied to Iran’s Islamic Revolutionary Guard Corps (IRGC). The alert cited that this group had made false and legitimate claims to have compromised critical infrastructure targets in Israel and the United States, the breadth of which warranted an advisory highlighting tactics, targets, and technical indicators of compromise to inform public and private organizations’ cybersecurity practices. The activities were substantial enough that in February 2024 the United States sanctioned six Iranians involved in these and other cyber activities further underscoring the seriousness of the intent and capabilities of these actors.
Unquestionably, the tendency of the CyberAv3ngers to deliberately target critical infrastructure is worrisome, especially given that any such access would facilitate executing a debilitating or other harmful action, putting this group in the crosshairs of both the United States and Israel. Most notably, the group appears to be focused on compromising water facilities, though it had previously targeted other infrastructures such as energy, shipping, and healthcare entities, as well. Per the alert, the CyberAv3ngers had successfully conducted operations against water facilities in the United States during November and December 2023. A Pennsylvania water authority, a Texas water utility, and a Florida water agency were among the compromised targets. Though these incidents did not result in any significant consequence, the group left messages claiming responsibility, expressing their views on Israel, and ultimately sending a clear message that it could compromise high-value targets and potentially do damage if it wanted.
When it comes to critical infrastructure security, energy and finance seem to always jump to the forefront of people’s concerns largely because of the impact and fallout should the worst-case scenario transpire. No doubt the very publicized attacks against Ukrainian power by Russia and notable incidents against financial institutions have contributed to this perception. But to be fair, any successful attack against any critical infrastructure can be devastating and given that there are 16 sectors warranting this designation, defending all with equal intensity, funding, and resourcing seems more aspirational than feasible. Nevertheless, what’s intriguing about the publicly reported incidents is that it appears that Iran is demonstrating a concerted interest in targeting water and wastewater treatment facilities to show that it has capabilities on par with other state actors, and what’s more, a history of going after targets that have direct implications on civilian populations.
Iran’s attention to water facilities can be traced back to at least 2013 when one Iranian actor obtained unauthorized access into the SCADA systems of New York’s Bowman Dam, for which he was indicted by the Department of Justice. The access provided the actor with information regarding the status of the operation of the dam, the ability to control water levels and flow rates and would have permitted him to remotely operate and manipulate the dam’s sluice gate. While this event seemed to be isolated, Iran’s interest in such targets would continue to increase over time. In April 2020, Iran allegedly executed cyber attacks against six Israeli water systems resulting in a pump at one site to operate continuously; the destruction of data at another; the manipulation of data at a third, and the takeover of an operating system at a fourth. In one incident, it appeared that the attackers attempted to modify chlorine levels in the water supplied to Israeli homes. June 2020 saw two more Iranian cyber attacks targeting agricultural and water pumps in two Israeli cities. Finally, the end of 2023 bore witness to the attacks against U.S.-based water facilities, as well as the unconfirmed attacks against 10 treatment facilities in Israel.
This frequent targeting of entities in the water sector does not appear to be happenstance. One reason may have to do with the actual target itself. For example, with respect to the attacks claimed by CyberAv3ngers, it is largely contended that the group purposefully went after their targets because they incorporated Israeli-made Unitronics programmable logic controllers that were exposed to the Internet. It didn’t hurt that these devices used default passwords and easily identified by Shodan. The CyberAv3ngers posted proof-of concept schematics in their social media channels to legitimize their claims, and in a defacement message stated that “every equipment made in Israel is Cyberav3ngers legal target.” Still, this seems quite an effort to just go after devices because they were Israeli made. It will be enlightening to see if the group goes after every Israeli device in a similar manner.
But while Unitronics supplying several water sector organizations’SCADA systems may explain the motivation behind the recent attacks, it does not reflect the greater interest in water facilities as viable targets. In fact, this increased attention to these entities promptly led DHS, the FBI, and the Environmental Protection Agency to publish revised cybersecurity recommendations to enhance protections for stakeholders to improve resiliency and reduce risk. Based on previous Iran-linked cyber activity against these high-value targets, it seems logical that Iran may be seeking to establish permanent access to be exploited at a time of their choosing, similar to the way China is allegedly doing in the energy sector. Such access does not have to be leveraged immediately but can be capitalized on later as long as a foothold can be established and preserved. While recently China has also been suspected of similar infiltrations against the U.S. water sector, Iran stands out as a more immediate threat due to its attempts to inflict harm by manipulating chlorine levels. This is of significant concern, especially given Iran’s track record of benefiting from the efforts of non-state proxies and sympathizers against its enemies. Cyber lends itself to such nonstate actor malfeasance providing a state both the advantage of its work as well as plausible deniability for its actions.
Whether such access if obtained would be used for destructive results would largely be dependent on how the Iranian regime perceives threats to its stability and authority. But it does send a message to which similar compromises to energy and finance cannot compare. People can live without power for a period and money can be replaced, but a potential threat to drinking water – that is, life – cannot be measured. Exacerbating the matter is that many of these facilities often lack the personnel and technical resources to address the threat or implement robust cybersecurity mechanisms. Such concerns are clarion calls prompting a recent meeting of key Administration officials and state and local officials to convene and discuss water sector cybersecurity. Like with other efforts in other critical infrastructure, this is a necessary first step on a very long road.
I previously suggested that the United States needs to rethink how it addressed critical infrastructure cybersecurity, and that still stands. It wasn’t that long ago when the threat of such targeting was a concern. Now it’s a reality. Perhaps more worrisome is the work that states are doing not to immediately attack these organizations, but to infiltrate them, set up beachheads, and hide and move within them undetected until they are operationalized. This will truly separate the savvy actors from the rest of the pact much to the cyber defender’s chagrin, truly underscoring the “zero trust” mindset being pushed by experts. Because soon, it will no longer be, “assume you have already been breached,” but “assume there is an actor already inside your perimeter,” and that’s a position no organization wants to find itself in.
This post was originally published on the 3rd party site mentioned in the title of this this site