- The Cybersecurity and Infrastructure Security Agency warned Tuesday that threat actors are attempting to exploit Unitronics programmable logic controllers that are used in water and wastewater treatment facilities.
- The warning comes days after a reported attack against the Municipal Water Authority of Aliquippa, which provides water treatment to facilities in multiple townships in Pennsylvania.
- The hack was connected to an Iran-linked group called Cyber Av3ngers, according to Check Point Research. The group has targeted critical infrastructure in Israel since the start of the war with Hamas in early October.
The incident raises the spotlight on a sector that has been the focus of Biden administration efforts to secure critical infrastructure. The attack comes weeks after the Environmental Protection Agency was forced to rescind water system audits after a legal challenge from state officials.
Check Point said the group has exploited Microsoft Exchange vulnerabilities for initial access into systems.
Federal authorities, including the FBI and Department of Homeland Security have taken the lead on investigating the incident, according to a Pennsylvania State Police spokesperson.
The FBI confirmed it is investigating multiple cyberattacks nationwide.
“The FBI is aware and investigating the various incidents across the country,” a spokesperson said via email. “We will continue to assist impacted organizations.”
The agency is asking anyone who thinks they may have been impacted by these attacks, to file a report with the Internet Crime Complaint Center at www.ic3.gov. The FBI did not specify which other cyber incidents were under investigation.
The Water Information Sharing and Analysis Center on Tuesday issued an advisory regarding the threat to water treatment facilities, noting the group has launched attacks against multiple facilities in Israel.
Officials at Unitronics were not immediately available for comment.
The programmable logic controllers are used to turn off pumps at a pump station to fill tanks and reservoirs, flow the pace chemicals and also gather monthly compliance data, according to CISA.
The hackers are suspected of accessing the device, a Unitronics Vision Series PLC with a human machine interface, by exploiting weaknesses in the system, including poor password security and exposure to the internet, the agency said.
CISA is urging organizations to take several immediate steps:
- Change the default password on the Unitronics PLC device.
- Require multifactor authentication for all access to the OT network.
- Disconnect the PLC from the open internet link. However if remote access is necessary, install a firewall or VPN to control network access.
- Backup the logic and configurations on any Unitronics PLC device.
- If possible, use a TCP port other than the TCP 20256 default port.
Editor's note: This story has been updated to include details on the FBI investigation.