While most Americans were enjoying their Thanksgiving holiday weekend, Iranian-backed hacking group CyberAv3ngers managed to gain partial control of a municipal water booster station just outside of Pittsburgh, Pennsylvania. The booster station belongs to the Municipal Water Authority of Aliquippa, which supplies water for over 6,500 residents.
There is currently no known risk or disruption to the water supply, and the system has been disabled while authorities investigate and monitor the situation further. The CyberAv3ngers have previously carried out attacks against critical infrastructure targets in Israel, including water treatment facilities. This attack comes as the U.S. and other governments are attempting to develop new strategies to defend against cyberattacks on critical infrastructure.
The Aliquippa Municipal Water Hack
On Saturday, November 25th, an alarm sounded notifying the Aliquippa Municipal Water Authority of a cyberattack at one of their booster stations. During the attack, the Iranian-backed hacker group CyberAv3ngers was able to gain control of several surveillance cameras and partial control of a pump which monitors and regulates water pressure for Raccoon and Potter township.
Chairman of the Board of Directors for the Aliquippa Municipal Water Authority Matthew Mottes stressed that there is no known risk to the water supply. He also stated hackers did not gain access to any other parts of the water system, as the pump was on its own network, separated from the rest of system and other networks. Water authority workers were able to immediately take manual control of the system after the alarm notified them of the breach, and residents did not experience any disruption to their water supply.
A control panel displayed anti-Israeli imagery along with the message “You have been hacked. Down with Israel. Every equipment made in Israel is CyberAv3engers legal target.” The water system utilizes a Unitronics system, which has parts and software that are Israeli owned.
Unitronics systems have been the targets of previous hacks, and information that can be leveraged in attacks, such as default passwords, can easily be found online. A photo shared by the water authority to local news sites regarding the attack clearly showed the make and model of the hacked monitor, and a quick search revealed numerous online resources for operating the equipment. Video tutorials of troubleshooting techniques, technical manuals, and training guides were all readily available, which could be used to aid hackers. Federal authorities cautioned against sharing photos that could reveal sensitive technical information in the future.
U.S. authorities believe the hackers exploited vulnerabilities such as poor password security and system exposure to the internet. CyberAv3ngers recently hacked at least 10 Israeli water facilities, and most likely utilized experience they gained hacking targets with the same Unitronics components to carry out the U.S. attack.
In April of 2023, Israeli irrigation systems utilizing Unitronics components were temporarily disabled due to a cyberattack. Over 220 Unitronics systems are currently in use in the United States and over 1,800 worldwide in various industries such as agriculture and energy production. There are concerns that this recent attack was just a probing test in preparation for attacks against larger targets in the U.S. and worldwide utilizing these systems. Engineers and investigators are working to identify other areas of vulnerability and notify other municipalities that may be at risk.
Who are the CyberAv3ngers?
While the name may conjure up images of Marvel superheroes, this is an Iranian-backed hacker group that has been active since at least 2021. CyberAv3ngers specialize in targeting critical infrastructure and have carried out numerous attacks, primarily against Israel. On October 10th, they posted on their X (formerly Twitter) account claiming responsibility for a series of cyberattacks on Israeli water treatment facilities.
In July, they launched a successful DDoS attack on BAZAN, one of Israel’s largest oil refineries, which disrupted traffic to their company websites. CyberAv3ngers also claim to have hacked an Israeli electrical station, however an official from the plant said the power disruption was due to a “technical error.” Further investigation by Kaspersky proved that the images CyberAv3ngers shared as “proof” of their success turned out to be recycled images from a previous hack by Moses Staff, another Iranian hacker group.
On their Telegram channel, CyberAv3ngers have posted screenshots showing things such as Supervisory Control and Data Acquisition (SCADA) systems and Unitronics controllers as alleged proof of their previous hacks. They have yet to make any posts on social media regarding their cyberattack on the Aliquippa Municipal Water station, and some experts are wondering why, considering how quick they’ve been to boast about their previous attacks. Could it simply have been a target of opportunity since it used Unitronics components? Or was it an initial probing attack to test the limits and response times?
Other Iranian-backed hacking groups have also targeted U.S. infrastructure. Mint Sandstorm, also known as TA453, is tied to the IRGC and has carried out attacks against energy companies and a major utility & gas company.
Critical Infrastructure Becoming a Common Target
Water treatment facilities, electrical power stations, oil pipelines and more have become common targets in emerging cyber warfare strategy for terror groups and state-sponsored threats. Russia has used cyberattacks against Ukrainian infrastructure with great success. They often plan attacks to coincide with conventional military offenses, including the initial 2021 invasion, and seen again when Hamas began it’s incursion into Israel. Concerns are mounting that China will use cyberattacks against Taiwan in the event of a ground invasion to disrupt communications and power. Experts also believe China will leverage cyberattacks against Western allies to delay or prevent a response in defending Taiwan.
Both physical and cyberattacks against critical infrastructure are on the rise in the United States, and this is not the first time U.S. water facilities have been hacked. In 2021, hackers installed a web shell which enabled remote access at another Pennsylvania water treatment facility, but the attack was thwarted before any further damage could occur. Earlier this year it was discovered that Volt Typhoon, a China-affiliated hacking group, successfully infiltrated numerous infrastructure sectors such as telecommunications and power stations on Guam.
The potential for disastrous consequences from cyberattacks are high. In January of this year, over 45,000 people were left without power after a physical attack on an electrical substation. Federal agencies such as CISA and the Department of Energy are bolstering their defense strategies against both physical and cyberattacks as threats persist.
Although there were no serious consequences from the Aliquippa Municipal Water hack, it highlights the need for America to protect its infrastructure. Recent conflicts across the globe have shown that critical infrastructure has become a common target by conventional militaries and terror groups due to the chaos and disruption the fallout can cause. Utility providers across the US should be proactive about security measures against physical and cyber threats, and not assume they will not be targeted due to geographic location, size, or other factors. As fifth generation warfare evolves, countries can expect to see attacks on critical infrastructure with increasing frequency.