US cybersecurity experts failing, can’t stop Iran-backed hackers from going after their water systems

Iranian-backed hackers have been going after several water treatment and sewage treatment plants in the US for quite some time now. While authorities in the US are actively addressing the cyber attack campaign, so far they have been failing, miserably.

Their novel situation? Stop using the automated systems, and operate the vital systems of the plants, manually.

Eric Goldstein, Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency, reported the active targeting and exploitation by these hackers. While a “small number” of water utilities have been compromised, Goldstein reassured that there has been no known impact on the safety of drinking water or operational systems.

Among the affected utilities is the Municipal Water Authority of Aliquippa in western Pennsylvania, which had to resort to manual systems, as reported by WaterISAC, an industry information-sharing body.

The CyberAv3ngers group, affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps, has been identified as the perpetrators. They are specifically targeting programmable logic controllers, manufactured by Unitronics, an Israeli company. These controllers are widely used in water and wastewater systems, as well as in other industries such as energy, food and beverage manufacturing, and healthcare.

A joint cybersecurity advisory issued by US agencies, including CISA, the FBI, and the National Security Agency, along with the Israeli National Cyber Directorate, warned about the potential breach of these controllers, emphasizing the risks associated with internet connectivity and the use of default passwords.

The CyberAv3ngers group, known for claiming responsibility for various attacks on critical infrastructure since 2020, has faced scepticism regarding the actual impact of their actions. Experts, including John Hultquist from Mandiant Intelligence, noted that the group tends to fabricate or exaggerate their impact, focusing more on undermining a sense of security than causing physical harm.

Michael Hamilton, Founder and Chief Information Security Officer at Critical Insight, highlighted that the success of these less sophisticated hackers often results from security oversights by their victims. The fragmented nature of the US water industry, comprising approximately 165,000 drinking water and wastewater systems, adds to the challenge, with many lacking basic cybersecurity protections.

(With inputs from agencies)