An ongoing cyber campaign against Unitronics PLC devices has impacted multiple U.S. water facilities, but authorities are also monitoring energy, healthcare, and food and beverage manufacturing.
The attacks arrive against a backdrop of heightened concerns about water and wastewater security in the U.S. The security of public drinking water and other water facilities has been a major focus of CISA and the Environmental Protection Agency, which attempted to implement mandatory water system audits in March but later had to withdraw the plan after a legal challenge.
Cyber Av3ngners has been linked to the late November attack against the Municipal Water Authority of Aliquippa in Pennsylvania. The hackers have targeted Israel since 2020 and have a history of making exaggerated and false claims about attacks against critical infrastructure, according to authorities.
“Even if they shut down water at these sites, their goal would be the same,” John Hultquist, chief analyst at Mandiant Intelligence, a Google Cloud unit, said via email. “They are trying to undermine our sense of security. It doesn’t really matter whether they do that through expertise or exaggeration.”
There are more than 1,800 Unitronics PLC devices exposed to the internet worldwide, according to research released by Forescout Wednesday. Dozens of them are exposed in several U.S. locations, including Chicago, Dallas and Chesterfield, S.C.
Researchers at Shadowserver reported 539 Unitronics instances still exposed as of Saturday.
Organizations using these devices should immediately change any default passwords, disconnect the PLC from the public facing internet and implement multifactor authentication to protect access to the OT network.
Between Sept. 13 and Oct. 30, Cyber Av3ngers claimed on a Telegram channel numerous attacks against critical infrastructure in Israel, however many of the claims were false, according to the advisory. Others, however, were legitimate.
The water and wastewater sector has already documented multiple attacks in recent weeks. A separate suspected ransomware attack, linked to the the Daixan Team threat group, was reported in North Texas last month
An October ransomware attack against Atlanta-based Mueller Water Products, disrupted the company’s operations and delayed its earnings report for the fiscal year ending Sept. 30. The company said Wednesday it had finally contained the incident and would report its fiscal 2023 earnings no later than Dec. 14, according to a filing with the Securities and Exchange Commission.
Camden, N.J.-based American Water, the nation’s largest regulated water and wastewater utility, said it was not impacted by the attacks, but “has taken several steps to help maintain the security of our systems,” and has worked with local, state and federal officials to prepare against potential threats.
“We recognize cyber threats’ sophistication and focus on understanding and minimizing impact if a breach occurs by constantly testing our cyber response protocols,” a company spokesperson said via email.
