CISA Publishes Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - 20231204002
Overview
Since the publication of Advisory #20231129001, CISA has released a joint Cybersecurity Advisory (CSA), IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors, including U.S. Water and Wastewater Systems (WWS) facilities, by advanced persistent threat (APT) cyber actors affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) and operating under the persona "CyberAv3ngers".
Cyber Actor Information
CyberAv3ngers (also known as CyberAveng3rs or Cyber Avengers) is an IRGC-affiliated Iranian cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.
CyberAv3ngers is actively targeting and compromising Israeli-made Unitronics Vision Series PLCs. These PLCs are common in the WWS Sector and are also used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The same PLCs are sold rebranded under other manufacturers' and companies' names, so an asset inventory should identify them by controller model and protocol rather than by the label on the faceplate.
Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs. The actors compromised Unitronics Vision Series PLCs with integrated human machine interfaces (HMIs). The compromised devices were exposed directly to the internet, were still using default passwords, and were listening on the Unitronics default TCP port 20256. These PLCs and related controllers are often reachable from the internet because they are monitored and controlled remotely, which is exactly the exposure the actors exploited.
Indicators of Compromise (IOCs)
Indicator | Type | Fidelity | Description |
---|---|---|---|
BA284A4B508A7ABD8070A427386E93E0 | MD5 | Suspected | MD5 hash associated with Crucio Ransomware |
66AE21571FAEE1E258549078144325DC9DD60303 | SHA1 | Suspected | SHA1 hash associated with Crucio Ransomware |
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 | SHA256 | Suspected | SHA256 hash associated with Crucio Ransomware |
178.162.227[.]180 | IP address | | |
185.162.235[.]206 | IP address | | |
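The two operational checks this advisory implies are (a) whether any of the published IPs or hashes appear in your own telemetry and (b) whether a Unitronics PLC is reachable on TCP 20256 from outside your network, which is the precondition for the intrusions described above. The script below is an added example written for this page; it is not WA SOC or CISA code. It re-fangs the indicators from the table, then runs three rules over log lines. The key=value log format, every sample line, and the `INTERNAL_NETS` address space are constructed assumptions: adapt `parse_kv()`, the field names (`src`, `dst`, `dport`, `hash`) and `INTERNAL_NETS` to your own firewall or EDR export.

```python
"""Triage firewall / endpoint log lines against the advisory's IOCs.

Added example for this advisory, not WA SOC or CISA code. The key=value log
format and every log line below are constructed for the demonstration;
adapt parse_kv() and the field names (src, dst, dport, hash) to your own
firewall or EDR export. INTERNAL_NETS is an assumption: replace it with the
address space you actually own.
"""
import ipaddress
import re

# Indicators copied from the advisory table, exactly as published (IPs defanged).
IOC_IPS_DEFANGED = ["178.162.227[.]180", "185.162.235[.]206"]
IOC_HASHES = {
    "ba284a4b508a7abd8070a427386e93e0",                                  # MD5
    "66ae21571faee1e258549078144325dc9dd60303",                          # SHA1
    "440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3",  # SHA256
}
UNITRONICS_PCOM_PORT = 20256  # default TCP port named in the advisory

# Assumed internal address space; anything outside it is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def refang(indicator: str) -> str:
    """Convert a defanged indicator (1.2.3[.]4, hxxp://...) back to its live form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse a key=value log line; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_internal(ip: str) -> bool:
    """True if ip falls inside INTERNAL_NETS; unparsable strings count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return (rule, line) pairs for every log line that matches a detection rule."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        src, dst = ev.get("src", ""), ev.get("dst", "")
        dport = int(ev["dport"]) if ev.get("dport", "").isdigit() else 0

        # Rule 1: any flow to or from an IP the advisory attributes to CyberAv3ngers.
        if src in IOC_IPS or dst in IOC_IPS:
            findings.append(("ioc_ip", line))

        # Rule 2: a non-internal source reaching the PLC port means the PLC is
        # internet-exposed, the precondition for the intrusions described.
        if dport == UNITRONICS_PCOM_PORT and not is_internal(src):
            findings.append(("plc_exposed_pcom", line))

        # Rule 3: a file hash from the advisory observed on an endpoint.
        if ev.get("hash", "").lower() in IOC_HASHES:
            findings.append(("ioc_hash", line))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "ts=2023-12-04T01:02:03Z action=allow src=185.162.235.206 dst=203.0.113.10 dport=20256 proto=tcp",
    "ts=2023-12-04T01:02:04Z action=allow src=198.51.100.7 dst=192.168.10.5 dport=20256 proto=tcp",
    "ts=2023-12-04T01:02:05Z action=allow src=192.168.10.20 dst=192.168.10.5 dport=20256 proto=tcp",
    "ts=2023-12-04T01:02:06Z action=allow src=10.0.0.4 dst=203.0.113.50 dport=443 proto=tcp",
    'ts=2023-12-04T01:05:00Z host=hmi-01 event=file_create path="C:\\Users\\op\\x.exe" hash=BA284A4B508A7ABD8070A427386E93E0',
]

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```

Rule 2 fires on any allowed inbound connection to port 20256 from outside the internal ranges, not only on the published IPs, because the IOC list is a snapshot and the exposure itself is the problem. The third sample line (an engineering workstation on the same subnet talking to the PLC) produces no finding, which is the expected baseline for a correctly segmented OT network. Hash matching is case-insensitive since EDR exports differ in case.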
Recommendations
The WA SOC encourages OT/ICS organizations to review the CSA and implement its mitigations and recommendations. The headline mitigations are to remove Unitronics PLCs and HMIs from direct internet exposure (where remote access is unavoidable, place them behind a firewall or VPN with multifactor authentication), to replace all default passwords, including the Unitronics default "1111", with strong ones, to move the device off the default TCP port 20256 where the controller supports it, and to update the PLC and HMI to the latest firmware published by Unitronics. Additionally, it is highly recommended to confirm that recent backups of PLC logic and configuration exist and restore cleanly, so that a defaced or wiped controller can be recovered quickly.