December 6, 2023 | Policy Brief

Iranian Hackers Compromise American Water Utilities

U.S. government officials confirmed on Friday that “Cyber Av3ngers”, an Islamic Revolutionary Guard Corps-affiliated hacking group, attacked a Pittsburgh-area water utility and nearly ten other small utilities across the United States by compromising an Israeli-made industrial control device. Making good on threats to target any Israeli equipment anywhere in the world, the attackers are probing American resolve and attempting to scare small U.S. businesses away from purchasing Israeli products.

To penetrate the utilities, Cyber Av3ngers exploited a vulnerability in a device made by the Israeli company Unitronics for controlling industrial processes, warning “Every equipment ‘made in Israel’ is Cyber Av3ngers legal target.” Water utilities use these types of devices to automatically control water flow, pressure, and chemical composition. Press reports and an advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency, and the Israeli National Cyber Directorate conclude that the attackers likely breached devices that were exposed to the internet and used a simple default password. Lacking cybersecurity awareness and resources, small water utilities may have done a poor job of installing and configuring dozens of these devices, leaving themselves unprotected.

In the case of the Municipal Water Authority of Aliquippa, PA, the breach shut down one of the utility’s automated water pump stations, forcing it to operate in manual mode. CISA confirmed that none of the other hacks affected operations or access to safe drinking water. Brett Leatherman, section chief of national security cyber operations at the FBI, however, warned that hackers can use the kind of access that Cyber Av3ngers achieved to gain deeper network access and cause “more profound cyber-physical effects.”

Cyberattacks against Israeli targets by Iran-backed and pro-Hamas hackers have skyrocketed since the start of the Israel-Hamas war. Cyber Av3ngers itself claimed in a social media post in October to have hacked at least 10 water treatment stations in Israel, but the objective of the attacks in the United States seems different. Rather than causing an operational disruption, the hacks are an apparent attempt to dissuade companies from using Israeli technology or purchasing Israeli equipment. This information operation is a form of cyber-enabled economic warfare designed to weaken the strategic relationship between the United States and Israel.

The Iranian attacks add urgency to the Biden administration’s efforts and those of members of Congress to shore up the cybersecurity of the water sector, one of the most vulnerable sectors of U.S. critical infrastructure. Improving the sector’s resilience requires enhanced collaboration among utilities, industry-led associations and information sharing bodies, and U.S. government agencies. This collaboration should create best practices, guidance, and standards that raise baseline cybersecurity.

At the same time, the Biden administration needs to send a clear signal to Iran that these attacks are unacceptable. After Russia-based cyber criminals conducted a ransomware attack on a large gas pipeline in May 2021, President Biden warned his Russian counterpart that the U.S. government would respond to cyberattacks on critical infrastructure, possibly using America’s own cyber capabilities. Iranian leadership appears to need a reminder. At a minimum, U.S. Cyber Command should disable the network infrastructure of Iranian hackers to send that message.

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. Suyash Pasi is a CCTI intern. Follow Annie on X @afixler. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
