Skip links

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA is investigating a cyberattack against a Pennsylvania water authority that has been linked to what are suspected to be Iranian miscreants. The US Homeland Security agency also warned it is expecting more attempts to subvert programmable logic controllers in America’s critical infrastructure.

Over the weekend, the Municipal Water Authority of Aliquippa, which serves about 15,000 customers in the Pittsburgh area, said an anti-Israel cybercrime gang called Cyber Av3ngers infiltrated one of its booster stations the Friday after Thanksgiving. This same crew claimed to have compromised 10 water systems in Israel, and boasted about its exploits on its Twitter feed.

The compromised Aliquippa system, a Unitronics Vision Series PLC, displayed a warning that the intruders would be targeting Israeli-made gear because of the ongoing Israel-Hamas war.

The water authority immediately took the system offline, switching to manual operations after the intrusion, which didn’t affect the region’s drinking water or water supply.

“It’s a pain,” Robert J. Bible, the water authority’s general manager, told CNN

“Somebody’s got to wake up at three in the morning and go turn on or turn off those pump stations. It’s just a big inconvenience until we can get the (automated) system back up and running.”

The US Cybersecurity and Infrastructure Security Agency (CISA) said it’s probing the cyberattack, and urged utilities to harden the security of their PLCs. These devices are used to control and monitor water and wastewater treatment processes, including controlling the pumps to fill tanks and reservoirs, the distribution of flow pacing chemicals, and sounding alarms about operational threats. 

“Attempts to compromise WWS [water and wastewater systems] integrity via unauthorized access threaten the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” CISA warned.

Specific to the Aliquippa intrusion, Cyber Av3ngers likely breached the device “by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” the agency noted.

How to secure PLCs

The Unitronics PLC default password is “1111,” and if this hasn’t already been changed, it’s a good idea to do so immediately. Making the equipment reachable from the public internet is also not a great idea. Additionally, water utilities should require multi-factor authentication (MFA) for all remote access to the operational technology network, including from the IT and any other external networks, the CISA recommends.

It’s a good idea to disconnect the PLC from the open internet. But if remote access is a must, then require a secure VPN or place some other gateway in front of the PLC as that should provide stronger authentication, security, and MFA, even if the PLC doesn’t support it, is the advice. Also, if possible, change the default access port, TCP port 20256, to something else. 

“Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC,” according to CISA. “Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection.”

It sounds to us like miscreants are scanning the internet for open TCP 20256 ports, and trying to log in using weak, default, or brute-forced passwords, or perhaps some other weakness; blocking that off and requiring a secure tunnel to access is a good move as well as changing the device passcode. And, as always, back up the logic and configurations to enable fast recovery — especially in the case of a ransomware infection. 

Ransomware crew hits Texas water district

Speaking of which: another water authority — this one in Texas — is in the process of fixing its IT systems after ransomware crew Daixin Team claimed to have broken into its network and stolen sensitive information.

Daixin listed the water district on its website as a victim, and claimed to have stolen more than 33,000 files potentially containing names, dates of birth, Social Security numbers, and other personal information. The gang said a “full leak” of the information may happen “soon.”

The North Texas Municipal Water District, which provides services to more than two million customers, “recently detected a cybersecurity incident affecting our business computer network,” spokesperson Alex Johnson told The Register.

The district’s core water, wastewater, and solid waste management services were not affected by the intrusion, Johnson added. 

While most of the business network has been restored, the phone system remains down. “We hope to have it back online this week,” Johnson said.

The water district has also notified law enforcement, and hired security specialists to investigate the digital break-in. “The investigation is ongoing at this time and includes a review of any potentially impacted District data,” Johnson said.

Daixin is the same group of criminals that, in October, shut down IT systems across five Ontario, Canada hospitals and claimed to have stolen more than 5.6 million patient records.

On Monday, Daixin listed the purloined papers as “sold” on its leak site. ®