Cyber Security Threat Summary:
A regulatory agency in Florida confirmed they responded to a recent cyber attack last week as US cybersecurity agencies warn of foreign attacks against water utilities. A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”

While the agency does not have direct control over water utility technology, they oversee the long-term supply of drinking water for the region, mostly relating to educating the public about water conservation, setting rules for water use, conducting research, collecting data, restoring and protecting water above and below the ground, and preserving natural areas.

The impacted utility was targeted by ransomware actors who provided samples of data it had stolen, though it is unclear how much data was taken.

Security Officer Comments:
This attack comes on the heels of a US advisory warning of several incidents against companies involved in water treatment and distribution. Specifically, CISA is warning about the active exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector.

A Pennsylvanian water utility and brewery had their PLCs targeted in late November, and a water utility serving 2 million people in North Texas confirmed that they were dealing with a cyber event that had caused operational issues. CNN reported late last week that CISA told Senate and House staffers on Thursday that “less than 10” water facilities in different parts of the US have faced cyberattacks in recent days.

A pro-Iranian hacktivist group called the CyberAv3ngers has claimed responsibility for the Pennsylvanian attacks on social media, and is now touting attacks on 10 water treatment plants in Israel.

CISA worked with the FBI, National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) to release an advisory warning that actors are connected to the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The group is “actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs),” the advisory says.

The agencies said hackers affiliated with the IRGC have compromised default credentials in Unitronics devices since at least November 22 and explicitly claim that their motivation is to target anything associated with Israel, according to defacement images seen by U.S. authorities.

The kind of Unitronics devices being attacked are often exposed to the internet due to the remote nature of their control and monitoring functionalities, they explained. “The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment,” they said.

While the U.S. campaign began in November, the hackers have been active since at least September, claiming on their Telegram channel both legitimate and false attacks against Israeli PLCs in the water, energy, shipping, and distribution sectors. It is not uncommon for these actors to exaggerate the impacts of their attacks, a form of disinformation designed to shame and weaken Israel’s image.

Suggested Correction(s):
Cybersecurity nonprofit Shadowserver Foundation said that through its research tool, they found at least 539 Unitronics PLC instances still publicly exposed worldwide. While these devices may be connected to the Internet for remote monitoring and management, organizations should follow CISA provided best practices to secure these PLCs.

Immediate steps to prevent attack:

• Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use.
• Disconnect the PLC from the public-facing internet.

Follow-on steps to strengthen your security posture:

• Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.
• If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
• Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity.
• Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer.
• Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.

Link(s):
https://therecord.media/florida-water-agency-ransomware-cisa-warning-utilities
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a