A Florida regulatory agency that oversees the long-term supply of drinking water confirmed it responded to a cyberattack last week as top U.S. cybersecurity agencies warned of foreign attacks on water services.
A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed it had “identified suspicious activity in its IT environment” and that “containment measures have been successfully implemented.”
The agency does not have direct control over water utility technology.
On Friday, a ransomware gang said it attacked the organization, providing samples of what it stole. The cybercriminals did not specify the total amount of data taken during the attack.
Most of the work of the St. Johns River Water Management District involves educating the public about water conservation, establishing water use rules, conducting research, collecting data, restoring and protecting water above and below ground, and preserving natural areas.
“The District actively monitors its computer networks to ensure there is no malicious persistence,” the agency spokesperson said. “Accordingly, the District is continuing its normal business operations. Until our investigation is complete, we are unable to comment further.”
IRGC attacks on Unitronics
The attack comes after US authorities sounded the alarm last week over several incidents affecting companies involved in water treatment and distribution.
The Cybersecurity and Infrastructure Security Agency (CISA) said it was responding to active exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector.
CISA linked the notice to an advisory from the Water Information Sharing and Analysis Center (WaterISAC) regarding an attack on a water utility in Pennsylvania reported on November 26.
Another water utility serving 2 million people in North Texas said Tuesday it was also facing a cybersecurity incident that caused operational problems, but officials did not say whether this was related to problems with Unitronics PLCs.
CNN reported late last week that CISA told Senate and House staffers on Thursday that “fewer than 10” water facilities in different parts of the United States have faced cyberattacks in recent days.
The hackers behind the Pennsylvania incident filled their social media with references to Iranian leaders and promised to attack any entity with products or ties to Israel, already touting attacks against 10 wastewater treatment plants in Israel.
On Friday, CISA worked with the FBI, the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) to publish a notice warning that the hackers, who call themselves CyberAv3ngers, are linked to the Iranian government’s Islamic Revolutionary Guard Corps (IRGC).
The group is “actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs),” the notice states.
The agencies said hackers affiliated with the IRGC have been compromising default credentials in Unitronics devices since at least November 22 and explicitly claim their motivation is to target anything associated with Israel, according to images of the defacement seen by the American authorities.
The types of Unitronics devices attacked are often exposed to the Internet due to the remote nature of their control and monitoring capabilities, they explained.
At least 539 Unitronics automaton instances (port 20256/tcp) still publicly exposed worldwide (analysis of 02/12/2023). Unitronics PLC instances have recently been targeted in attacks on water and wastewater systems. (see @CISACyber @EauISAC alert: https://t.co/OywIVYxo8o) pic.twitter.com/XgYrRZbfBm
– Shadow Server (@Shadowserver) December 3, 2023
“The trade-off is to degrade the controller’s user interface and may render the controller inoperable. With this type of access, deeper device and network level accesses are available and could have additional and deeper cyberphysical effects on processes and equipment,” they said.
While the American campaign began in November, the hackers have been active since at least September, claiming on their Telegram channel both legitimate and false attacks against Israeli machines in the water, energy, maritime transport and distribution sectors.
The Shadowserver Foundation, a cybersecurity nonprofit, said that through its research tool, it found at least 539 Unitronics controller instances still publicly exposed around the world.