March 10, 2025

Cyber Av3ngers



Cyber Av3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) group of the Iranian government, has emerged as a significant threat to critical infrastructure, particularly operational technology (OT) assets. The group, which gained prominence alongside the Israel-Hamas conflict, focuses on exploiting weaknesses in internet-connected devices, with a particular emphasis on Unitronics Programmable Logic Controllers (PLCs). Their actions, driven by political motivations aligned with Iranian interests, pose a serious risk to critical infrastructure, especially in the United States and Israel. While exhibiting the characteristics of state-sponsored hacktivism, Cyber Av3ngers' operations highlight the growing exposure of interconnected industrial systems.

Origins & Evolution

Cyber Av3ngers first appeared on cybersecurity professionals’ radar in early September 2023, although some reports indicate activity dating back to 2020. The group's initial public presence coincided with the escalating Israel-Hamas conflict. They initially claimed responsibility for disruptions to Israeli railway networks and power grids, claims that were largely dismissed by security experts like Dragos Threat Intelligence as false or significantly exaggerated. However, a confirmed attack on a U.S. municipal water authority in November 2023, where a Unitronics PLC was compromised and defaced with anti-Israel commentary, solidified their status as a credible threat.

The group's affiliation with the Iranian IRGC is supported by multiple sources, including CISA, Secureworks, and the U.S. Department of the Treasury. In February 2024 the Treasury Department sanctioned six IRGC-CEC officials in connection with Cyber Av3ngers: Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian. The U.S. government, through the Rewards for Justice program, is offering up to $10 million for information leading to the identification or location of individuals involved in Cyber Av3ngers' activities.

The group reportedly has links to another IRGC-connected group called Soldiers of Solomon. While their tactics resemble those of a state-sponsored hacktivist movement, the IRGC affiliation suggests a level of organization and resources beyond typical hacktivist groups. Cyber Av3ngers had a verified account on X (formerly Twitter), which they used to amplify their claims and propaganda, a tactic more common among hacktivists than highly covert APTs.

Threat Actor Card for Cyber Av3ngers

Name: Cyber Av3ngers
Aliases: Soldiers of Solomon (suspected link)
Affiliation: Suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)
Motivation: Politically motivated, anti-Israel, "Down with Israel"
Targets: Primarily critical infrastructure (Water and Wastewater Systems) and Israeli-made technology. Other impacted sectors include energy, food & beverage, manufacturing, transportation, and healthcare.
TTPs: Exploiting default passwords or missing passwords on internet-facing PLCs, using default ports, defacement, potential data exfiltration, and disruption of PLC functions. Potential association with "Crucio" ransomware.
First Seen: Claims dating back to 2020; gained public attention in July 2023 and wider attention during the recent Israel-Hamas conflict.
Notable Attacks: Claimed attacks on Israeli railways (2023); confirmed attack on a US water facility (Nov 2023); attacks on other water facilities, a brewery, and an aquarium.

Tactics & Techniques

Cyber Av3ngers' modus operandi centers on exploiting vulnerabilities in internet-connected OT devices, particularly Unitronics PLCs. Their primary attack vector relies on surprisingly basic techniques:

  1. Scanning and Identification: The group scans the internet (likely using tools like Shodan) to identify publicly accessible Unitronics PLCs. These devices are often exposed due to misconfiguration or a lack of awareness of the security risks.

  2. Default Credential Exploitation: A key tactic is attempting to log in using default credentials, which are readily available in online Unitronics manuals (e.g., the default password "1111"). This highlights a fundamental security weakness in many OT deployments.

  3. Port Exploitation: The attackers target the default TCP port (20256) often used by Unitronics devices.

  4. Defacement: Once access is gained, Cyber Av3ngers typically alters the PLC's menu page or HMI screen, displaying anti-Israel messages and claiming responsibility for the attack. This defacement serves both a propaganda purpose and disrupts operations.

  5. Ladder Logic Manipulation: The group has developed custom ladder logic files to download to each of the Unitronics device types it targets. They erase the original ladder logic files and upload their own (with no inputs or outputs). They also rename compromised devices, set the software version of their ladder logic files to older versions, disable upload and download functions, enable password protection for upload settings, and change the default port number for remote communication.

  6. Potential Further Access: While defacement is the most visible outcome, CISA warns that gaining access to the PLC provides a potential pathway for deeper access into the compromised network, potentially leading to more severe cyber-physical effects. The importance of security logging and monitoring cannot be overstated.

  7. Possible Ransomware Connection: Some reports suggest a possible association with "Crucio" ransomware, although these claims are unverified and considered questionable by some security researchers.

Cyber Av3ngers uses open-source tools for scanning, discovery, and exploitation. Their attacks have been mapped to MITRE ATT&CK TTPs, including:

  • [T1110] Brute Force

  • [T1078.001] Valid Accounts: Default Accounts

  • [T1565.001] Data Manipulation: Stored Data Manipulation

  • [T1531] Account Access Removal

  • [T1499] Endpoint Denial of Service

  • [T1491.001] Internal Defacement
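The scanning, default-port and default-credential pattern described above leaves a recognisable trace in firewall and PLC authentication logs. The following detection logic is an added example, not code from the original article or from any vendor: it reads a constructed key=value log format (the field names src, dst, dport, action and auth are assumptions for this example, not a product schema), flags any connection to the PLC port from a source outside an allowlist, counts authentication failures per source within a time window (T1110), and raises a separate alert when a login succeeds right after a run of failures, the signature of a guessed or default credential (T1078.001).

```python
"""Detecting the PLC access pattern above in firewall and PLC auth logs.

Added example (not from the original article or from any vendor). The log
format is a constructed key=value layout; field names such as src, dst,
dport, action and auth are assumptions for this example, not a product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Default Unitronics TCP port named in the article.
UNITRONICS_DEFAULT_PORT = 20256

# Constructed allowlist: an engineering workstation subnet and one jump host.
ALLOWED_SOURCES = [ip_network("10.20.0.0/24"), ip_network("10.0.0.5/32")]

# Constructed sample log: one legitimate engineer and one outside address that
# reaches the PLC port, fails to authenticate five times, then succeeds.
SAMPLE_LOG = """\
2023-11-25T14:02:11Z fw action=allow src=10.20.0.17 dst=10.30.1.10 dport=20256 proto=tcp
2023-11-25T14:05:40Z fw action=allow src=203.0.113.45 dst=10.30.1.10 dport=20256 proto=tcp
2023-11-25T14:05:41Z plc auth=fail src=203.0.113.45 dst=10.30.1.10 user=admin
2023-11-25T14:05:42Z plc auth=fail src=203.0.113.45 dst=10.30.1.10 user=admin
2023-11-25T14:05:43Z plc auth=fail src=203.0.113.45 dst=10.30.1.10 user=admin
2023-11-25T14:05:44Z plc auth=fail src=203.0.113.45 dst=10.30.1.10 user=admin
2023-11-25T14:05:45Z plc auth=fail src=203.0.113.45 dst=10.30.1.10 user=admin
2023-11-25T14:05:46Z plc auth=ok src=203.0.113.45 dst=10.30.1.10 user=admin
2023-11-25T14:09:02Z fw action=allow src=10.20.0.17 dst=10.30.1.10 dport=20256 proto=tcp
"""


def parse_line(line):
    """Split '<timestamp> <logger> k=v k=v ...' into a dict."""
    ts, logger, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "logger": logger}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_allowed(src):
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def detect(log_text, plc_port=UNITRONICS_DEFAULT_PORT, fail_threshold=5,
           window=timedelta(minutes=1)):
    """Return alerts as (timestamp, label, source IP, description)."""
    alerts = []
    failures = defaultdict(list)  # (src, dst) -> timestamps of recent auth failures
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev.get("src"), ev.get("dst"))
        # Rule 1: PLC port reached from a source outside the allowlist.
        if ev.get("dport") == str(plc_port) and not is_allowed(ev["src"]):
            alerts.append((ev["ts"], "exposure", ev["src"],
                           f"non-allowlisted source connected to PLC port {plc_port}"))
        # Rule 2: repeated authentication failures inside the window (T1110).
        if ev.get("auth") == "fail":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) == fail_threshold:
                alerts.append((ev["ts"], "T1110", ev["src"],
                               f"{fail_threshold} PLC auth failures within {window}"))
        # Rule 3: success right after failures points at a guessed or default credential (T1078.001).
        if ev.get("auth") == "ok" and failures.get(key):
            alerts.append((ev["ts"], "T1078.001", ev["src"],
                           "login succeeded after repeated failures"))
    return alerts


if __name__ == "__main__":
    for ts, label, src, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {label:<10} {src:<15} {detail}")
```

Rule 1 is the cheapest and most valuable of the three: a PLC that is only ever reached from the engineering subnet should never see a packet on its management port from anywhere else, so the alert has almost no benign explanation. Passing a non-default plc_port shows how the "change the default port" recommendation interacts with the rule: the detection keys on whatever port the PLC actually listens on, not on 20256 alone.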

Targets or Victimology

Cyber Av3ngers' primary motivation is clearly political, driven by an anti-Israel agenda. This is evident in their defacement messages and target selection. Their attacks are not necessarily focused on specific sectors, but rather on organizations utilizing Israeli-made technology, particularly Unitronics PLCs. However, the widespread use of Unitronics PLCs across various critical infrastructure sectors creates a broad target profile:

  • Water and Wastewater Systems (WWS): This sector has been a primary focus, with confirmed attacks on multiple U.S. water facilities. The potential impact on public health and safety makes this a particularly concerning target.

  • Energy: Unitronics devices are used in various energy sector applications, making this another potential target.

  • Food & Beverage: The attack on a brewery in Pittsburgh demonstrates the group's willingness to target industries beyond traditional critical infrastructure.

  • Manufacturing: PLCs are fundamental to many manufacturing processes, making this sector vulnerable.

  • Building Automation: Unitronics provides solutions for building automation, expanding the potential target surface.

  • Healthcare: Unitronics products are also found in healthcare.

  • Geographic Scope: While initially focused on Israel, their attacks have expanded to include the United States and potentially other countries.

The impact of these attacks ranges from operational disruption (as seen in the water authority and brewery incidents) to potential risks to public safety and national security. The focus on critical infrastructure highlights the potential for significant consequences. Understanding the MITRE ATT&CK framework is crucial for defense.

Attack Campaigns

Several notable attack campaigns have been attributed to Cyber Av3ngers:

  1. Israeli Railway Systems (July 2023): The group claimed to have disrupted operations at 28 Israeli railway stations by targeting 150 servers. These claims are disputed.

  2. U.S. Municipal Water Authority (November 2023): This confirmed attack involved the compromise of a Unitronics PLC at a water pumping station in Aliquippa, Pennsylvania. The attackers defaced the HMI and disrupted operations, forcing the authority to switch to manual control.

  3. Multiple U.S. WWS Facilities (November 2023 - January 2024): CISA reported that Cyber Av3ngers targeted U.S.-based Unitronics PLC devices used in multiple critical infrastructure industries, including the WWS Sector, likely in four separate waves of cyberattacks. The actors compromised at least 75 devices, including at least 34 in the WWS Sector in the United States.

  4. Other U.S. Targets: Besides the water authority, other confirmed targets include a brewery in Pittsburgh and an aquarium.

  5. Claimed Attacks on Israeli Water Treatment Stations: The group claimed in October 2023 to have infiltrated 10 water treatment stations in Israel. These claims have been questioned.

  6. Targeting in the UK: The group has also been observed targeting PLCs in the United Kingdom.

  7. Ransomware association: There's a possible, albeit unverified, connection with the "Crucio" ransomware.

Defenses

Defending against Cyber Av3ngers and similar threats requires a multi-layered approach focusing on both basic security hygiene and more advanced OT security practices. The following recommendations combine guidance from CISA, Dragos, and general best practices:

Specific to Unitronics PLCs:

  1. Change Default Passwords Immediately: This is the most critical and easily implemented step. Validate that the default password "1111" (or any other default) is not in use.

  2. Implement Multi-Factor Authentication (MFA): Require MFA for all remote access to the OT network, including access to PLCs.

  3. Isolate PLCs from the Public Internet: Disconnect PLCs from the open internet whenever possible. If remote access is necessary, use a secure VPN and firewall to restrict access.

  4. Regular Backups: Back up PLC logic and configurations regularly to enable quick recovery in case of an attack. Implement the 3-2-1 backup strategy (3 copies of data, 2 different media, 1 offsite).

  5. Change Default Port: Change the default TCP port (20256) used by Unitronics devices, if the device allows.

  6. Update Firmware: Keep PLC and HMI firmware updated to the latest version to patch known vulnerabilities. Upgrade VisiLogic to a version that mandates changing the default password.

  7. IP Allowlisting: Configure the PLC to accept connections only from authorized IP addresses.

  8. Physical Security: Many PLCs have a physical key switch for locking and unlocking the controller.
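The Unitronics-specific checklist above can be turned into a repeatable audit rather than a one-off review. The script below is an added example, not code from the article, CISA or Unitronics: it evaluates an inventory of PLC records against each item (default password, MFA on remote access, internet exposure without VPN, backup age, default port, IP allowlist, physical key position). The record layout and the policy thresholds are assumptions made for this example, and the two inventory entries are constructed, one left as the group would find it and one hardened.

```python
"""Hardening audit of a PLC inventory against the checklist above.

Added example (not from the article, CISA or Unitronics). The inventory
record layout (name, password, port, internet_exposed, remote_access,
remote_mfa, allowlist, physical_key_locked, last_backup_days) is an
assumption made for this example; the thresholds are a constructed local policy.
"""
from dataclasses import dataclass

DEFAULT_PASSWORD = "1111"   # vendor default cited in the article
DEFAULT_PORT = 20256        # default TCP port cited in the article
MIN_PASSWORD_LENGTH = 8     # assumed local policy
MAX_BACKUP_AGE_DAYS = 30    # assumed local policy

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str
    check: str
    detail: str


def audit_device(dev):
    """Return the list of findings for one inventory record."""
    name = dev["name"]
    findings = []
    password = dev.get("password") or ""
    if password in ("", DEFAULT_PASSWORD):
        findings.append(Finding(name, "critical", "default-password",
                                "password is empty or the vendor default"))
    elif len(password) < MIN_PASSWORD_LENGTH or password.isdigit():
        findings.append(Finding(name, "high", "weak-password",
                                "password is short or purely numeric"))
    if dev.get("internet_exposed"):
        if dev.get("remote_access") != "vpn":
            findings.append(Finding(name, "critical", "internet-exposed",
                                    "PLC reachable from the internet without a VPN"))
        if not dev.get("remote_mfa"):
            findings.append(Finding(name, "high", "no-mfa",
                                    "remote access to the PLC lacks MFA"))
    if not dev.get("allowlist"):
        findings.append(Finding(name, "high", "no-allowlist",
                                "no source IP allowlist configured"))
    if dev.get("port") == DEFAULT_PORT:
        findings.append(Finding(name, "medium", "default-port",
                                f"still listening on default port {DEFAULT_PORT}"))
    age = dev.get("last_backup_days")
    if age is None or age > MAX_BACKUP_AGE_DAYS:
        findings.append(Finding(name, "medium", "stale-backup",
                                "no recent backup of ladder logic and configuration"))
    if not dev.get("physical_key_locked"):
        findings.append(Finding(name, "medium", "physical-key",
                                "physical key switch not in the locked position"))
    return findings


def audit_inventory(inventory):
    """Audit every record and flatten the findings into one list."""
    return [f for dev in inventory for f in audit_device(dev)]


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 2, 'medium': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def worst(findings):
    """Highest severity present, or None when the inventory is clean."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)


# Constructed inventory: one device as Cyber Av3ngers would find it, one hardened.
SAMPLE_INVENTORY = [
    {"name": "pump-station-1", "password": "1111", "port": 20256,
     "internet_exposed": True, "remote_access": "direct", "remote_mfa": False,
     "allowlist": [], "physical_key_locked": False, "last_backup_days": None},
    {"name": "filter-plant-2", "password": "Wq9!tz2m-Lk", "port": 30256,
     "internet_exposed": False, "remote_access": "vpn", "remote_mfa": True,
     "allowlist": ["10.20.0.0/24"], "physical_key_locked": True, "last_backup_days": 7},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{f.severity:<8}] {f.device:<16} {f.check:<17} {f.detail}")
```

The severity ordering reflects the article's own priorities: a default password on an internet-exposed controller is exactly the combination exploited in the Aliquippa incident, so those two checks are rated critical, while the default port and key switch are rated medium because they only raise the cost of an attack rather than prevent it.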

General OT Security Best Practices:

  1. Network Segmentation: Implement strong network segmentation between the IT and OT networks to limit the impact of a potential breach.

  2. Vulnerability Management: Regularly scan for and patch vulnerabilities in OT systems. Have a vulnerability management plan.

  3. Intrusion Detection and Monitoring: Implement OT-specific intrusion detection systems (IDS) and monitor network traffic for anomalous activity.

  4. Incident Response Plan: Develop and regularly test an OT-specific incident response plan.

  5. Security Awareness Training: Train personnel on the risks of phishing and social engineering, and the importance of strong passwords.

  6. Secure Remote Access: Implement secure remote access solutions with MFA and strong access controls.

  7. Vendor Security: Assess the security practices of OT vendors and ensure they are following secure development practices. Supply chain attacks are a significant threat.

  8. Security Control Testing: Continuously test security controls using a framework such as MITRE ATT&CK.

  9. Supply Chain Security: Monitor vendors and suppliers for incidents and vulnerabilities.

Conclusion

Cyber Av3ngers, despite relying on relatively unsophisticated techniques such as exploiting default passwords, represents a significant threat because of its targeting of critical infrastructure and its affiliation with the Iranian IRGC. The group's actions, while primarily focused on defacement and disruption, highlight the vulnerability of interconnected OT systems and the potential for more severe consequences. The attacks serve as a wake-up call for organizations operating critical infrastructure to prioritize basic security hygiene, implement robust OT security practices, and remain vigilant against evolving cyber threats. The ongoing geopolitical tensions and the potential for escalation underscore the importance of proactive cybersecurity measures to protect essential services and national security. Staying current with threat intelligence on groups like this one is part of that posture.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
