US Tries to Contain Hacking Campaign Targeting Water Systems

(Bloomberg) -- US authorities are working to contain a campaign by Iranian hackers against multiple drinking water and sewage systems around the country.

Most Read from Bloomberg

• Apps That Use AI to Undress Women in Photos Soaring in Use

• Carlyle’s Rubenstein Is in Talks to Acquire Baltimore Orioles

• Hunter Biden Indicted in Tax Case as White House Woes Mount

• The Record Rush to Buy a Rolex or a Patek Philippe Is Over

• Americans Rush to Portugal Ahead of Changes to Expat Tax Breaks

“We are aware of active targeting by these actors and exploitation,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, told reporters in a call on Monday. A “small number” of water utilities have been compromised, he said, and he urged operators to bolster security.

There has been no known impact on safe drinking water or operational systems, Goldstein said.

The Municipal Water Authority of Aliquippa, in western Pennsylvania, is among the utilities that was hacked and had to switch to manual systems, according to WaterISAC, an industry information-sharing body.

A group called the CyberAv3ngers, who are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps, has been targeting technology that runs physical systems, called programmable logic controllers, that are made by Unitronics, an Israeli company, according to US and Israeli government agencies. The devices are commonly used in water and wastewater systems, in addition to other industries including energy, food and beverage manufacturing and health care.

The US designated the IRGC as a terrorist organization in 2019.

In a joint cybersecurity advisory issued on Friday, US agencies including CISA, the FBI and the National Security Agency, as well as Israeli National Cyber Directorate, warned that the controllers could be breached if they are connected to the internet and because they often use default passwords issued by the manufacturer.

Unitronics didn’t immediately respond to a request for comment.

Paul Lukoskie, director of threat intelligence services at the cybersecurity firm Dragos, which is helping Unitronics customers shield themselves from the threat, told Bloomberg that ideally no products that run critical infrastructure systems would be on the public internet at all, but would instead be protected behind a “monster firewall.”

The CyberAv3ngers group has claimed responsibility for numerous attacks against critical infrastructure organizations since 2020 but is known for fabricating or exaggerating their impact, according to John Hultquist, chief analyst at Mandiant Intelligence, a cybersecurity unit at Google.

“Obviously you don’t want a group like this to have control or have access to any part of critical infrastructure,” he told Bloomberg, saying the group is less focused on physical impact than making a splash. “The purpose is to undermine our sense of security.”

In November, the hacking group posted on X, “Every equipment ‘Made In Israel’ Is Cyber Av3ngers Legal Target!”

Michael Hamilton, founder and chief information security officer at Critical Insight, a network security company, said the attackers aren’t sophisticated hackers but succeed due to security oversights by their victims.

The problem is also compounded because of the fragmented nature of the US water industry, which has about 165,000 drinking water and wastewater systems in total. Many lack basic cybersecurity protections, according to Hamilton.

--With assistance from Jamie Tarabay.

Most Read from Bloomberg Businessweek

• Salesforce Signals the Golden Age of Cushy Tech Jobs Is Over

• How the Biggest Boutique Fitness Company Turned Suburban Moms Into Bankrupt Franchisees

• Hottest Job in US Pays $80,000 a Year, No College Degree Needed

• At World Central Kitchen, José Andrés Is in the Middle of a Mess

• SpaceX’s Colossal Starship Sets Pace in Race to Build Larger Rockets

©2023 Bloomberg L.P.