Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare

CyberAv3ngers, an Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated group, claimed credit for a Nov. 25 cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania. The threat group hacked a system with Israeli-owned parts at one of the water authority’s booster stations. The booster station was able to shut down the impacted system, which monitors water pressure, and switch to manual operations.

This cyberattack is one example among many of how critical infrastructure entities are being targeted by nation state and hacktivist threat actors. What was the impact of this CyberAv3ngers hack, and how will threat actors continue to pursue cyberwarfare?

The CyberAv3ngers Attack

CyberAv3ngers hacked a system known as Unitronics. During the attack, the following message appeared on the screen at the booster station:  "You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is CyberAv3ngers Legal Target."

The Cybersecurity and Infrastructure and Security Agency (CISA) released a cybersecurity advisory on IRGC-affiliated actors’ exploitation of programmable logic controllers (PLCs) in multiple sectors. Unitronics PLCs are commonly used in water and wastewater systems, according to the advisory. PLCs operate with a human machine interface (HMI). “A human can walk over and touch a keypad and tell it what to do. Empty this tank or fill this tank or pump this water to this location. And those things can be controlled remotely,” Adam Meyers, senior vice president of counter adversary operations at cybersecurity technology company CrowdStrike, explains.

Related:Massive Okta Breach: What CISOs Should Know

Meyers expects that the threat actors were likely scanning for a particular type of hardware. They were likely able to compromise the PLCs at the water authority booster station because they were exposed to the internet and using a default password, according to the CISA advisory. The station was able to switch to a manual system, and the water supply was not impacted.

CrowdStrike has been tracking CyberAv3ngers since July 2020. The group has claimed a number of breaches of critical infrastructure organizations. Some claims are unverified and others false. For example, it falsely claimed the compromise of several critical infrastructure organizations in Israel. “They'll often make these claims just because it creates a news cycle. It creates panic,” says Meyers.

Meyers points to Stuxnet as a watershed event for Iranian cyber threat actors. Stuxnet is malware believed to be developed by US and Israeli intelligence services and deployed to compromise the industrial control systems of Iran’s nuclear material enrichment facility, according to the Council on Foreign Relations.

Related:CISA Rolls Out Program to Protect Critical Infrastructure From Ransomware

“They'd like to be able to do that to somebody else, and I think these types of attacks are demonstrative of the fact that they’re attempting to do it,” says Meyers.

Critical Infrastructure in the Crosshairs

CyberAv3ngers is just one among many nation-state backed groups that will continue to target critical infrastructure. These types of attacks incite fear, disrupt vital operations, and have the potential to cost lives.

Critical infrastructure entities must face risk of attack on both IT and operational technology (OT). The North Texas Municipal Water District was recently a victim of a ransomware attack, which impacted its phone and business computer systems. Critical infrastructure can work around compromised business systems, according to Christopher Warner, an industrial control systems (ICS)/OT expert with GuidePoint Security, a cybersecurity consulting services company. “If they came in the control side on the water district itself, they could shut it down,” he explains.

The cyberattack on Pennsylvania water authority did impact OT, but the booster station was able to shift to manual operations. That is not always possible for all critical infrastructure entities. Warner points out that electric grids may not be able to go into manual override.

Related:Security Questions to Ask After the ZeroedIn Breach

Approaching cybersecurity in critical infrastructure sectors presents unique challenges. Uptime is essential. For example, systems cannot be taken down to test patches. “You can't take down the water system or power grid. There just isn't downtime. So, they have to do maintenance on the fly,” says Warner. “And then if they’re hacked, they have to isolate that hack and still keep their systems running.”

More Cyberwarfare on the Horizon

Critical infrastructure attacks, like the one against the water authority in Pennsylvania, have occurred in the wake of the Israel-Hamas war. And geopolitical tension and turmoil expands beyond this conflict. Russia’s invasion of Ukraine has sparked cyberattacks. Chinese cyberattacks against government and industry in Taiwan have increased. “This is just going to be an ongoing part of operating digital systems and operating with the internet,” Dominique Shelton Leipzig, a partner and member of the cybersecurity and data privacy practice at global law firm Mayer Brown, tells InformationWeek.

While kinetic weapons are still very much a part of war, cyberattacks are another tool in the arsenal. Successful cyberattacks against critical infrastructure have the potential for widespread devastation. “The landscape of warfare is changing,” says Warner. And the weaponization of artificial intelligence is likely to increase the scale of cyberwarfare.

“We have the normal technology that we use for denial-of-service attacks, but imagine being able to do all of that on an even greater scale,” says Shelton Leipzig. “Not just one or two hospitals or one or two energy facilities, but just doing this for an entire region or the whole western part of the United States.”

With the risk of AI-amplified cyberattacks, cybersecurity is even more essential for critical infrastructure entities. While nation-state actors typically have sophisticated capabilities, they will eagerly take advantage of easily exploitable vulnerabilities, like the use of default passwords.

Basic cybersecurity protocols can go a long way to hardening a critical infrastructure entity’s security posture. “Change your passwords immediately, take an inventory of all your control systems, ensure your software is up to date,” says Warner.

In addition to cybersecurity hygiene, critical infrastructure entities can assess the risk of cyberattacks and develop comprehensive incident response plans. “National security needs to be folded in now just like any of the other risks that we would include in a tabletop exercise,” says Shelton Leipzig.