
Who Are the CyberAv3ngers?
CyberAv3ngers is an Iran-based nation-state Advanced Persistent Threat (APT) group that US agencies assess to be operated or controlled by the Islamic Revolutionary Guard Corps (IRGC), Iran's principal military and intelligence organization. Its tools, techniques, and infrastructure have evolved considerably over the past two years, and its objectives have shifted away from traditional espionage toward disruption and sabotage.
Notable Cyberattacks
1. Unitronics PLC Exploit Campaign
CyberAv3ngers began targeting a specific class of device in late 2023: Unitronics programmable logic controllers (PLCs). These devices automate processes across a broad range of industrial environments, from water treatment facilities to power systems.
What they did: They logged in to internet-exposed Unitronics PLCs that were still using the factory default password. Once in, they could halt the controlled process and replace the device's display with politically motivated messages such as "You have been hacked, down with Israel."
Scale of the attack: Dozens of devices worldwide were hit, among them controllers supporting critical civilian services such as water utilities.
Real-world impact: The financial damage is hard to quantify, but affected organizations absorbed downtime, emergency response measures, and costly system rebuilds. Smaller municipalities were hit particularly hard, since they are the least likely to have mature cyber defenses in place.
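The two conditions this campaign relied on, a PLC still using its factory password and a PLC whose management port is reachable from outside the plant network, are both auditable from an asset inventory and firewall logs. The following is an added example, not tooling from this article, from Unitronics, or from any agency. The default password "1111" and the default PCOM TCP port 20256 are taken from CISA advisory AA23-335A on this campaign; the PLC inventory, the firewall log format, and every address and timestamp are constructed for illustration.

```python
"""Exposure check for Unitronics PLCs of the kind hit in the campaign above.

Added example, not code from the article or from Unitronics. It audits a
constructed PLC inventory for factory default credentials and default/exposed
PCOM ports, and scans constructed firewall log lines for connections to those
ports from outside the internal network. Default password and port values come
from CISA advisory AA23-335A; everything else here is made up for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

UNITRONICS_DEFAULT_PASSWORD = "1111"   # factory default (CISA AA23-335A)
UNITRONICS_DEFAULT_PORT = 20256        # default PCOM/TCP port (CISA AA23-335A)

# RFC 1918 plus loopback and link-local; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

@dataclass
class Plc:
    name: str
    address: str    # address the PLC's PCOM service listens on
    port: int
    password: str

def audit_inventory(plcs):
    """Return (plc name, issue) pairs for every hardening gap found."""
    findings = []
    for plc in plcs:
        if plc.password == UNITRONICS_DEFAULT_PASSWORD:
            findings.append((plc.name, "factory default password still set"))
        if plc.port == UNITRONICS_DEFAULT_PORT:
            findings.append((plc.name, "PCOM still on default port 20256"))
        if not is_internal(plc.address):
            findings.append((plc.name, "PLC address is outside private ranges"))
    return findings

# Hypothetical firewall log format used by the constructed sample below:
#   <ISO timestamp> <ACCEPT|DROP> src=<ip>:<port> dst=<ip>:<port> proto=TCP
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=TCP$"
)

def external_plc_connections(log_lines, plcs):
    """Return (timestamp, source ip, plc name) for each accepted connection to a
    known PLC's PCOM port from an address outside the internal ranges."""
    by_endpoint = {(p.address, p.port): p.name for p in plcs}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue
        name = by_endpoint.get((m["dst"], int(m["dport"])))
        if name is not None and not is_internal(m["src"]):
            hits.append((m["ts"], m["src"], name))
    return hits

# Constructed sample inventory (documentation-range addresses stand in for public ones).
SAMPLE_PLCS = [
    Plc("booster-station-1", "203.0.113.10", 20256, "1111"),   # exposed, default creds
    Plc("clarifier-2", "10.20.0.15", 20256, "1111"),           # internal, default creds
    Plc("chlorination-3", "10.20.0.16", 48210, "R7!kx2Qw"),    # non-default port and password
]

# Constructed sample firewall lines in the hypothetical format above.
SAMPLE_LOG = [
    "2023-12-01T10:14:02Z ACCEPT src=198.51.100.77:51234 dst=203.0.113.10:20256 proto=TCP",
    "2023-12-01T10:14:05Z ACCEPT src=10.20.0.5:40001 dst=10.20.0.15:20256 proto=TCP",
    "2023-12-01T10:15:11Z DROP src=198.51.100.77:51235 dst=10.20.0.15:20256 proto=TCP",
    "2023-12-01T10:16:40Z ACCEPT src=192.0.2.9:60000 dst=203.0.113.10:20256 proto=TCP",
]

if __name__ == "__main__":
    for name, issue in audit_inventory(SAMPLE_PLCS):
        print(f"[inventory] {name}: {issue}")
    for ts, src, name in external_plc_connections(SAMPLE_LOG, SAMPLE_PLCS):
        print(f"[firewall] {ts} {src} reached {name} on its PCOM port")
```

The inventory check reproduces the three remediations the advisory asked operators to make (change the default password, move PCOM off port 20256, and take the controller off the public internet); the log check is the detection side, and it deliberately ignores dropped connections so that only successful external reachability is reported. Python's built-in `is_global` is not used because it classifies the documentation ranges used in the sample as non-global, which would hide the very exposure the example is meant to show.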
2. Intrusion at the Municipal Water Authority of Aliquippa (Pennsylvania, November 2023)
One of the least expected incidents occurred in western Pennsylvania, where a water utility was attacked.
What happened: The attackers compromised a Unitronics PLC that monitored and regulated pressure at a water booster station.
Impact on operations: Water quality and supply were never at risk, but the compromised system had to be taken offline. Staff ran the station manually while the controller was re-validated and re-secured.
Fallout: The incident brought unplanned costs and additional scrutiny from federal regulators. It was a wake-up call not only for Aliquippa but for similar facilities across the country that could be exposed in the same way.
3. Concurrent Strikes on Israeli Targets
CyberAv3ngers have openly declared Israeli systems to be targets, in line with current geopolitical tensions and with the stated aim of undermining public morale.
Primary targets: Israel's railway system, water infrastructure, and logistics and supply chain companies.
Tactics deployed: In some cases the attackers attempted to breach water treatment control systems, which could have had serious public health consequences had they succeeded. They also disrupted train operations by attacking industrial control networks, causing transit service disruptions and triggering emergency safety protocols. Beyond these short-term effects, the incidents drove Israel to invest heavily in its overall cyber security posture, and several agencies revamped their incident response processes as a result.
What Happened?
In recent weeks, the group launched a wave of synchronized cyberattacks against:
– Water treatment plants: Malware interfered with automated processes, forcing municipal water supplies to be shut down or throttled.
– Oil & gas pipelines: Vulnerabilities in monitoring systems were exploited to gain unauthorized access to internal control panels.
– Private utility operators: Phishing and supply chain attacks were used to breach contractor networks.
The malware was built to bring down or hijack control systems, disrupting physical rather than purely digital operations.
Why This Assault Matters
The targets and character of these attacks make them particularly dangerous:
- Operational disruption: Unlike ransomware, which seeks payment, these attacks aim to disrupt essential physical systems such as water pressure controls and gas flow valves.
- Hard to detect: The malware lives inside industrial environments, where conventional endpoint protection is often absent or cannot see it.
- National impact: One weak link in a water or power facility can ripple across a city or even an entire state.
Response and cost: Affected operators had to shut down and restart their control systems, absorbing emergency repair costs and reputational damage, and federal agencies stepped up their cybersecurity efforts in response.
How the US Responded
The attacks drew immediate reactions:
CISA (Cybersecurity and Infrastructure Security Agency): Published an advisory and distributed indicators of compromise (IoCs) to utility operators.
DHS (Department of Homeland Security): Disseminated threat intelligence to private sector operators.
Local officials: Temporarily shut down some water pumps and switched affected operations to manual control.
CyberAv3ngers is only one facet of a much broader trend: cyber warfare against physical infrastructure. As geopolitical tensions with Iran and other nation-state actors rise, so will the frequency and sophistication of such attacks.