Multiple organizations in the United States, including a small water authority in western Pennsylvania, have fallen victim to a cyberattack carried out by Iranian-affiliated hackers targeting Israeli-made industrial control devices. The FBI, Environmental Protection Agency (EPA), Cybersecurity and Infrastructure Security Agency (CISA), and Israel's National Cyber Directorate have confirmed the breach and stated that the victims span across multiple U.S. states. The exact number of hacked organizations has not been disclosed.

The Municipal Water Authority of Aliquippa, which discovered the cyberattack on November 25, was informed by federal officials that the same group had also breached four other utilities and an aquarium. While there is no evidence linking Iranian involvement in the October 7 attack by Hamas on Israel, cybersecurity experts predicted that state-backed Iranian hackers and pro-Palestinian hacktivists would intensify cyberattacks against Israel and its allies following the conflict. Unfortunately, this prediction has come true.

The advisory issued by multiple agencies shed light on the cyberattack in Pennsylvania, revealing that industries beyond water and water-treatment facilities are potentially vulnerable due to their use of the same equipment - Vision Series programmable logic controllers manufactured by Unitronics. Sectors such as energy, food and beverage manufacturing, and healthcare may also be at risk. These controllers regulate critical processes involving pressure, temperature, and fluid flow.

In the Aliquippa hack, workers were forced to temporarily halt pumping in a remote station responsible for regulating water pressure in two nearby towns. Manual operation was initiated by the crews. The hackers left a digital calling card on the compromised device, stating that all Israeli-made equipment is a "legal target." The multiagency advisory has expressed concerns about whether the hackers attempted to penetrate deeper into the breached networks, as the access they obtained could enable more profound cyber-physical effects on processes and equipment.

The hackers, identifying themselves as "Cyber Av3ngers," are allegedly affiliated with Iran's Islamic Revolutionary Guards Corps, designated a foreign terrorist organization by the U.S. in 2019. They have been targeting Unitronics devices since at least November 22. A search conducted using the Shodan service identified over 200 internet-connected devices of the same type in the U.S. and over 1,700 globally. The advisory highlights the vulnerability of these devices due to their shipment with a default password. Experts discourage this practice, emphasizing the importance of creating a unique password immediately upon installation.

The lack of adequate cybersecurity measures in water utilities has been a concern raised by experts for some time. Following the Aliquippa hack, three congressmen from Pennsylvania sent a letter to the U.S. Justice Department, urging an investigation into the matter. U.S. Senators John Fetterman and Bob Casey, along with U.S. Representative Chris Deluzio, emphasized the need for Americans to be confident in the safety of their drinking water and other essential infrastructure against nation-state adversaries and terrorist organizations.

The Cyber Av3ngers claimed responsibility for hacking ten water treatment stations in Israel through a social media post on October 30. However, it remains unclear whether they managed to disrupt any equipment. Since the start of the Israel-Hamas conflict, the group has expanded its targeting of critical Israeli infrastructure, accelerating its cyberattacks, according to Sergey Shykevich from Check Point.

Unitronics, the manufacturer of the targeted devices, has not responded to queries regarding the hacks. The attack occurred less than a month after the EPA rescinded a rule that would have required cybersecurity testing in regular federally mandated audits for U.S. public water systems. This rollback was prompted by a federal appeals court decision resulting from a case brought by Missouri, Arkansas, and Iowa, with support from a water utility trade group. The Biden administration has been working to strengthen the cybersecurity of critical infrastructure, which is primarily privately owned, by imposing regulations on sectors such as electric utilities, gas pipelines, and nuclear facilities. However, experts argue that many essential industries still have the freedom to self-regulate, which raises concerns about their preparedness against cyber threats.