Critical Infrastructure Security
Cyberattack on Aliquippa Water Plant Highlights Vulnerabilities in OT Systems
The onset of war between Israel and Hamas led to a spike in cyberattacks against operational technology, says Microsoft in a warning to critical infrastructure operators about the dangers of internet-exposed operational technology.
Combatants in that conflict are fighting with conventional weapons, but regional actors have launched proxy cyberattacks, many of them traceable to Iran (see: Hamas Isn’t Fighting a Cyberwar).
Systems recently targeted by hackers include OT equipment deployed across different sectors in Israel, including PLCs and HMIs manufactured by large international vendors as well as Israeli-sourced OT equipment deployed in other countries.
To date, the most high-profile example is the Islamic Revolutionary Guard Corps-affiliated group CyberAv3ngers’ November hack against pressure-monitoring equipment used by the Aliquippa water plant in Pennsylvania. Attackers hacked a programmable logic controller made by Israeli manufacturer Unitronics and defaced its interface with an anti-Israeli message. The attack had no effect on water service or quality, although local media reported that water pressure in two townships briefly dropped (see: Internet-Exposed Water PLCs Are Easy Targets for Iran).
Posts on social media around the same time showed other Unitronics PLCs displaying the same anti-Israeli “you have been hacked” message.
“Attackers can, and do, obtain visibility on OT devices that are open to the internet using search engines, identify vulnerable models and open communication ports, and then use the contextual metadata to identify devices that are of special interest, such as ICS systems in water plants or other critical facilities,” Microsoft Threat Intelligence said Thursday in a blog post.
Microsoft’s research into the Aliquippa attack revealed a common methodology: hackers look for internet-exposed, poorly secured OT devices. Microsoft's researchers used internet scanning tools to identify the specific machine that matched the victim’s profile. That machine was exposed to the internet with a dedicated control port open, which allowed the attackers to reprogram the device and deface its display.
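As an added illustration, not taken from the article or from Microsoft's post, the following Python check shows how a defender can spot the exposure described above from the plant's own firewall logs: it flags accepted inbound connections to PLC programming ports that come from outside the engineering network. The log format, the internal address ranges and the port list are assumptions; 20256 is assumed as the Unitronics PCOM default, which the article does not name.

```python
import ipaddress
import re
from typing import Dict, List

# PLC/HMI programming ports that must never be reachable from outside the plant.
# 20256 is assumed here as the Unitronics PCOM default; the article does not
# name the port. 502 is Modbus/TCP. Extend for the equipment you actually run.
OT_CONTROL_PORTS = {20256: "unitronics-pcom", 502: "modbus-tcp"}

# Assumed engineering/OT address space; any other source is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                 ipaddress.ip_network("10.50.0.0/16")]

# Constructed firewall log lines (not from the article or any real plant).
SAMPLE_LOG = """\
2023-11-25T10:02:11Z fw01 action=accept dir=in src=203.0.113.45 dst=192.168.10.20 dport=20256 proto=tcp
2023-11-25T10:02:15Z fw01 action=accept dir=in src=192.168.10.5 dst=192.168.10.20 dport=20256 proto=tcp
2023-11-25T10:03:40Z fw01 action=accept dir=in src=198.51.100.7 dst=192.168.10.21 dport=502 proto=tcp
2023-11-25T10:04:01Z fw01 action=drop dir=in src=198.51.100.7 dst=192.168.10.20 dport=20256 proto=tcp
2023-11-25T10:05:22Z fw01 action=accept dir=in src=203.0.113.45 dst=192.168.10.30 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) dir=(?P<dir>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)

def exposed_ot_sessions(log_text: str) -> List[Dict[str, object]]:
    """Return accepted inbound sessions from external sources to OT control ports,
    each with the timestamp, source, target and protocol an analyst needs to alert."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of failing
        port = int(m["dport"])
        if m["action"] != "accept" or m["dir"] != "in" or port not in OT_CONTROL_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if is_internal(src):
            continue  # engineering-workstation traffic, not internet exposure
        findings.append({"ts": m["ts"], "src": str(src), "dst": m["dst"],
                         "port": port, "protocol": OT_CONTROL_PORTS[port]})
    return findings
```

On the constructed sample, only the two external sessions to ports 20256 and 502 are reported; the internal engineering connection, the dropped attempt and the HTTPS session are not.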
In response to this attack, the U.S. Department of the Treasury sanctioned officials in the Iranian Cyber-Electronic Command.
The trend continued into 2024 with pro-Russian hacktivists launching similar attacks on water sector OT systems in the U.S. In May, the U.S. Cybersecurity and Infrastructure Security Agency published an advisory warning about the recurring vulnerabilities in these systems.