Water Utilities in the Crosshairs of State-Sponsored Attacks
The St. Johns River Water Management District, a regulatory agency in Florida overseeing long-term drinking water supply, has fallen victim to a cyberattack. The incident, which occurred last week, has raised alarms as top U.S. cybersecurity agencies warn of nation-state attacks on water utilities.
The spokesperson for the water management district confirmed that they identified suspicious activity in their IT environment. While the agency does not directly control water utility technology, it works closely with utilities on various water supply issues. The district has implemented containment measures and is actively monitoring its IT networks to prevent ongoing malicious activity.
On Friday, a ransomware gang claimed responsibility for the attack, providing samples of stolen data. The extent of the data breach remains undisclosed. The St. Johns River Water Management District focuses on water conservation education, rule-setting for water use, research, data collection, water restoration, and the preservation of natural areas.
This incident follows recent warnings from U.S. officials about multiple cybersecurity incidents targeting companies involved in water treatment and distribution. The Cybersecurity and Infrastructure Security Agency (CISA) is responding to the active exploitation of Unitronics programmable logic controllers (PLCs) used widely in the water sector.
CISA linked its advisory to a notice from the Water Information Sharing and Analysis Center (WaterISAC) regarding an attack on a water utility in Pennsylvania reported on November 26. Another water utility serving 2 million people in North Texas is also grappling with a cybersecurity incident causing operational issues.
CISA, in collaboration with the FBI, NSA, EPA, and Israel National Cyber Directorate (INCD), issued an advisory identifying the hackers as “CyberAv3ngers” connected to the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The group is actively targeting and compromising Unitronics Vision Series PLCs, particularly those made in Israel.
The hackers, affiliated with the IRGC, have exploited default credentials on Unitronics devices since at least November 22. Their motivation is explicitly tied to targeting entities associated with Israel, with a particular focus on water treatment plants. The compromised devices, often exposed to the internet to support remote access, allow the attackers to deface the controller’s user interface and potentially render the PLC inoperative.
While U.S. authorities worked to address the issue, the hackers claim to have been active since at least September, carrying out both genuine attacks and false claims of attacks against Israeli PLCs in various sectors, including water, energy, shipping, and distribution.
The cybersecurity nonprofit Shadowserver Foundation reported at least 539 publicly exposed Unitronics PLC instances worldwide, emphasizing the critical need for enhanced cybersecurity measures in the water utilities sector. The situation is evolving, and authorities are urging heightened vigilance to protect critical infrastructure from these state-sponsored cyber threats. Stay tuned for updates as the investigation unfolds.