Tag Archive for: U.S.

IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities

/in


SUMMARY

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as “the authoring agencies”—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.

The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.

Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

This advisory provides observed IOCs and TTPs the authoring agencies assess are likely associated with this IRGC-affiliated APT. For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.

For a PDF version of this CSA, see: 

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See Table 1 for threat actor activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.[1],[2],[3],[4],[5] The group claimed responsibility for cyberattacks in Israel beginning in 2020. CyberAv3ngers falsely claimed they compromised several critical infrastructure organizations in Israel.[2] CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon.

Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs.[1] The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256.

These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.

Threat Actor Activity

The authoring agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel. Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics’ default password. Observed activity includes the following:

  • Between September 13 and October 30, 2023, the CyberAv3ngers Telegram channel displayed both legitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.
  • On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, majority of these claims were proven false. The group claimed to use a ransomware named “Crucio” against servers where the webcams camera software operated on port 7001.
  • Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.”

INDICATORS OF COMPROMISE

See Table 1 for observed IOCs related to CyberAv3nger operations.

Table 1: CyberAv3nger IOCs

Indicator

Type

Fidelity

Description

BA284A4B508A7ABD8070A427386E93E0

MD5

Suspected

MD5 hash associated with Crucio Ransomware

66AE21571FAEE1E258549078144325DC9DD60303

 

SHA1

Suspected

SHA1 hash associated with Crucio Ransomware

440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3

 

SHA256

 

Suspected

SHA256 hash associated with Crucio Ransomware

 

178.162.227[.]180

IP address

 

 

185.162.235[.]206

IP address

 

 

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 2 for referenced threat actor tactics and techniques in this advisory.

Table 2: Initial Access

Technique Title

ID

Use

Brute Force Techniques

T1110

Threat actors obtained login credentials, which they used to successfully log into Unitronics devices and provide root-level access.

MITIGATIONS

The authoring agencies recommend critical infrastructure organizations, including WWS sector facilities, implement the following mitigations to improve your organization’s cybersecurity posture to defend against CyberAv3ngers activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Note: The below mitigations are based on threat actor activity against Unitronics PLCs but apply to all internet-facing PLCs.

Network Defenders

The cyber threat actors likely accessed the affected devices—Unitronics Vision Series PLCs with HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. To safeguard against this threat, the authoring agencies urge organizations to consider the following:

Immediate steps to prevent attack:

  • Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use.
  • Disconnect the PLC from the public-facing internet.

Follow-on steps to strengthen your security posture:

  • Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.
  • If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
  • Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity.
  • Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer.
  • Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.

In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by cyber threat actors:

  • Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. CISA Cyber Hygiene services can help provide additional review of organizations’ internet-accessible assets. Email [email protected] with the subject line, “Requesting Cyber Hygiene Services” to get started.

Device Manufacturers

Although critical infrastructure organizations using Unitronics (including rebranded Unitronics) PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of the security outcomes of their customers by following the principles in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, primarily:

  • Do not charge extra for basic security features needed to operate the product securely.
  • Support multifactor authentication, including via phishing-resistant methods.

By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.

For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 2).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

All organizations should report suspicious or criminal activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact [email protected].

Additionally, the WaterISAC encourages members to share information by emailing [email protected], calling 866-H2O-ISAC, or using the online incident reporting form. State, local, tribal, and territorial governments should report incidents to the MS-ISAC ([email protected] or 866-787-4722).

REFERENCES

  1. CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
  2. Industrial Cyber: Digital Battlegrounds – Evolving Hybrid Kinetic Warfare
  3. Bleeping Computer: Israel’s Largest Oil Refinery Website Offline After DDoS Attack
  4. Dark Reading: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers
  5. X: @CyberAveng3rs

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

VERSION HISTORY

December 1, 2023: Initial version.

Source…

AUKUS Defense Ministers Meeting Joint Statement > U.S. Department of Defense > Release

/in


Secretary of Defense Lloyd J. Austin III hosted the Honourable Richard Marles MP, Deputy Prime Minister and Minister for Defence, Australia, and the Right Honourable Grant Shapps, Secretary of State for Defence, United Kingdom, at the Defense Innovation Unit Headquarters in California today to discuss the AUKUS enhanced defense and security partnership.

For more than a century, the three nations have stood shoulder-to-shoulder, along with other allies and partners, to help sustain peace, stability and prosperity around the world. The Secretaries and Deputy Prime Minister acknowledged that, in the face of an evolving security environment, AUKUS presents a generational opportunity to modernize and enhance longstanding partnerships and cooperation to address global security challenges and contribute to stability and prosperity in the Indo-Pacific region and beyond. The Secretaries and Deputy Prime Minister reaffirmed that at the core of this partnership is the shared resolve to bolster security and stability and ensure that the Indo-Pacific remains a region free from coercion and aggression.

For Australia’s acquisition of conventionally armed, nuclear-powered submarines (Pillar I), AUKUS partners are collaborating to deliver this capability at the earliest possible date while upholding the highest nuclear non-proliferation standard. For Advanced Capabilities (Pillar II), AUKUS partners are substantially deepening cooperation on a range of security and defense capabilities, making sure that each nation has the capabilities needed to defend against rapidly evolving threats. Through these efforts, AUKUS contributes to integrated deterrence by pursuing layered and asymmetric capabilities that promote increased security and stability.

The Secretaries and Deputy Prime Minister reaffirmed the three nations’ commitment to maximize the strategic and technological advantage of AUKUS by combining national strengths and pooling resources to deliver game-changing capabilities. They agreed that advancing AUKUS requires continued commitment to streamlining defense trade controls and information-sharing while minimizing policy and financial barriers across public and private…

Source…

How the White House’s AI Executive Order could increase U.S. cyber vulnerabilities

/in


On October 30, the White House released its “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” It is a lengthy document, spanning over 30 pages in the Federal Register. But two short portions of the Executive Order (EO) are of particular concern in terms of the cybersecurity vulnerabilities they will create: Under the EO, the government will institute mandatory reporting of information about the “physical and cybersecurity measures taken to protect” model weights associated with certain large AI models, as well as the location and computing power of “large-scale computing cluster[s].”

Reporting requirements

The EO instructs the Department of Commerce to require this reporting within 90 days of the date of the EO. It also instructs the Department of Commerce to develop criteria for what constitutes reportable AI models and computing clusters and provides the following interim criteria:

  • Reportable AI model: “any model that was trained using a quantity of computing power greater than 1026 integer or floating-point operations, or using primarily biological sequence data and using a quantity of computing power greater than 1023 integer or floating-point operations.”
  • Reportable computing cluster: “any computing cluster that has a set of machines physically co-located in a single datacenter, transitively connected by data center networking of over 100 Gbit/s, and having a theoretical maximum computing capacity of 1020 integer or floating- point operations per second for training AI.”

Cybersecurity exposures

The very fact of requiring AI companies to report the “physical and cybersecurity measures taken to protect” model weights will itself undermine the utility of those measures. After all, one of the most basic principles of security is to avoid disclosing too many details of how an asset is protected. A well-protected jewelry store is secure in large part because would-be thieves are left guessing as to the full set of security measures that are in place.

The most sophisticated AI models are the result of enormous investments in both dollars and human effort. Those models have extraordinary economic…

Source…

Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years

/in


Indian Hack-for-Hire Group

An Indian hack-for-hire group targeted the U.S., China, Myanmar, Pakistan, Kuwait, and other countries as part of a wide-ranging espionage, surveillance, and disruptive operation for over a decade.

The Appin Software Security (aka Appin Security Group), according to an in-depth analysis from SentinelOne, began as an educational startup offering offensive security training programs, while carrying out covert hacking operations since at least 2009.

In May 2013, ESET disclosed a set of cyber attacks targeting Pakistan with information-stealing malware. While the activity was attributed to a cluster tracked as Hangover (aka Patchwork or Zinc Emerson), evidence shows that the infrastructure is owned and controlled by Appin.

“The group has conducted hacking operations against high value individuals, governmental organizations, and other businesses involved in specific legal disputes,” SentinelOne security Tom Hegel said in a comprehensive analysis published last week.

“Appin’s hacking operations and overall organization appear at many times informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs with significant success.”

Cybersecurity

The findings are based on non-public data obtained by Reuters, which called out Appin for orchestrating data theft attacks on an industrial scale against political leaders, international executives, sports figures, and others. The company, in response, has dismissed its connection with the hack-for-hire business.

One of the core services offered by Appin was a tool named “MyCommando” (aka GoldenEye or Commando) that allowed its customers to log in to view and download campaign-specific data and status updates, communicate securely, and choose from various task options that range from open-source research to social engineering to a trojan campaign.

The targeting of China and Pakistan is confirmation that an Indian-origin mercenary group has been roped in to conduct state-sponsored attacks. Appin has also been identified as behind the macOS spyware known as KitM in 2013.

What’s more, SentinelOne said it also identified instances of domestic targeting with the goal of stealing login…

Source…