Full Report
New Censys data examined recent internet exposure of four device types previously targeted or monitored by Iranian threat... The post Censys researchers find industrial devices still wide open online as Iranian hackers circle appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Iranian Threat Actors / Pro-Iranian Hacktivists (Linked to CyberAv3ngers)
## Attribution & Identity
The analysis focuses on general threats posed by **Iranian threat actors** and **pro-Iranian hacktivists**, noting potential links to the **Iranian Revolutionary Guard Corps (IRGC)** via the group **CyberAv3ngers**.
## Activity Summary
The summary highlights a heightened threat environment following US airstrikes on Iranian nuclear sites, which has raised the risk of cyberattacks against US critical infrastructure (CI). Specifically, the **CyberAv3ngers** group claimed a November 2023 campaign targeting **Unitronics HMIs**, in which it modified devices to disrupt operations and block operator connectivity, and left anti-Israel defacement messages. U.S. security agencies issued alerts regarding potential Iranian cyber activity targeting organizations in the Defense Industrial Base (DIB) with ties to Israeli research or defense firms. Recent internet exposure data (Jan-Jun 2025) indicates that previously targeted ICS devices remain exposed.
## Tactics, Techniques & Procedures
- **Reconnaissance:** Threat actors research ICS devices, including searching for common industrial routers, PLCs, and electric companies in specific regions.
- **Credential Exploitation:** Exploiting devices/software shipped with easily searchable **default credentials** for trivial access.
- **Disruption:** Making changes to Unitronics systems to disrupt operations and prevent operator connection.
- **Defacement:** Leaving anti-Israel messages on system splash pages (observed in CyberAv3ngers Unitronics campaign).
- **Exposure:** Increased internet exposure of critical systems (Unitronics, Red Lion, Tridium Niagara) suggests easy access pathways for actors.
## Targeting
- **Sectors:** Critical Infrastructure (CI), including power and water systems. Defense Industrial Base (DIB) organizations with ties to Israeli research or defense firms. Industrial Control Systems (ICS).
- **Geography:** Primarily the **U.S.** (where most targeted devices are observed); Unitronics devices have also been observed, historically and currently, in Australia and Israel. Increased exposure noted in Germany, Sweden, and Japan.
- **Victims:** Sectoral targets include **water and wastewater systems** (Unitronics exploitation noted).
## Tools & Infrastructure
The article focuses more on vulnerable hardware/software than specific C2 infrastructure, but notes:
- **Malware families used:** Not explicitly named, but disruption and defacement were components of the CyberAv3ngers campaign.
- **Vulnerable Systems/Software Exposed:**
  - Unitronics PLCs/HMIs
  - Orpak SiteOmat
  - Red Lion equipment
  - Tridium Niagara framework (building automation software)
- **Infrastructure Observations:** Many exposed systems appear hosted on **mobile or consumer Internet Service Providers** rather than cloud networks.
  - Unitronics is often observed on ASN-TELSTRA (Australia).
  - Tridium Niagara is observed frequently on CELLCO-PART, COMCAST-7922, and AMAZON-02.
## Implications
The threat environment is heightened, likely in response to geopolitical tensions. The continued, significant internet exposure of widely used ICS devices, often retaining default credentials, provides low-effort, high-impact access vectors for both nation-state actors and associated hacktivist groups targeting critical infrastructure in the US and allied nations.
## Mitigations
- **Password Management:** Operators must change **default passwords** on all devices (especially Unitronics and Orpak SiteOmat) immediately. Manufacturers should avoid shipping devices with default credentials.
- **Network Segmentation:** Remove ICS device interfaces from direct exposure to the Internet.
- **Vigilance:** CI operators and network administrators must remain vigilant against potential Iranian cyber activity.
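The two concrete mitigations above (no ICS interface reachable from the Internet, no device left on vendor default credentials) and the "Exposure" and "Infrastructure Observations" points can be turned into a repeatable check over an operator's own asset inventory. The following is an added example written for this summary; it is not code from Censys, Industrial Cyber, or any vendor. The inventory records, their field names (`mgmt_ip`, `asn_name`, `asn_type`, `factory_credentials`) and the severity scale are all assumptions constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges and stand in for public addresses.

```python
"""Exposure audit for an OT asset inventory.

Added example (not the article's or Censys' code). Checks each device for the
two mitigations the report calls out and summarises Internet-exposed devices
by product and hosting network, mirroring the report's observation that many
exposed ICS devices sit on consumer or mobile ISPs. All records below are
constructed sample data; the field names are assumptions, not a real export.
"""
import ipaddress
from collections import Counter

# Address space that is NOT reachable from the Internet. A management address
# outside these ranges is treated as directly exposed. (Python's is_global /
# is_private would classify the RFC 5737 test ranges used below as reserved,
# so the check is done explicitly.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed sample inventory. ASN names echo networks mentioned in the
# report; "factory_credentials" is a hypothetical flag an operator would set
# from a credential-rotation record, not a password check.
INVENTORY = [
    {"host": "plc-well-3", "product": "Unitronics PLC/HMI", "mgmt_ip": "203.0.113.10",
     "asn_name": "ASN-TELSTRA", "asn_type": "consumer", "factory_credentials": True},
    {"host": "bms-hq", "product": "Tridium Niagara", "mgmt_ip": "198.51.100.22",
     "asn_name": "COMCAST-7922", "asn_type": "consumer", "factory_credentials": False},
    {"host": "fuel-site-1", "product": "Orpak SiteOmat", "mgmt_ip": "192.168.40.5",
     "asn_name": "ENTERPRISE-LAN", "asn_type": "private", "factory_credentials": True},
    {"host": "redlion-pump", "product": "Red Lion", "mgmt_ip": "10.20.0.7",
     "asn_name": "ENTERPRISE-LAN", "asn_type": "private", "factory_credentials": False},
    {"host": "niagara-remote", "product": "Tridium Niagara", "mgmt_ip": "203.0.113.77",
     "asn_name": "CELLCO-PART", "asn_type": "mobile", "factory_credentials": True},
]


def is_internet_exposed(ip: str) -> bool:
    """True when the management address lies outside internal address space,
    i.e. the interface is reachable without a firewall or VPN boundary."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def severity(dev: dict) -> str:
    """Rank a device by the report's two risk factors. Exposed + default
    credentials is the low-effort, high-impact case the report warns about."""
    exposed = is_internet_exposed(dev["mgmt_ip"])
    if exposed and dev["factory_credentials"]:
        return "critical"
    if exposed:
        return "high"
    if dev["factory_credentials"]:
        return "medium"
    return "ok"


def audit(inventory: list) -> dict:
    """Map each host to its severity so remediation can be prioritised."""
    return {dev["host"]: severity(dev) for dev in inventory}


def exposure_by_network(inventory: list) -> Counter:
    """Count Internet-exposed devices per (product, hosting network), the same
    cut the report uses when it names ASNs per product."""
    return Counter(
        (dev["product"], dev["asn_name"])
        for dev in inventory if is_internet_exposed(dev["mgmt_ip"])
    )


def exposed_on_consumer_networks(inventory: list) -> list:
    """Hosts exposed via consumer or mobile ISPs: typically remote sites with
    no enterprise firewall in front of the PLC or HMI."""
    return [
        dev["host"] for dev in inventory
        if is_internet_exposed(dev["mgmt_ip"]) and dev["asn_type"] in ("consumer", "mobile")
    ]


if __name__ == "__main__":
    for host, level in sorted(audit(INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{host:16} {level}")
    print("exposed by network:", dict(exposure_by_network(INVENTORY)))
    print("exposed via consumer/mobile ISPs:", exposed_on_consumer_networks(INVENTORY))
```

The "critical" bucket is where the report's campaign pattern applies (reachable from the Internet and still on factory credentials), so those hosts are the ones to take offline or put behind a VPN first; "medium" devices are not reachable today but would become critical the moment a cellular or consumer uplink is added, which is why credential rotation is still listed for them.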