# Full Report
U.S. security agencies on Monday urged critical infrastructure operators to stay alert for possible cyberattacks by Iranian state-sponsored... The post Critical infrastructure warned of rising Iranian cyber threats; urged to detect, disconnect vulnerable OT, ICS devices appeared first on Industrial Cyber.
# Analysis Summary
# Threat Actor: Iranian State-Sponsored or Affiliated Cyber Actors (Including Hacktivists)
## Attribution & Identity
Identified as Iranian state-sponsored or affiliated threat actors, including associated hacktivist groups. U.S. agencies have not yet attributed the activity to a *single* coordinated campaign, but high alert is warranted given current geopolitical tensions. Some previous activity was linked to **Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated hackers**.
## Activity Summary
1. **General Targeting:** Routinely targeting poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks.
2. **Geopolitical Response:** Conducting hack-and-leak operations and information operations (including social media amplification) to protest the Israel-Hamas conflict in Gaza, aiming to undermine public confidence and embarrass victims.
3. **Recent Campaigns:** Observed conducting extensive website defacements and leaking sensitive information exfiltrated from victims. Significant increase anticipated in Distributed Denial of Service (DDoS) campaigns against U.S. and Israeli websites.
4. **Partnerships:** May conduct ransomware attacks in collaboration with cybercriminal groups, including encrypting systems and stealing data for subsequent leaks.
5. **Historical OT Campaign (Nov 2023 - Jan 2024):** IRGC-affiliated hackers targeted and breached Israeli-made Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs), affecting dozens of U.S. victims across multiple sectors during the Israel-Hamas conflict.
## Tactics, Techniques & Procedures
- Exploiting targets of opportunity using **unpatched/outdated software** (known CVEs).
- Exploiting the use of **default or common passwords** on internet-connected accounts and devices.
- **Automated password guessing** and cracking password hashes using online resources.
- Inputting **default manufacturer passwords**.
- **Targeting OT/ICS:** Using system engineering and diagnostic tools to reach engineering/operator devices, performance/security systems, and vendor/third-party maintenance systems.
- **Data Theft and Leakage:** Exfiltrating sensitive data for public release (hack-and-leak operations).
- **Disruption:** Website defacements and anticipated **DDoS campaigns**.
- Leveraging factory-default settings (passwords, TCP ports) on internet-connected ICS/OT devices.
## Targeting
- Sectors: Critical Infrastructure (general), Defense Industrial Base (DIB) with ties to Israeli research/defense firms, Water and Wastewater, Energy, Food and Beverage Manufacturing, Healthcare and Public Health, U.S. Internet Protocol Television (IPTV) companies.
- Geography: U.S. networks and devices, Israeli websites and infrastructure.
- Victims: Organizations using vulnerable, internet-connected ICS devices, including those using Unitronics PLCs.
## Tools & Infrastructure
- **Malware families used:** Implied use of tools associated with ransomware operations. Specific malware names were not detailed.
- **Infrastructure (C2, domains, IPs):** The article noted that actors previously targeted devices accessible via factory-default TCP ports. No specific IPs or URLs linked to the actors were provided.
## Implications
Iranian-affiliated actors pose an immediate threat to U.S. critical infrastructure and the DIB, especially concerning operational technology (OT). Their motivation appears linked to geopolitical events, employing both disruptive (DDoS) and espionage/shaming tactics (hack-and-leak). The reliance on easily exploitable vulnerabilities (default passwords, unpatched systems) suggests a high volume, low-sophistication approach targeting the weakest links in ICS environments.
## Mitigations
- **Network Segmentation:** Identify and immediately disconnect OT/ICS assets from the public internet.
- **Authentication:** Implement phishing-resistant Multi-Factor Authentication (MFA) for accessing OT networks from external networks. Require MFA for making changes to high-value controllers.
- **Patching:** Apply the manufacturer’s latest software patches for all internet-facing systems.
- **Configuration Management:** Ensure all internet-connected ICS have strong, non-default credentials.
- **Monitoring:** Monitor user access logs for remote connections into the OT network and track firmware/configuration changes.
- **Operational Controls:** Implement OT processes that block unauthorized changes, maintain visibility, and enforce control (e.g., keeping PLCs in run mode, activating safety systems and interlocks).
- **Resilience:** Maintain robust business continuity and incident response plans, including full system and data backups, to ensure rapid recovery.
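The monitoring and operational-control items above translate directly into detection rules for OT access and change logs. As an added example (not code from the article or from any agency guidance), the Python below runs three such rules over constructed sample log lines: external remote logins without MFA, PLCs taken out of run mode, and firmware/configuration changes outside an approved window. The log format, the internal OT address range, and the maintenance window are all assumptions.

```python
import ipaddress

# Constructed sample OT log lines (not from the article). Assumed format:
# <timestamp> <event type> key=value ...
SAMPLE_LOG = """\
2024-01-10T02:13:07Z REMOTE_LOGIN src=203.0.113.45 user=admin mfa=no
2024-01-10T02:14:22Z PLC_MODE dev=plc-07 from=RUN to=STOP user=admin
2024-01-10T09:05:11Z REMOTE_LOGIN src=10.20.0.15 user=jsmith mfa=yes
2024-01-10T09:06:40Z CONFIG_CHANGE dev=plc-03 user=jsmith
2024-01-10T23:48:02Z FIRMWARE_CHANGE dev=hmi-02 user=svc_maint
"""

# Assumptions: address space of the OT network and the approved change window (UTC hours).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MAINT_WINDOW = range(8, 18)  # 08:00 to 17:59 UTC


def parse(line):
    """Split one log line into a dict of fields plus 'ts' and 'kind'."""
    ts, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    fields["ts"], fields["kind"] = ts, kind
    return fields


def is_internal(ip):
    """True if the address falls inside the OT network ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return (timestamp, rule, detail) findings for the three rules."""
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        hour = int(e["ts"][11:13])
        # Rule 1: remote access into OT from outside must use MFA.
        if e["kind"] == "REMOTE_LOGIN" and not is_internal(e["src"]):
            if e.get("mfa") != "yes":
                findings.append((e["ts"], "external-login-without-mfa", f"{e['user']} from {e['src']}"))
        # Rule 2: PLCs should stay in run mode; any transition out of RUN is flagged.
        elif e["kind"] == "PLC_MODE" and e["from"] == "RUN" and e["to"] != "RUN":
            findings.append((e["ts"], "plc-left-run-mode", f"{e['dev']} -> {e['to']} by {e['user']}"))
        # Rule 3: firmware/config changes outside the maintenance window are suspicious.
        elif e["kind"] in ("CONFIG_CHANGE", "FIRMWARE_CHANGE") and hour not in MAINT_WINDOW:
            findings.append((e["ts"], "change-outside-window", f"{e['kind']} on {e['dev']} by {e['user']}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(ts, rule, detail)
```

The in-window configuration change by an internal, MFA-authenticated user produces no finding, which is the point: the rules key on the conditions the mitigations list calls out rather than on change activity as such.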