Iranian CyberAv3ngers Target Unitronics Vision PLCs in US Critical Infrastructure Amid Rising Geopolitical Tensions

Executive Summary
Iran-linked Advanced Persistent Threat (APT) groups, most notably those affiliated with the Islamic Revolutionary Guard Corps (IRGC) and operating under the CyberAv3ngers persona, have intensified cyber operations targeting the United States and allied nations amid ongoing geopolitical tensions and regional conflict. These campaigns have focused on critical infrastructure sectors, particularly water and wastewater systems, energy, transportation, and healthcare. The attackers exploit insecure operational technology (OT) devices, especially Unitronics Vision Series Programmable Logic Controllers (PLCs), leveraging default credentials, internet exposure, and weak network segmentation. The result is a heightened risk of operational disruption, data manipulation, and potential physical consequences for affected organizations. This advisory provides a comprehensive technical analysis of the threat, observed tactics, techniques, and procedures (TTPs), exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The primary threat actors in these campaigns are Iranian state-linked APT groups, with CyberAv3ngers being the most prominent. CyberAv3ngers is widely attributed to the IRGC and has been active since at least 2020, targeting critical infrastructure in the US, Israel, and other Western nations. The group is known for its focus on OT environments, particularly those using Israeli-made or rebranded equipment, and for its use of public defacement and psychological operations to amplify the impact of its attacks. Other associated groups include Soldiers of Solomon and additional IRGC-linked personas, which often share TTPs and infrastructure. These actors are highly opportunistic, leveraging open-source intelligence (OSINT) to identify vulnerable targets and exploiting geopolitical events to justify and time their operations.
Technical Analysis of Malware/TTPs
The technical modus operandi of CyberAv3ngers and affiliated groups centers on exploiting internet-exposed Unitronics Vision Series PLCs and Human-Machine Interfaces (HMIs). The attack chain typically begins with reconnaissance, using services such as Shodan and Censys to identify devices exposing TCP port 20256, the default port for PCOM/TCP, the Unitronics programming and communication protocol. The attackers then attempt authentication with the factory default password, or simply connect to devices on which no password has been set at all; this maps to MITRE ATT&CK T1078.001 (Valid Accounts: Default Accounts) and T1110 (Brute Force).
Upon gaining access, the attackers execute a series of disruptive actions:
- They erase the original ladder logic and upload custom, non-functional logic with no configured inputs or outputs, which stops the device from controlling its process (T1565.001 - Stored Data Manipulation).
- They rename the device to delay operator identification and remediation (T1531 - Account Access Removal), and downgrade the software version so that legitimate engineering workstations can no longer connect.
- They disable the upload/download functions, enable password protection, and move the PCOM listener from the default TCP port 20256 (typically to 20257), leaving operators unable to reach or recover the controller (T1499 - Endpoint Denial of Service).
- They upload defacement messages to the HMI screen, such as "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target" (T1491.001 - Internal Defacement).
Persistence is achieved by preventing retrieval of malicious logic files and blocking operator access. The attackers’ deep access to OT environments raises the risk of more profound cyber-physical effects, including potential manipulation of physical processes.
Indicators of Compromise (IOCs) include:
The available indicators are behavioural rather than atomic; no attacker IP addresses or file hashes are listed here, so detection has to key on device state and access patterns:
- Unitronics Vision Series PLCs and HMIs (multiple models, including older and rebranded units) reachable from the internet.
- PCOM/TCP no longer answering on the default port 20256 but on 20257.
- Custom ladder logic files with no inputs or outputs in place of the original program.
- The defacement messages quoted above on HMI screens.
At least 75 devices were compromised in the US between November 2023 and January 2024, 34 of them in the water and wastewater sector.
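Because the indicators above are behavioural, the practical detection is over network access to the PLCs themselves. The following Python script is an added example (not part of the advisory and not Rescana's tooling): it runs the access-pattern checks over constructed firewall connection logs, flagging PCOM/TCP connections (port 20256, or the attacker-changed 20257) to inventoried PLCs from anything other than approved engineering workstations, connections from outside RFC1918 space (internet exposure), a PLC suddenly answering on a port other than its inventoried one, and rapid repeated connections that suggest default-credential spraying. The log format, addresses, inventory and thresholds are assumptions made for the example.

```python
"""Detection logic for the CyberAv3ngers access pattern against Unitronics PLCs.

Added example; not from the advisory or from Rescana. Log format, addresses,
inventory and thresholds are assumptions made for this example.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PCOM_PORTS = {20256, 20257}  # default PCOM/TCP port and the attacker-changed one
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: PLC address -> PCOM port it is supposed to listen on.
PLC_INVENTORY = {"10.20.30.5": 20256, "10.20.30.6": 20256}
# Constructed allow-list of engineering workstations permitted to talk PCOM to PLCs.
ENGINEERING_HOSTS = {"10.20.10.15"}

# Constructed firewall connection log: timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2023-11-25T02:14:01Z 203.0.113.77 10.20.30.5 20256
2023-11-25T02:14:03Z 203.0.113.77 10.20.30.5 20256
2023-11-25T02:14:04Z 203.0.113.77 10.20.30.5 20256
2023-11-25T02:14:06Z 203.0.113.77 10.20.30.5 20256
2023-11-25T02:14:09Z 203.0.113.77 10.20.30.5 20256
2023-11-25T02:31:40Z 203.0.113.77 10.20.30.5 20257
2023-11-25T08:00:12Z 10.20.10.15 10.20.30.6 20256
2023-11-25T08:05:00Z 10.20.40.9 10.20.30.6 20256
2023-11-25T08:05:30Z 10.20.40.9 10.20.30.6 443
"""


def parse_line(line):
    ts, src, dst, dport = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport)}


def outside_private_space(ip):
    """True when the address is not RFC1918, i.e. the PLC was reached from the internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def detect(log_text, inventory=PLC_INVENTORY, allowed=ENGINEERING_HOSTS,
           spray_threshold=5, spray_window=timedelta(minutes=1)):
    """Return (finding, src, dst, detail) tuples for PCOM traffic to inventoried PLCs."""
    findings = []
    attempts = defaultdict(list)  # (src, dst) -> timestamps of PCOM connections seen
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst"] not in inventory or ev["dport"] not in PCOM_PORTS:
            continue  # only PCOM traffic to known PLCs matters for these TTPs
        if ev["src"] not in allowed:
            findings.append(("unauthorized_pcom_access", ev["src"], ev["dst"], ev["dport"]))
        if outside_private_space(ev["src"]):
            findings.append(("internet_exposed_plc", ev["src"], ev["dst"], ev["dport"]))
        if ev["dport"] != inventory[ev["dst"]]:
            # PLC answering on a port other than its inventoried one: the 20256 -> 20257 TTP
            findings.append(("pcom_port_changed", ev["src"], ev["dst"], ev["dport"]))
        key = (ev["src"], ev["dst"])
        attempts[key].append(ev["ts"])
        recent = [t for t in attempts[key] if ev["ts"] - t <= spray_window]
        if len(recent) == spray_threshold:  # fire when the window fills, not on every extra hit
            findings.append(("credential_spray_suspected", ev["src"], ev["dst"], len(recent)))
    return findings


def summarize(findings):
    return Counter(kind for kind, *_ in findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print(dict(summarize(detect(SAMPLE_LOG))))
```

Two design choices are deliberate: connections from allow-listed workstations still count toward the spray threshold, because a compromised engineering workstation is the other route onto a PLC; and a connection on any PCOM port other than the one in the inventory is reported, so the check does not depend on the attackers picking 20257 specifically.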
Exploitation in the Wild
Multiple confirmed breaches have been reported in the United States, including the Municipal Water Authority of Aliquippa in Pennsylvania and Vero Utilities in Florida. In these incidents, attackers gained access to internet-exposed Unitronics PLCs, uploaded malicious ladder logic, and displayed defacement messages. Similar attacks have been observed in Israel and the United Kingdom, targeting water, energy, and transportation infrastructure. Public claims of responsibility have been made via the CyberAv3ngers Telegram channel and other social media platforms, often accompanied by screenshots of compromised devices.
The attacks have not been limited to a single sector or geography. The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have issued joint advisories warning of ongoing campaigns and urging immediate action to secure vulnerable OT assets. The National Cyber Security Centre (NCSC) in the UK has also reported related activity.
Victimology and Targeting
The primary targets of these campaigns are organizations operating critical infrastructure, with a particular focus on water and wastewater systems, energy providers, food and beverage manufacturers, transportation networks, and healthcare facilities. The attackers prioritize devices that are internet-exposed, use default or weak credentials, and lack robust network segmentation. Geographic impact has been most pronounced in the United States, with confirmed incidents in multiple states, but similar activity has been observed in Israel, the United Kingdom, and other countries with critical infrastructure using Unitronics or rebranded PLCs.
Victims are often small to mid-sized utilities and organizations with limited cybersecurity resources, making them attractive targets for opportunistic exploitation. The attackers’ use of public defacement and psychological operations is intended to maximize the perceived impact and sow distrust in the security of critical infrastructure.
Mitigation and Countermeasures
Organizations operating Unitronics Vision Series PLCs or similar OT devices should take immediate action to mitigate the risk of compromise:
- Upgrade all Unitronics Vision Series PLCs to the latest firmware and VisiLogic software (version 9.9.00 or higher).
- Replace all default passwords on PLCs and HMIs with strong, unique credentials; an upgraded device that still carries its factory password remains exposed.
- Disconnect PLCs from the public internet, or place them behind firewalls and VPNs so that PCOM/TCP is reachable only from designated engineering hosts; disable remote programming unless absolutely necessary.
- Change default ports and device names, and monitor for unauthorized changes. Note that a non-default port only slows down opportunistic scanning and is no substitute for removing internet exposure.
- Implement multifactor authentication for OT network access where possible.
- Monitor for unusual logins, protocol mismatches, and configuration changes on PLCs and OT networks.
- Retain cold-standby hardware and maintain strong, tested backups of PLC logic and configurations, so that a controller whose logic has been wiped can be restored rather than rebuilt.
In addition, organizations should review the latest advisories from CISA, FBI, and NSA, and implement recommended best practices for OT security, including network segmentation, continuous monitoring, and incident response planning.
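To turn the checklist above into something that can be run against an asset register, here is an added example (not Rescana's, Unitronics' or CISA's code) that audits a constructed CSV inventory of PLCs item by item: VisiLogic version compared numerically against 9.9.00, default password, default device name, internet exposure and the default PCOM port, then orders devices so that internet-exposed units still on the default password are remediated first. The inventory columns, device names and values are assumptions made for the example.

```python
"""Audit a PLC inventory against the mitigation checklist for Unitronics Vision PLCs.

Added example; not from the advisory, Rescana or Unitronics. The CSV columns
and the devices in it are assumptions made for this example.
"""
import csv
import io

MIN_VISILOGIC = (9, 9, 0)  # "version 9.9.00 or higher"
DEFAULT_PCOM_PORT = 20256

# Constructed inventory. The yes/no columns record whether a factory default is still in place.
INVENTORY_CSV = """\
asset,ip,model,visilogic,default_password,default_name,internet_exposed,pcom_port
PLC-LIFT-1,10.20.30.5,V570,9.8.65,yes,yes,yes,20256
PLC-LIFT-2,10.20.30.6,V130,9.9.00,no,no,no,20256
PLC-CHLOR-1,10.20.30.7,V700,9.9.01,no,no,no,20888
PLC-OLD-1,10.20.30.8,V280,unknown,yes,no,no,20256
"""


def parse_version(text):
    """'9.9.00' -> (9, 9, 0). Returns None for unparseable strings such as 'unknown'."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def audit_device(row):
    """List the checklist items a single inventory row fails."""
    findings = []
    version = parse_version(row["visilogic"])
    if version is None:
        findings.append("visilogic_version_unknown")  # cannot confirm the fixed release is installed
    elif version < MIN_VISILOGIC:
        findings.append("visilogic_below_9.9.00")
    if row["default_password"].strip().lower() == "yes":
        findings.append("default_password")
    if row["default_name"].strip().lower() == "yes":
        findings.append("default_device_name")
    if row["internet_exposed"].strip().lower() == "yes":
        findings.append("internet_exposed")
    if int(row["pcom_port"]) == DEFAULT_PCOM_PORT:
        findings.append("default_pcom_port")
    return findings


def audit(csv_text):
    """asset name -> list of failed checklist items."""
    return {row["asset"]: audit_device(row) for row in csv.DictReader(io.StringIO(csv_text))}


def remediation_order(results):
    """Internet-exposed devices still on the default password first, then by finding count."""
    def urgency(item):
        asset, findings = item
        exposed_and_default = "internet_exposed" in findings and "default_password" in findings
        return (0 if exposed_and_default else 1, -len(findings), asset)
    return [asset for asset, _ in sorted(results.items(), key=urgency)]


if __name__ == "__main__":
    results = audit(INVENTORY_CSV)
    for asset in remediation_order(results):
        print(asset, results[asset] or "compliant")
```

The numeric version comparison matters: compared as strings, "9.10.0" sorts below "9.9.00" and a newer release would be reported as failing the minimum. A device whose version cannot be determined is reported as a finding in its own right rather than silently passing.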
References
- CISA AA23-335A Advisory (published Dec 2023, updated Dec 2024)
- MITRE ATT&CK: CyberAv3ngers
- CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
- VeroNews: Hackers in Iran Attack Computer at Vero Utilities
- Claroty: From Exploits to Forensics: Unraveling the Unitronics Attack
- Dragos: The Rising Tide of Water Utility Cyber Threats
- SecurityWeek: Iranian APT Hacked US Airport, Bank, Software Company
- SOCRadar: Cyber Reflections US-Israel-Iran War
- FBI: The Iran Threat
- CISA AA23-335A STIX JSON
- CISA AA23-335A STIX XML
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and critical infrastructure. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure operational resilience. For more information or to discuss how Rescana can support your cybersecurity program, we are happy to answer questions at ops@rescana.com.