In a joint cybersecurity advisory, the FBI, CISA, NSA, and partner agencies from Canada, the United Kingdom, and Israel have issued an urgent warning about ongoing malicious cyber activities by advanced persistent threat (APT) actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
The advisory provides critical new details on tactics, techniques, and procedures (TTPs) employed by these IRGC-linked cyber actors, known as “CyberAv3ngers,” and offers updated mitigation recommendations for organizations to protect their critical infrastructure.
Details of the Threat
The IRGC, designated a foreign terrorist organization by the United States and Canada, has been linked to a series of cyberattacks targeting critical infrastructure worldwide.
Recent investigations have uncovered that CyberAv3ngers, an IRGC-affiliated group, has been actively compromising industrial control systems (ICS) and programmable logic controllers (PLCs) used in water systems, energy facilities, and other essential sectors.
Among their significant targets are Israeli-made Unitronics Vision Series PLCs and human-machine interfaces (HMIs).
These devices, vital to operational technology (OT) systems, were compromised in late 2023 by exploiting default or absent passwords in internet-connected devices.
Victims included critical infrastructure entities in the United States, United Kingdom, Israel, and other nations.
Notable tactics employed by CyberAv3ngers include deploying custom malicious ladder logic files, renaming devices to delay recovery efforts, resetting software versions, and changing default network settings.
Most alarmingly, their actions could potentially trigger severe cyber-physical disruptions to processes and equipment.
Key New Findings
The December 18, 2024, update to the advisory highlights the following:
- Additional TTPs: Newly observed methods include replacing authentic ladder logic files, altering device settings to block operator access, and configuring unknown port numbers to evade detection.
- Broader Targeting: In addition to U.S. critical systems, attacks have expanded to devices in the UK, signaling a wider campaign against Israeli-linked technologies.
- Enhanced Risk for OT Systems: Experts warn that compromised PLCs in industries such as healthcare, energy, and transportation remain highly vulnerable to cascading cyber-physical effects.
Mitigation Strategies
The advisory urges organizations, particularly those in critical infrastructure sectors, to adopt the following measures immediately.
| Category | Action |
|---|---|
| Update Firmware and Apply Strong Security Protocols | – Upgrade Unitronics Vision Series PLC software and firmware to the latest versions. |
| – Replace all default passwords with strong, unique credentials. | |
| – Configure new security-related access controls. | |
| Remove Internet Exposure | – Disconnect PLCs and HMIs from public-facing internet connections. |
| – Place devices behind firewalls. | |
| – Implement VPNs or gateways to securely control access. | |
| Enhance Detection and Defense | – Use network segmentation techniques like the Purdue Model to limit intrusion spread. |
| – Deploy intrusion detection systems (IDS). | |
| – Monitor traffic for unusual login attempts or rogue protocols. | |
| Implement Immediate Protections | – Disable unused authentication methods. |
| – Enforce multifactor authentication wherever feasible. | |
| – Regularly update device software. | |
| – Perform independent security audits. | |
| Strengthen Incident Response Readiness | – Conduct regular backups of device configurations. |
| – Retain cold-standby or replacement hardware for minimal recovery disruptions. |
The advisory stresses the responsibility of device manufacturers to design products securely.
Recommendations include ending the use of default passwords, enabling secure-by-default configurations, and providing strong security features without additional fees.
These measures would significantly reduce vulnerabilities exploited by actors like the CyberAv3ngers.
Organizations encountering suspicious cyber activity are encouraged to report incidents promptly:
- U.S. entities may contact local FBI field offices, CISA’s 24/7 Operations Center, or the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- Canadian organizations can reach out to the Canadian Centre for Cyber Security (CCCS).
- UK entities should engage with the National Cyber Security Centre (NCSC).
- Israeli teams are instructed to liaise with the Israel National Cyber Directorate (INCD).
This advisory underscores the escalating threat of Iranian state-sponsored cyber activities targeting critical systems across the globe. As technology becomes increasingly interconnected, the potential for widespread disruption emphasizes the importance of adopting robust cybersecurity measures.
For further details, organizations can refer to technical resources provided by CISA and partner agencies, including observables mapped to the MITRE ATT&CK® framework.
Governments and cybersecurity experts urge proactive action to mitigate risks and safeguard infrastructure against these evolving threats.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
.){kind=link}