In a joint cybersecurity advisory, the FBI, CISA, NSA, and partner agencies from Canada, the United Kingdom, and Israel have issued an urgent warning about ongoing malicious cyber activities by advanced persistent threat (APT) actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
The advisory provides critical new details on tactics, techniques, and procedures (TTPs) employed by these IRGC-linked cyber actors, known as “CyberAv3ngers,” and offers updated mitigation recommendations for organizations to protect their critical infrastructure.
The IRGC, designated a foreign terrorist organization by the United States and Canada, has been linked to a series of cyberattacks targeting critical infrastructure worldwide.
Recent investigations have uncovered that CyberAv3ngers, an IRGC-affiliated group, has been actively compromising industrial control systems (ICS) and programmable logic controllers (PLCs) used in water systems, energy facilities, and other essential sectors.
Among their significant targets are Israeli-made Unitronics Vision Series PLCs and human-machine interfaces (HMIs).
These devices, vital to operational technology (OT) systems, were compromised in late 2023 by exploiting default or absent passwords in internet-connected devices.
Victims included critical infrastructure entities in the United States, United Kingdom, Israel, and other nations.
Notable tactics employed by CyberAv3ngers include deploying custom malicious ladder logic files, renaming devices to delay recovery efforts, resetting software versions, and changing default network settings.
Most alarmingly, their actions could potentially trigger severe cyber-physical disruptions to processes and equipment.
The December 18, 2024, update to the advisory highlights the following:
The advisory urges organizations, particularly those in critical infrastructure sectors, to adopt the following measures immediately.
Category | Action |
---|---|
Update Firmware and Apply Strong Security Protocols | Upgrade Unitronics Vision Series PLC software and firmware to the latest versions; replace all default passwords with strong, unique credentials; configure new security-related access controls. |
Remove Internet Exposure | Disconnect PLCs and HMIs from public-facing internet connections; place devices behind firewalls; implement VPNs or gateways to securely control access. |
Enhance Detection and Defense | Use network segmentation techniques like the Purdue Model to limit intrusion spread; deploy intrusion detection systems (IDS); monitor traffic for unusual login attempts or rogue protocols. |
Implement Immediate Protections | Disable unused authentication methods; enforce multifactor authentication wherever feasible; regularly update device software; perform independent security audits. |
Strengthen Incident Response Readiness | Conduct regular backups of device configurations; retain cold-standby or replacement hardware for minimal recovery disruptions. |
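Three of the rows above (remove internet exposure, enforce segmentation, monitor for unusual logins or rogue protocols) can be checked from ordinary firewall or flow logs. The script below is an added example written for this article, not code from the advisory or from CISA; it parses a small, constructed connection log and reports PLC sessions that originate outside the operator's own address ranges, protocols that are not on the control-zone allowlist, and source/destination pairs with a burst of failed logins. The log format, the PLC subnet, the protocol names and port numbers (including `pcom` on 20256) are all assumptions made for the example.

```python
"""Audit OT connection logs for three signals from the advisory's mitigation table:
internet exposure of PLCs/HMIs, protocols that do not belong in the control zone,
and bursts of failed logins against a controller.

Assumed log format (constructed for this example, not the advisory's):
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <protocol> <ok|fail>
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample log. 198.51.100.0/24 is a documentation range standing in for
# a public source; 10.20.1.0/24 is the assumed PLC/HMI zone.
SAMPLE_LOG = """\
2024-12-18T10:00:01Z 10.20.0.15 10.20.1.5 20256 pcom ok
2024-12-18T10:00:07Z 198.51.100.23 10.20.1.5 20256 pcom ok
2024-12-18T10:00:12Z 10.20.0.15 10.20.1.5 22 ssh fail
2024-12-18T10:00:13Z 10.20.0.15 10.20.1.5 22 ssh fail
2024-12-18T10:00:14Z 10.20.0.15 10.20.1.5 22 ssh fail
2024-12-18T10:00:15Z 10.20.0.15 10.20.1.5 22 ssh fail
2024-12-18T10:01:00Z 10.20.0.40 10.20.1.5 80 http ok
2024-12-18T10:01:30Z 10.20.0.15 10.20.1.6 502 modbus ok
"""

# Operator-supplied address plan and protocol allowlist (assumed values).
PLC_NET = ipaddress.ip_network("10.20.1.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PROTOCOLS = {"pcom", "modbus"}  # what the control zone is expected to carry


@dataclass(frozen=True)
class Record:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int
    proto: str
    result: str


def parse_log(text):
    """Parse the assumed whitespace-separated format into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, proto, result = line.split()
        records.append(Record(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                              int(port), proto.lower(), result.lower()))
    return records


def find_internet_exposure(records, plc_net, internal_nets):
    """Sessions reaching a PLC from an address outside every internal range:
    evidence the device is reachable from the public internet."""
    return [r for r in records
            if r.dst in plc_net and not any(r.src in net for net in internal_nets)]


def find_rogue_protocols(records, plc_net, allowed):
    """Sessions into the PLC zone using a protocol the zone should not carry."""
    return [r for r in records if r.dst in plc_net and r.proto not in allowed]


def find_login_bursts(records, plc_net, threshold=3):
    """(src, dst) pairs with at least `threshold` failed logins against a PLC."""
    fails = Counter((r.src, r.dst) for r in records
                    if r.dst in plc_net and r.result == "fail")
    return {pair: n for pair, n in fails.items() if n >= threshold}


def audit(text, plc_net=PLC_NET, internal_nets=INTERNAL_NETS, allowed=ALLOWED_PROTOCOLS):
    """Run all three checks over a log and return the findings."""
    records = parse_log(text)
    return {
        "internet_exposure": find_internet_exposure(records, plc_net, internal_nets),
        "rogue_protocols": find_rogue_protocols(records, plc_net, allowed),
        "login_bursts": find_login_bursts(records, plc_net),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for r in findings["internet_exposure"]:
        print(f"EXPOSED  {r.dst} reached from non-internal {r.src} ({r.proto}/{r.port}) at {r.ts}")
    for r in findings["rogue_protocols"]:
        print(f"ROGUE    {r.proto}/{r.port} from {r.src} to {r.dst} at {r.ts}")
    for (src, dst), n in findings["login_bursts"].items():
        print(f"BRUTE?   {n} failed logins from {src} to {dst}")
```

The exposure check deliberately compares against an explicit list of internal ranges rather than a generic "is this address private" test: operators know their own address plan, and documentation or carrier-grade NAT ranges would otherwise be misclassified. In practice the allowlist and thresholds come from the site's segmentation design (the Purdue zone the PLCs sit in), and the findings feed the IDS or SIEM rather than stdout.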
The advisory stresses the responsibility of device manufacturers to design products securely.
Recommendations include ending the use of default passwords, enabling secure-by-default configurations, and providing strong security features without additional fees.
These measures would significantly reduce vulnerabilities exploited by actors like the CyberAv3ngers.
Organizations encountering suspicious cyber activity are encouraged to report incidents promptly:
This advisory underscores the escalating threat of Iranian state-sponsored cyber activities targeting critical systems across the globe. As technology becomes increasingly interconnected, the potential for widespread disruption emphasizes the importance of adopting robust cybersecurity measures.
For further details, organizations can refer to technical resources provided by CISA and partner agencies, including observables mapped to the MITRE ATT&CK® framework.
Governments and cybersecurity experts urge proactive action to mitigate risks and safeguard infrastructure against these evolving threats.