The Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated APT groups have recently intensified their cyberattacks against critical infrastructure worldwide by employing advanced techniques, including spearphishing, exploitation of vulnerabilities, lateral movement, and data exfiltration.
To mitigate these threats, organizations should prioritize patch management, implement robust network segmentation, strengthen endpoint security, and maintain vigilant monitoring for suspicious activity.
The IRGC, a designated terrorist organization, launched cyberattacks targeting Israeli-made Unitronics PLCs and HMIs, which are widely used in critical infrastructure sectors like water and wastewater, energy, and healthcare.
CyberAv3ngers, an IRGC-affiliated group, compromised these systems and defaced them with anti-Israel messages, which highlights the growing threat of state-sponsored cyberattacks targeting critical infrastructure.
To reduce the risk posed by these attacks, organizations, particularly those operating in essential industries, must implement robust cybersecurity measures.
An advanced persistent threat (APT) that is affiliated with the IRGC, CyberAv3ngers, has broadened its scope of attack to include older models of Unitronics PLCs.
They’ve developed custom ladder logic files to compromise these devices, allowing them to supplant existing logic, rename devices, reset software versions, disable upload/download functions, and change default port numbers, which provides deep device and network access, potentially enabling cyber-physical attacks.
The NCSC has observed similar PLC targeting in the UK, highlighting the ongoing risk to organizations using these devices in OT systems.
The group launched multiple cyberattacks targeting U.S. critical infrastructure, particularly water and wastewater systems, by exploiting vulnerabilities in internet-exposed Unitronics PLCs with default credentials.
The attacks involved compromising devices, modifying ladder logic files, disabling remote access, and displaying defacement messages, which disrupted operations, hindered recovery efforts, and potentially posed risks to physical infrastructure.
IRGC-affiliated attackers exploited weak passwords on internet-connected PLCs to gain access. To mitigate this, organizations should update PLC firmware and software, replace default passwords, and disconnect PLCs from the internet.
Multi-factor authentication, network segmentation, and firewalls should be implemented to control access and prevent unauthorized modifications, while organizations should monitor network traffic for suspicious activity and implement intrusion detection and prevention systems.
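As an added example (not code from the advisory or this article), the following Python script checks flow-log lines against the two network controls recommended above: no PLC reachable from the internet, and no cross-segment access from IT hosts. The log format, the OT subnet, and the PLC addresses are constructed assumptions; the service ports are assumed to be the Unitronics PCOM default (TCP 20256) and Modbus/TCP (502).

```python
import ipaddress
from collections import Counter

# Constructed sample flow-log lines (not from the advisory): "src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
203.0.113.45 10.20.0.15 20256
10.10.5.7 10.20.0.15 20256
10.20.0.8 10.20.0.15 20256
198.51.100.9 10.20.0.16 20256
10.20.0.9 10.20.0.16 502
"""

# Assumed address plan: RFC 1918 space is "inside", and the PLCs sit in one OT subnet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PLC_HOSTS = {ipaddress.ip_address("10.20.0.15"), ipaddress.ip_address("10.20.0.16")}
# Assumed PLC service ports: Unitronics PCOM (20256) and Modbus/TCP (502).
PLC_PORTS = {20256, 502}


def classify_flow(src, dst, dport):
    """Return an alert label for one flow, or None if the flow is permitted."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in PLC_HOSTS or dport not in PLC_PORTS:
        return None  # not PLC traffic; out of scope for this check
    if not any(src_ip in net for net in INTERNAL_NETS):
        return "internet_exposure"  # PLC accepting connections from outside the organization
    if src_ip not in OT_SUBNET:
        return "segmentation_violation"  # IT-side host reaching into the OT segment
    return None  # OT-to-PLC traffic inside the segment is expected


def audit_flows(text):
    """Parse flow lines and count alerts by (label, PLC address)."""
    alerts = Counter()
    for line in text.splitlines():
        src, dst, port = line.split()
        label = classify_flow(src, dst, int(port))
        if label:
            alerts[(label, dst)] += 1
    return alerts


if __name__ == "__main__":
    for (label, plc), count in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{label:24} {plc:14} {count}")
```

Any "internet_exposure" hit indicates a PLC that should be taken off the internet, and a "segmentation_violation" hit indicates a firewall rule gap between the IT and OT segments.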
The authoring agencies recommend a proactive approach to enhance organizational security, which involves aligning existing security technologies with specific MITRE ATT&CK techniques, rigorously testing their effectiveness, and analyzing their performance.
By iteratively refining security programs, organizations can optimize their defenses against potential threats. Continuous testing and validation in production environments are crucial to maintaining optimal security posture against the identified ATT&CK techniques.