Joint Advisory – Iranian Cyber Actors Targeting Critical Infrastructure Organizations Using Brute Force

Created: Thursday, October 17, 2024 - 13:57
Categories:
Cybersecurity, Federal & State Resources, Security Preparedness

Yesterday, CISA and other federal and international partners released a joint Cybersecurity Advisory (CSA) “Iranian Cyber Actors' Brute Force and Credential Access Activity Compromise Critical Infrastructure.” The advisory highlights known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Iranian cyber threat actors to disrupt organizations across critical infrastructure sectors.

The threat posed by Iranian nation-state actors is one the water sector cannot dismiss, as the operational technology-focused breach at the Municipal Water Authority of Aliquippa in November 2023 showed. That attack was conducted by the Iranian-backed group known as CyberAv3ngers and involved exploitation of vulnerabilities in Israeli-made Unitronics PLCs.

The joint CSA notes that these Iranian actors use brute force and password spraying attacks to compromise user accounts, modify MFA registrations to maintain persistent access, and perform discovery on the compromised networks to obtain additional credentials and identify other points of access. The CSA further points out that the actors act as initial access brokers, selling the obtained credentials and access on cybercriminal forums to other threat actors, who then conduct additional malicious activity.
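The two account-level behaviours described above leave a recognisable shape in identity logs: a single source failing sign-ins against many accounts with only one or two attempts each, and then a new MFA method appearing on an account that source successfully signed into. The script below is an added example, not code from the advisory or from WaterISAC, that runs that detection logic over a handful of constructed sign-in and audit records. The JSON record layout (`ts`, `type`, `user`, `src`, `result`, `method`) is a simplified assumption for the example, not any real identity provider's schema, and the thresholds are illustrative.

```python
"""Flag password spraying and follow-on MFA registration changes in sign-in logs.

Added example with a constructed, simplified log format (not a real Entra ID,
Okta or AD FS schema). Thresholds are illustrative and should be tuned.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. 203.0.113.7 sprays six accounts and gets into one,
# then enrols an MFA method on it; 198.51.100.20 is one user mistyping a password.
SAMPLE_LOG = """\
{"ts":"2024-10-15T02:00:01Z","type":"signin","user":"alice","src":"203.0.113.7","result":"fail"}
{"ts":"2024-10-15T02:00:04Z","type":"signin","user":"bob","src":"203.0.113.7","result":"fail"}
{"ts":"2024-10-15T02:00:09Z","type":"signin","user":"carol","src":"203.0.113.7","result":"fail"}
{"ts":"2024-10-15T02:00:13Z","type":"signin","user":"dave","src":"203.0.113.7","result":"fail"}
{"ts":"2024-10-15T02:00:17Z","type":"signin","user":"erin","src":"203.0.113.7","result":"fail"}
{"ts":"2024-10-15T02:00:22Z","type":"signin","user":"frank","src":"203.0.113.7","result":"success"}
{"ts":"2024-10-15T02:41:00Z","type":"mfa_register","user":"frank","src":"203.0.113.7","method":"authenticator_app"}
{"ts":"2024-10-15T08:10:00Z","type":"signin","user":"grace","src":"198.51.100.20","result":"fail"}
{"ts":"2024-10-15T08:10:30Z","type":"signin","user":"grace","src":"198.51.100.20","result":"fail"}
{"ts":"2024-10-15T08:11:00Z","type":"signin","user":"grace","src":"198.51.100.20","result":"success"}
{"ts":"2024-10-15T09:00:00Z","type":"mfa_register","user":"grace","src":"198.51.100.20","method":"phone"}
"""


def parse_events(text):
    """Parse one JSON record per line into dicts with a tz-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def password_spray_sources(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: distinct_users} for sources whose failed sign-ins inside any
    `window` touch at least `min_users` accounts with at most `max_per_user`
    tries each. That is the spray shape (wide and shallow), as opposed to a
    brute force that hammers a single account and trips lockout."""
    failures = defaultdict(list)
    for ev in events:
        if ev["type"] == "signin" and ev["result"] == "fail":
            failures[ev["src"]].append(ev)
    flagged = {}
    for src, evs in failures.items():
        for i, start in enumerate(evs):          # events are already time-ordered
            per_user = defaultdict(int)
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                per_user[ev["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = max(flagged.get(src, 0), len(per_user))
    return flagged


def mfa_changes_after_spray(events, spray_sources, lookback=timedelta(hours=24)):
    """Pair each successful sign-in from a spraying source with any MFA method
    registered on that account within `lookback` afterwards: the persistence
    step where the actor enrols their own device. Returns (user, src, method)."""
    successes = [e for e in events
                 if e["type"] == "signin" and e["result"] == "success" and e["src"] in spray_sources]
    hits = []
    for ev in events:
        if ev["type"] != "mfa_register":
            continue
        for s in successes:
            if s["user"] == ev["user"] and timedelta(0) <= ev["ts"] - s["ts"] <= lookback:
                hits.append((ev["user"], s["src"], ev["method"]))
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = password_spray_sources(evs)
    print("spraying sources:", sprays)
    for user, src, method in mfa_changes_after_spray(evs, sprays):
        print(f"MFA method '{method}' registered on {user} after sign-in from spraying source {src}")
```

On the sample data only 203.0.113.7 is flagged (five accounts, one attempt each), and the authenticator app enrolled on `frank` forty minutes after that source's successful sign-in is reported; `grace` registering a phone after her own failed attempts is not, because her source never fit the spray pattern. In production the same two joins (spray source to success, success to MFA registration) would run against the identity provider's sign-in and audit logs, and the spray check would normally also look at failures spread across many source addresses, since the advisory's actors rotate infrastructure.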

Emboldened by global conflicts, state-affiliated actors are increasingly using cybercriminals and their tools to achieve their goals. The Microsoft Digital Defense Report 2024, which covers July 2023 through June 2024, documents this trend, showing how nation-state actors from Iran, Russia, and North Korea have run operations aimed at financial profit, recruited cybercriminals to gather intelligence, and used the same infostealers, command and control frameworks, and tools commonly found in the cybercriminal community.

Members are encouraged to review the joint advisory, including the IOCs and TTPs used by these threat actors, and to follow the guidance in its mitigations section. For more details and analysis, visit Bleeping Computer. Access the full joint advisory at CISA.

Previous WaterISAC Coverage of Iranian Cyber Actors

Additional Resources