
Iran-Linked Hackers Penetrate US States and Federal Agencies, Authorities Confirm

21:17 02.12.2023

A small water authority in western Pennsylvania was among numerous organizations in the United States that fell victim to a cyberattack orchestrated by Iran-affiliated hackers. The hackers targeted the organizations because they used a particular Israeli-made industrial control device, according to U.S. and Israeli authorities. The FBI, Environmental Protection Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Israel's National Cyber Directorate released a joint advisory stating that the victims of the breach were spread across multiple states, although no specific details about the organizations were provided.

The Municipal Water Authority of Aliquippa, which first discovered the breach on November 25, said federal officials had informed it that the same hacker group had targeted four other utilities and an aquarium. Although there is no evidence of Iranian involvement in the Hamas attack on Israel on October 7, cybersecurity experts anticipated an increase in cyberattacks from state-backed Iranian hackers and pro-Palestinian hacktivists against Israel and its allies following the conflict. As predicted, such incidents have indeed occurred.

The advisory provided further insight into the Pennsylvania hack, confirming that industries beyond water and water-treatment facilities were also at risk. These industries included energy, food and beverage manufacturing, and healthcare. The devices targeted by the hackers, Vision Series programmable logic controllers made by the Israeli company Unitronics, are used to regulate processes such as pressure, temperature, and fluid flow. The breach in Aliquippa led to temporary pumping halts at a remote station responsible for water pressure regulation in two nearby towns, prompting manual operation by the maintenance crew.

The hackers left a digital calling card on the compromised device, asserting that all Israeli-made equipment was a "legal target." While it remains unclear whether the hackers attempted to penetrate deeper into the breached networks, the advisory disclosed that the hackers, self-identifying as "Cyber Av3ngers," were affiliated with Iran's Islamic Revolutionary Guards Corps, which the U.S. designated as a foreign terrorist organization in 2019. The group had been targeting Unitronics devices since at least November 22. A search using the Shodan service revealed the presence of over 200 internet-connected devices of this kind in the U.S. and more than 1,700 globally.

The advisory also highlighted a security vulnerability related to Unitronics devices. These devices were shipped with a default password, a practice experts discourage as it increases the likelihood of hacking. Best practices suggest that devices should require users to create a unique password upon initial use. The hackers were likely able to access the compromised devices by exploiting weaknesses in cybersecurity, including poor password security and exposure to the internet.

In response to the Aliquippa hack, three Pennsylvania congressmen wrote a letter to the U.S. Justice Department, urging an investigation into the matter. Senators John Fetterman and Bob Casey, along with Representative Chris Deluzio, emphasized the importance of ensuring the safety of drinking water and other critical infrastructure from potential threats posed by nation-state adversaries and terrorist organizations.

Cyber Av3ngers claimed in an October 30 social media post to have hacked ten water treatment stations in Israel, but it remains unclear whether they were able to disrupt any equipment. Unitronics did not respond to the AP's queries regarding the hacks.

This attack occurred less than a month after a federal appeals court ruling prompted the EPA to withdraw a rule that would have required cybersecurity testing in regular federally mandated audits for U.S. public water systems. The court decision, resulting from a case filed by Missouri, Arkansas, and Iowa and supported by a water utility trade group, led to the rollback of the rule. The Biden administration has been striving to enhance the cybersecurity of critical infrastructure, most of which is privately owned, and has imposed regulations on sectors such as electric utilities, gas pipelines, and nuclear facilities. However, many experts argue that too many critical industries are allowed to self-regulate.

The breach enabled the hackers to inflict more profound cyber and physical effects on processes and equipment. Water utilities, in general, have been criticized for not prioritizing cybersecurity adequately. Since the beginning of the Israel-Hamas conflict, the hacking group has intensified its targeting of Israeli critical infrastructure, as stated by Sergey Shykevich from Check Point. Prior to the October incident, Iran and Israel had already engaged in a low-level cyber conflict.
