
Internet-exposed OT devices at risk amid geopolitical tensions

Aliquippa Hydroelectric Power Plant Cyberattack Revealed Vulnerabilities in OT Systems

Prajeet Nair (@prajeetspeaks) •
May 30, 2024

Internet-exposed OT devices at risk during Israel-Hamas war
The screen of a Unitronics device hacked in Aliquippa, Pennsylvania, November 25, 2023. (Photo: Aliquippa Municipal Water Authority)

The outbreak of war between Israel and Hamas has led to a sharp increase in the number of cyberattacks on operational technology, Microsoft says in a warning to critical infrastructure operators about the risks of Internet-exposed operational technology.


Participants in the conflict are fighting with conventional weapons, but regional actors have launched proxy cyberattacks, many of which can be linked to Iran (see: Hamas is not fighting a cyberwar).

Systems recently targeted by hackers include OT equipment deployed in various sectors in Israel, including PLCs and HMIs manufactured by large international suppliers, as well as OT equipment from Israel deployed in other countries.

The most high-profile example so far is a November hack by the group CyberAv3ngers, affiliated with the Islamic Revolutionary Guard Corps, against pressure-monitoring equipment used at the Aliquippa hydroelectric plant in Pennsylvania. The attackers hacked into a programmable logic controller from Israeli manufacturer Unitronics and defaced its interface with an anti-Israel message. The attack did not affect water supply or quality, although local media reported that water pressure briefly dropped in two municipalities (see: Water PLCs displayed on the Internet are an easy target for Iran).

Social media posts around the same time showed other Unitronics PLCs displaying the same anti-Israel “has been hacked” message.

“Attackers can gain visibility of Internet-facing OT devices through search engines, identify vulnerable models and open communication ports, and then use contextual metadata to identify devices of particular interest, such as ICS systems at hydropower plants or other critical facilities,” Microsoft said Thursday in a post on its Threat Intelligence blog.

Microsoft’s investigation into the Aliquippa attack revealed a common methodology: hackers look for poorly secured OT devices exposed on the Internet. Investigators used internet scanning tools to identify a specific machine that matched the victim’s profile. This machine, exposed with its dedicated control port open, allowed attackers to reprogram the device, resulting in its destruction.
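The exposure described above (a PLC reachable from the Internet with its control port open) is something an operator can catch in its own firewall or flow logs before an attacker does. The following is an added example for defenders, not code from the article or from Microsoft: it parses a constructed set of flow records, treats only RFC 1918 ranges as internal, and flags every connection from an external address to a watched OT control port, distinguishing connections the firewall allowed (the device is exposed) from ones it blocked (the device is being probed). The log format and the port table are assumptions; 20256 is the Unitronics PCOM/TCP port named in public advisories and 502 is Modbus/TCP, and the watch-list should be adjusted to the protocols in use.

```python
"""Flag Internet-sourced connections to OT control ports in firewall flow logs.

Added example for defenders; the log format, addresses and port table are
constructed/assumed, not taken from the article or from Microsoft.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of firewall flow records (not real data).
# Assumed format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_FLOWS = """\
2023-11-25T02:14:03Z 198.51.100.23:51422 -> 192.168.50.10:20256 tcp allow
2023-11-25T02:14:05Z 10.20.0.5:40211 -> 192.168.50.10:20256 tcp allow
2023-11-25T02:15:11Z 203.0.113.7:33001 -> 192.168.50.10:502 tcp deny
2023-11-25T02:16:40Z 203.0.113.7:33002 -> 192.168.50.10:20256 tcp allow
2023-11-25T02:17:00Z 10.20.0.9:55555 -> 192.168.50.11:443 tcp allow
"""

# Address ranges the organisation considers internal (assumed: RFC 1918 only).
# Listed explicitly rather than using ipaddress.is_private, which also treats
# documentation ranges such as 198.51.100.0/24 as private and would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ports of OT engineering/control protocols to watch. Assumed watch-list:
# 20256 is the Unitronics PCOM/TCP port cited in public advisories, 502 is Modbus/TCP.
OT_CONTROL_PORTS = {20256: "Unitronics PCOM/TCP", 502: "Modbus/TCP"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol_name: str
    severity: str  # "exposed" (connection allowed) or "probe" (blocked at the firewall)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return (ts, src_ip, dst_ip, dst_port, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts, src, _, dst, _proto, action = parts
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return ts, src_ip, dst_ip, int(dst_port), action
    except ValueError:
        return None


def detect_exposed_ot(flow_text: str) -> list[Finding]:
    """Flag every flow from a non-internal source to a watched OT control port.

    An allowed flow means the control port is reachable from the Internet (the
    condition behind the Aliquippa incident); a denied flow still shows the
    device is being probed from outside and is worth auditing.
    """
    findings = []
    for line in flow_text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src_ip, dst_ip, dst_port, action = parsed
        if dst_port not in OT_CONTROL_PORTS or is_internal(src_ip):
            continue
        severity = "exposed" if action == "allow" else "probe"
        findings.append(Finding(ts, src_ip, dst_ip, dst_port, OT_CONTROL_PORTS[dst_port], severity))
    return findings


def exposed_devices(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each device that accepted an external control-port connection to the sources seen."""
    devices: dict[str, set[str]] = {}
    for f in findings:
        if f.severity == "exposed":
            devices.setdefault(f.dst_ip, set()).add(f.src_ip)
    return devices


if __name__ == "__main__":
    results = detect_exposed_ot(SAMPLE_FLOWS)
    for f in results:
        print(f"{f.ts} {f.severity:8} {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({f.protocol_name})")
    for dev, srcs in exposed_devices(results).items():
        print(f"{dev}: control port reachable from {len(srcs)} external source(s); "
              "remove from the Internet or place behind a VPN/jump host")
```

Run against the sample, the script reports three findings for the PLC at 192.168.50.10: two allowed PCOM connections from external addresses (the device is exposed) and one blocked Modbus attempt (a probe). The internal engineering-workstation connection and the unrelated HTTPS flow are ignored. Any device listed in the "exposed" summary is in the same position as the Aliquippa controller and should be taken off the Internet, placed behind a VPN or jump host, and have its default credentials changed.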

In response to this attack, the US Treasury Department imposed sanctions on officials of Iran’s Cyber-Electronics Command.

This trend continued in 2024, when pro-Russian hacktivists launched similar attacks on OT systems in the US water sector. In May, the US Cybersecurity and Infrastructure Security Agency issued an advisory warning about recurring vulnerabilities in these systems.