C0031 Unitronics Defacement Campaign
The Unitronics Defacement Campaign was a collection of intrusions across multiple sectors by the CyberAv3ngers, where threat actors engaged in a seemingly opportunistic and global targeting and defacement of Unitronics Vision Series Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs’ HMIs.12
| Item | Value |
|---|---|
| ID | C0031 |
| Associated Names | |
| First Seen | November 2023 |
| Last Seen | November 2023 |
| Version | 1.0 |
| Created | 25 March 2024 |
| Last Modified | 15 April 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Groups
| ID | Name | References |
|---|---|---|
| G1027 | CyberAv3ngers | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| ics | T0812 | Default Credentials | During the Unitronics Defacement Campaign, the CyberAv3ngers discovered and exploited default credentials found on many Unitronics Programmable Logic Controller (PLC) Human-Machine Interface (HMI). For many of these devices, the default password was set to ‘1111’.15 |
| ics | T0814 | Denial of Service | During the Unitronics Defacement Campaign, the CyberAv3ngers defaced controllers’ Human-Machine Interface (HMI), which prevented multiple entities from being able to operate their devices normally.1542 Additionally, the CyberAv3ngers caused a communications failure in a remote pumping station.6 |
| ics | T0883 | Internet Accessible Device | During the Unitronics Defacement Campaign, the CyberAv3ngers exploited devices connected to the public internet, such as internet connected Unitronics Programmable Logic Controller (PLC) with Human-Machine Interface (HMI) and networking equipment such as cellular modems found in OT environments.13 |
| ics | T0826 | Loss of Availability | During the Unitronics Defacement Campaign, the CyberAv3ngers caused multiple businesses to halt operations due to the unavailability of the Programmable Logic Controller (PLC) and Human-Machine Interface (HMI). These victims covered multiple sectors.4 |
| ics | T0828 | Loss of Productivity and Revenue | During the Unitronics Defacement Campaign, the CyberAv3ngers caused multiple businesses to halt operations in their industrial environments, impacting their typical business operations. These victims covered multiple sectors.4 |
| ics | T0829 | Loss of View | During the Unitronics Defacement Campaign, the CyberAv3ngers replaced the existing graphic on the Programmable Logic Controller (PLC) Human-Machine Interface (HMI) with their own, thereby preventing PLC owners and operators from viewing PLC information on the HMI.14 |
References
-
DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024. ↩↩↩↩↩↩
-
Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024. ↩↩
-
Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024. ↩
-
Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024. ↩↩↩↩
-
DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024. ↩↩
-
WPXI. (2023, November 27). Officials investigating cyberattack on Municipal Water Authority of Aliquippa. Retrieved March 25, 2024. ↩