G1027 CyberAv3ngers
The CyberAv3ngers are a suspected Iranian, Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The group has been active since at least 2020 and has made disputed and false claims of critical infrastructure compromises in Israel.[1]
In 2023, the CyberAv3ngers conducted a global campaign targeting Unitronics Programmable Logic Controllers (PLCs) with integrated Human-Machine Interfaces (HMIs). These PLCs are deployed in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of the campaign was the defacement of the devices' user interface.[1]
| Item | Value |
|---|---|
| ID | G1027 |
| Associated Names | Soldiers of Soloman |
| Version | 1.0 |
| Created | 25 March 2024 |
| Last Modified | 10 April 2024 |
Associated Group Descriptions
| Name | Description |
|---|---|
| Soldiers of Soloman | CyberAv3ngers reportedly has connections to the IRGC-linked group Soldiers of Solomon.[1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| ics | T0812 | Default Credentials | During the Unitronics Defacement Campaign, the CyberAv3ngers discovered and exploited default credentials on many Unitronics Programmable Logic Controller (PLC) Human-Machine Interfaces (HMIs). On many of these devices the default password was ‘1111’.[1][3] |
| ics | T0814 | Denial of Service | During the Unitronics Defacement Campaign, the CyberAv3ngers defaced controllers’ Human-Machine Interfaces (HMIs), which prevented multiple entities from operating their devices normally.[1][3][2][4] Additionally, the CyberAv3ngers caused a communications failure at a remote pumping station.[5] |
| ics | T0883 | Internet Accessible Device | During the Unitronics Defacement Campaign, the CyberAv3ngers exploited devices exposed to the public internet, including internet-connected Unitronics Programmable Logic Controller (PLC) Human-Machine Interface (HMI) units and networking equipment such as cellular modems found in OT environments.[1][6] |
| ics | T0826 | Loss of Availability | During the Unitronics Defacement Campaign, the CyberAv3ngers caused multiple businesses to halt operations because their Programmable Logic Controller (PLC) and Human-Machine Interface (HMI) were unavailable. These victims spanned multiple sectors.[2] |
| ics | T0828 | Loss of Productivity and Revenue | During the Unitronics Defacement Campaign, the CyberAv3ngers caused multiple businesses to halt operations in their industrial environments, disrupting their normal business operations. These victims spanned multiple sectors.[2] |
| ics | T0829 | Loss of View | During the Unitronics Defacement Campaign, the CyberAv3ngers replaced the existing graphic on the Programmable Logic Controller (PLC) Human-Machine Interface (HMI) with their own, preventing PLC owners and operators from viewing PLC information on the HMI.[1][2] |
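The two preconditions the campaign relied on, PLC/HMI services reachable from the internet (T0883) and the factory default password (T0812), are both things an operator can audit from data already on hand. The following Python is an added illustration, not code from MITRE, CISA or Unitronics: it checks a firewall log for allowed sessions from external addresses to PLC ports on OT hosts, and checks an HMI inventory for the ‘1111’ default or short passwords. The log format, the OT subnet, the inventory entries and the RFC 1918 "internal" ranges are constructed assumptions; TCP/20256 is assumed to be the Unitronics PCOM service port that the CISA advisory cited as reference 1 recommends changing, TCP/502 (Modbus) is included as a common PLC port, and the 16-character minimum is an assumed local policy value.

```python
"""Audit helpers for the two preconditions of the Unitronics defacement campaign:
internet-reachable PLC/HMI services (T0883) and default credentials (T0812).
Added illustration; the log format, inventory and network ranges are constructed."""
import ipaddress
import re

# Assumption: the site's internal address space is RFC 1918; anything else is external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the OT/PLC subnet of the monitored site (constructed value).
OT_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# Assumption: 20256/tcp is the Unitronics PCOM port named in the CISA advisory (reference 1);
# 502/tcp (Modbus) is a common PLC port. Both are TCP, so UDP hits are ignored below.
PLC_PORTS = {20256, 502}

# The default password the campaign abused, per the technique table on this page,
# plus an assumed minimum length for replacement passwords.
DEFAULT_PASSWORDS = {"1111"}
MIN_PASSWORD_LENGTH = 16

_KV = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line):
    """Parse a constructed key=value firewall log line into a dict."""
    return dict(_KV.findall(line))


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def internet_exposed_plc_sessions(lines):
    """Return (src, dst, dpt) for allowed TCP sessions from external sources
    to PLC ports on OT hosts; malformed records are skipped."""
    hits = []
    for line in lines:
        rec = parse_fw_line(line)
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            dpt = int(rec["dpt"])
        except (KeyError, ValueError):
            continue  # missing field or non-IP value
        if rec.get("action") != "allow" or rec.get("proto") != "tcp":
            continue
        if _in_any(src, INTERNAL_NETWORKS):
            continue  # internal-to-internal traffic is out of scope for T0883
        if _in_any(dst, OT_NETWORKS) and dpt in PLC_PORTS:
            hits.append((str(src), str(dst), dpt))
    return hits


def weak_hmi_credentials(inventory):
    """Return names of assets whose HMI password is a known default or too short."""
    weak = []
    for asset in inventory:
        pw = asset.get("password", "")
        if pw in DEFAULT_PASSWORDS or len(pw) < MIN_PASSWORD_LENGTH:
            weak.append(asset["name"])
    return weak


# Constructed sample data (not real logs or devices).
SAMPLE_LOG = [
    "2023-11-25T03:12:44Z fw01 action=allow proto=tcp src=198.51.100.23 spt=51234 dst=10.20.30.5 dpt=20256",
    "2023-11-25T03:12:45Z fw01 action=allow proto=tcp src=10.20.1.15 spt=40000 dst=10.20.30.5 dpt=20256",
    "2023-11-25T03:13:01Z fw01 action=deny proto=tcp src=198.51.100.23 spt=51235 dst=10.20.30.6 dpt=20256",
    "2023-11-25T03:14:10Z fw01 action=allow proto=tcp src=198.51.100.23 spt=51236 dst=10.20.30.7 dpt=443",
    "2023-11-25T03:15:00Z fw01 action=allow proto=udp src=198.51.100.40 spt=5000 dst=10.20.30.5 dpt=502",
]
SAMPLE_INVENTORY = [
    {"name": "booster-pump-plc", "password": "1111"},
    {"name": "chlorinator-plc", "password": "Xy7!qL9#mTz2@vBw"},
    {"name": "filter-bank-plc", "password": "water2023"},
]

if __name__ == "__main__":
    for hit in internet_exposed_plc_sessions(SAMPLE_LOG):
        print("T0883 exposure:", hit)
    for name in weak_hmi_credentials(SAMPLE_INVENTORY):
        print("T0812 default/weak credential:", name)
```

Only the first log line is reported: the second is internal traffic, the third was denied, the fourth is not a PLC port, and the fifth is UDP. Of the inventory, the controller still on ‘1111’ and the one on a nine-character password are flagged; in a real deployment the inventory would come from the HMI configuration export rather than a list embedded in the script.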
References
1. DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.
2. Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.
3. DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.
4. Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024.
5. WPXI. (2023, November 27). Officials investigating cyberattack on Municipal Water Authority of Aliquippa. Retrieved March 25, 2024.
6. Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024.