Who are CyberAv3ngers?

In the NewsCybersecurity
Written By Amanda Sue Walker
a digitized map of the world

CISA, along with the FBI, NSA, and EPA, has identified Cyber Av3ngers as an Advanced Persistent Threat group affiliated with the Iranian Islamic Revolutionary Guard Corps.

The primary objective of Cyber Av3ngers appears to be geopolitical disruption, targeting primarily Israeli and US infrastructure, with a broader aim of sowing discord and undermining trust in these nations' cybersecurity capabilities.

Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data.
— The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment

Expanding Beyond Israel

Initially focusing on Israel, Cyber Av3ngers have expanded their cyber operations to the United States. As detailed in a Check Point Research report, they exploit vulnerabilities in Israeli-made equipment to target US infrastructure. This shift reveals a strategy of dual retaliation, simultaneously targeting the US and Israel.

Documented Attacks

  • Israeli Targets: Starting from 2020, they have claimed various cyberattacks in Israel.

  • Hacking US Industrial Controllers: Focusing on Unitronics’ PLC devices across multiple US states, affecting critical infrastructure sectors.

  • Aliquippa Municipal Water Authority Incident: They were responsible for defacing workstations in Pennsylvania, targeting municipal services over the weekend leading up to November 28, 2023.

  • Control of Booster Station in Raccoon and Potter Townships: Seizing control of a booster station, impacting public utilities and services on Saturday, November 25, 2023​.

Technical Capabilities & Tactics

Cyber Av3ngers exploits vulnerabilities in specific Israeli-made equipment, particularly Unitronics Vision Series PLCs. The group targets PLCs exposed to the public internet, exploiting weak or default passwords.

Artistic rendering of a Programmable Logic Controller with neon glowing components.

They use open-source tools to scan and exploit a range of ICS devices and have been known to exploit vulnerabilities like CVE-2023-28130.

The group employs spear-phishing, zero-day exploits, and custom malware. They are known for reconnaissance, privilege escalation, lateral movement, and data exfiltration within target networks.

They use social media platforms to make claims about their attacks, sometimes exaggerating their success to enhance their perceived threat.

Mitigation

To counter these threats, administrators are urged to follow CISA’s recommendations, such as changing default passwords, implementing MFA, disconnecting PLCs from the open internet, and updating PLCs to the latest version. CISA Advisory on Cyber Av3ngers

Summary

Cyber Av3ngers poses a significant cyber threat Their activities underscore the evolving landscape of cyber warfare and the importance of cybersecurity in critical infrastructure.

Sources for Further Reading

  1. Check Point Research Report on Cyber Av3ngers

  2. SentinelOne Analysis of Cyber Av3ngers

  3. SC Media Coverage on Cyber Av3ngers

  4. WaterWorld Report on Cyber Av3ngers' Attacks

Amanda Sue Walker https://TheLyonsBrand.Com
Previous

Economics of Cybersecurity: Insights from the Colonial Pipeline Incident
Next

The Next Wave of AI is Coming: Project Q*