AmandaLifeHacks

View Original

Who are CyberAv3ngers?

CISA, along with the FBI, NSA, and EPA, has identified Cyber Av3ngers as an Advanced Persistent Threat group affiliated with the Iranian Islamic Revolutionary Guard Corps.

The primary objective of Cyber Av3ngers appears to be geopolitical disruption, targeting primarily Israeli and US infrastructure, with a broader aim of sowing discord and undermining trust in these nations' cybersecurity capabilities.

Expanding Beyond Israel

Initially focusing on Israel, Cyber Av3ngers have expanded their cyber operations to the United States. As detailed in a Check Point Research report, they exploit vulnerabilities in Israeli-made equipment to target US infrastructure. This shift reveals a strategy of dual retaliation, simultaneously targeting the US and Israel.

Documented Attacks

  • Israeli Targets: Starting from 2020, they have claimed various cyberattacks in Israel.

  • Hacking US Industrial Controllers: Focusing on Unitronics’ PLC devices across multiple US states, affecting critical infrastructure sectors.

  • Aliquippa Municipal Water Authority Incident: They were responsible for defacing workstations in Pennsylvania, targeting municipal services over the weekend leading up to November 28, 2023.

  • Control of Booster Station in Raccoon and Potter Townships: Seizing control of a booster station, impacting public utilities and services on Saturday, November 25, 2023​.

Technical Capabilities & Tactics

Cyber Av3ngers exploits vulnerabilities in specific Israeli-made equipment, particularly Unitronics Vision Series PLCs. The group targets PLCs exposed to the public internet, exploiting weak or default passwords.

They use open-source tools to scan and exploit a range of ICS devices and have been known to exploit vulnerabilities like CVE-2023-28130.

The group employs spear-phishing, zero-day exploits, and custom malware. They are known for reconnaissance, privilege escalation, lateral movement, and data exfiltration within target networks.

They use social media platforms to make claims about their attacks, sometimes exaggerating their success to enhance their perceived threat.

Mitigation

To counter these threats, administrators are urged to follow CISA’s recommendations, such as changing default passwords, implementing MFA, disconnecting PLCs from the open internet, and updating PLCs to the latest version. CISA Advisory on Cyber Av3ngers

Summary

Cyber Av3ngers poses a significant cyber threat Their activities underscore the evolving landscape of cyber warfare and the importance of cybersecurity in critical infrastructure.

Sources for Further Reading

  1. Check Point Research Report on Cyber Av3ngers

  2. SentinelOne Analysis of Cyber Av3ngers

  3. SC Media Coverage on Cyber Av3ngers

  4. WaterWorld Report on Cyber Av3ngers' Attacks