| CyberAv3ngers | |
| --- | --- |
| Other Names | CyberAveng3rs |
| Location | Iran |
| Date of initial activity | 2020 |
| Suspected Attribution | State-sponsored threat group |
| Associated Groups | Soldiers of Solomon |
| Government Affiliation | Yes |
| Motivation | Cyberwarfare |
| Associated Tools | Crucio Ransomware |
Overview
CyberAv3ngers is an Advanced Persistent Threat (APT) group associated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Emerging in 2020, CyberAv3ngers has been known for its targeted cyberattacks against critical infrastructure, particularly focusing on Israeli entities. This group, also known under variations like CyberAveng3rs or Cyber Avengers, has been linked to several high-profile attacks and defacement operations, leveraging sophisticated techniques to compromise and manipulate operational technology. Their recent activities include targeting U.S. water and wastewater systems by exploiting vulnerabilities in programmable logic controllers (PLCs), highlighting their ongoing and evolving threat to global infrastructure security.
Upgrade Device Firmware: Ensure that PLCs, particularly Unitronics Vision Series devices, are updated to the latest firmware versions. For instance, VisiLogic version 9.9.00 addresses vulnerabilities related to default passwords. This update requires users to change default passwords, reducing the risk of unauthorized access.
Change Default Passwords: Immediately update default passwords on all PLCs and other critical devices. Use strong, unique passwords to enhance security and prevent exploitation through brute force attacks.
Disconnect from Public Internet: If feasible, disconnect PLCs and other critical infrastructure devices from public-facing internet connections. This reduces the attack surface and mitigates the risk of remote exploitation.
Implement Multifactor Authentication (MFA): Where possible, deploy multifactor authentication for access to OT networks and systems. This adds an additional layer of security beyond just passwords.
Use Firewalls and VPNs: For remote access requirements, use firewalls and virtual private networks (VPNs) to control network access. Ensure that VPNs or gateway devices support multifactor authentication to secure remote connections.
Create Reliable Backups: Regularly create, maintain, and test backups of PLC configurations and logic. This allows for quick recovery in case of a ransomware attack or other forms of cyber intrusion.
Monitor and Update Security Practices: Continuously monitor and update security practices to address new threats and vulnerabilities. Stay informed about the latest security patches and updates from device manufacturers.
Engage with Third-Party Vendors: Ensure that third-party vendors involved in managing or maintaining critical infrastructure devices are also applying recommended security measures to mitigate risks.
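The checklist above can be applied mechanically to an asset inventory. The following is an added example, not code from the original profile or from any vendor: it audits constructed PLC records for the default-password, firmware, exposure, MFA and backup items, using the VisiLogic 9.9.00 version the checklist cites as the threshold (all field names and sample devices are assumptions).

```python
"""Audit a PLC asset inventory against the hardening checklist above.
Added example, not from the original profile: the inventory fields and the
sample devices are constructed; 9.9.00 is the VisiLogic version the checklist cites."""
from dataclasses import dataclass

MIN_VISILOGIC = (9, 9, 0)  # version the checklist cites as forcing a default-password change

@dataclass
class Plc:
    name: str
    firmware: str            # dotted VisiLogic version, e.g. "9.9.00"
    default_password: bool   # still using the vendor default?
    internet_facing: bool    # reachable from the public internet?
    mfa_remote_access: bool  # VPN/gateway in front of it enforces MFA?
    backup_age_days: int     # days since the last logic/config backup

def parse_version(v):
    """'9.9.00' -> (9, 9, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def audit(plc, max_backup_age=30):
    """Return the checklist items this device fails (empty list means compliant)."""
    findings = []
    if plc.default_password:
        findings.append("default password in use")
    if parse_version(plc.firmware) < MIN_VISILOGIC:
        findings.append(f"firmware {plc.firmware} older than 9.9.00")
    if plc.internet_facing:
        findings.append("exposed to the public internet")
        if not plc.mfa_remote_access:
            findings.append("remote access without MFA")
    if plc.backup_age_days > max_backup_age:
        findings.append(f"last backup {plc.backup_age_days} days ago")
    return findings

# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Plc("lift-station-1", "9.8.00", True, True, False, 120),
    Plc("lift-station-2", "9.9.00", False, False, True, 7),
]

def audit_all(inventory=INVENTORY):
    """Map each device name to its list of findings."""
    return {p.name: audit(p) for p in inventory}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "; ".join(findings))
```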
Common targets
Israeli Infrastructure: They have claimed responsibility for cyberattacks against critical infrastructure in Israel, including water, energy, shipping, and distribution sectors.
U.S. Water and Wastewater Systems (WWS) Facilities: More recently, CyberAv3ngers has targeted U.S.-based facilities operating Unitronics Vision Series PLCs, exploiting vulnerabilities in these devices.
Attack Vectors
Brute force attacks
Credential-based attacks
How they operate
At the core of CyberAv3ngers’ tactics is the exploitation of vulnerabilities in operational technology (OT) systems. One of their primary targets has been Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are widely used across various sectors, including water and wastewater systems, energy, food and beverage manufacturing, and healthcare. The group has leveraged default credentials and weak security practices to gain unauthorized access to these devices. By targeting internet-facing PLCs with default passwords, CyberAv3ngers has been able to deface interfaces and potentially disrupt critical operations.
The group’s activities have been linked to the deployment of Crucio ransomware, which has been used to encrypt and lock critical systems. Published indicators of compromise (IOCs) for Crucio include file hashes (MD5, SHA1, and SHA256) and associated IP addresses. The ransomware’s deployment underscores CyberAv3ngers’ ability to combine traditional malware with targeted cyber operations. Additionally, their operations have involved brute force attacks (MITRE ATT&CK technique T1110), in which they systematically guess or crack passwords to gain access to target systems.
CyberAv3ngers’ technical approach also includes defacement tools used to alter the visual presentation of compromised PLC interfaces. This tactic serves not only as a direct form of disruption but also as a psychological operation, sending a political message and asserting control over targeted systems. The defacement often features slogans and statements aligned with the group’s geopolitical motives, such as anti-Israel messages.
MITRE Tactics and Techniques
Brute Force (T1110): The threat actors obtained login credentials through brute force techniques, which they used to gain access to Unitronics PLCs.
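From the defender's side, the T1110 activity described above shows up in VPN or gateway authentication logs as a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not from the original profile: it parses constructed log lines (the format, regex and sample IPs are assumptions) and flags sources that exceed a failure threshold inside a sliding window.

```python
"""Flag brute-force login bursts (ATT&CK T1110) in remote-access logs.
Added example, not from the original profile: the log format, regex and
sample lines are constructed; adapt LINE_RE to your VPN or gateway's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "success_after": bool}} for every source
    that logs at least `threshold` failures inside `window` (a T1110 burst);
    success_after marks a later successful login from the same source."""
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    alerts = {}
    for ev in filter(None, map(parse, lines)):
        src = ev["src"]
        if ev["result"] == "FAIL":
            recent[src] = [t for t in recent[src] if ev["ts"] - t <= window] + [ev["ts"]]
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(recent[src]) >= threshold:
                alerts[src] = {"failures": len(recent[src]), "success_after": False}
        elif src in alerts:
            # A success right after a burst of failures is the pattern to escalate.
            alerts[src]["success_after"] = True
    return alerts

# Constructed sample log using documentation IP ranges (no real hosts).
SAMPLE_LOG = """\
2024-01-10T08:00:01 auth FAIL user=admin src=203.0.113.7
2024-01-10T08:00:03 auth FAIL user=admin src=203.0.113.7
2024-01-10T08:00:05 auth FAIL user=operator src=203.0.113.7
2024-01-10T08:00:07 auth FAIL user=admin src=203.0.113.7
2024-01-10T08:00:09 auth FAIL user=root src=203.0.113.7
2024-01-10T08:00:12 auth OK user=admin src=203.0.113.7
2024-01-10T08:15:00 auth FAIL user=jdoe src=198.51.100.4
2024-01-10T08:15:30 auth OK user=jdoe src=198.51.100.4
""".splitlines()
```

Calling `detect(SAMPLE_LOG)` reports only 203.0.113.7, with five failures and a success after them; the single typo-then-success from 198.51.100.4 stays below the threshold.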