CyberAv3ngers (Cyber Avengers) Threat Actor

January 23, 2025
in APT, Threat Actors

CyberAv3ngers

Other Names

CyberAveng3rs
Cyber Avengers

Location

Iran

Date of initial activity

2020

Suspected Attribution

State-sponsored threat group

Associated Groups

Soldiers of Solomon

Government Affiliation

Yes

Motivation

Cyberwarfare

Associated Tools

Crucio Ransomware

Overview

CyberAv3ngers is an Advanced Persistent Threat (APT) group associated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Emerging in 2020, CyberAv3ngers has been known for its targeted cyberattacks against critical infrastructure, particularly focusing on Israeli entities. This group, also known under variations like CyberAveng3rs or Cyber Avengers, has been linked to several high-profile attacks and defacement operations, leveraging sophisticated techniques to compromise and manipulate operational technology. Their recent activities include targeting U.S. water and wastewater systems by exploiting vulnerabilities in programmable logic controllers (PLCs), highlighting their ongoing and evolving threat to global infrastructure security.

Mitigations

  • Upgrade Device Firmware: Ensure that PLCs, particularly Unitronics Vision Series devices, are updated to the latest firmware versions. For instance, VisiLogic version 9.9.00 addresses vulnerabilities related to default passwords. This update requires users to change default passwords, reducing the risk of unauthorized access.
  • Change Default Passwords: Immediately update default passwords on all PLCs and other critical devices. Use strong, unique passwords to enhance security and prevent exploitation through brute force attacks.
  • Disconnect from Public Internet: If feasible, disconnect PLCs and other critical infrastructure devices from public-facing internet connections. This reduces the attack surface and mitigates the risk of remote exploitation.
  • Implement Multifactor Authentication (MFA): Where possible, deploy multifactor authentication for access to OT networks and systems. This adds an additional layer of security beyond just passwords.
  • Use Firewalls and VPNs: For remote access requirements, use firewalls and virtual private networks (VPNs) to control network access. Ensure that VPNs or gateway devices support multifactor authentication to secure remote connections.
  • Create Strong Backups: Regularly create and maintain strong backups of PLC configurations and logic. This allows for quick recovery in case of a ransomware attack or other forms of cyber intrusion.
  • Monitor and Update Security Practices: Continuously monitor and update security practices to address new threats and vulnerabilities. Stay informed about the latest security patches and updates from device manufacturers.
  • Engage with Third-Party Vendors: Ensure that third-party vendors involved in managing or maintaining critical infrastructure devices are also applying recommended security measures to mitigate risks.
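As an added illustration (not code from the original profile or from the referenced advisory), the following Python audit applies the mitigations above to a constructed PLC inventory; the device fields, the backup-age threshold and the sample records are assumptions made for this example.

```python
"""Audit a constructed PLC inventory against the mitigations listed above.

Each check maps to one recommendation: firmware at or above VisiLogic 9.9.00,
no factory default password, no direct public-internet exposure, MFA on the
remote-access path, and a recent backup of logic/configuration.
Inventory records and thresholds are constructed for this example.
"""
from dataclasses import dataclass

MIN_VISILOGIC = (9, 9, 0)  # VisiLogic 9.9.00 forces a default-password change


@dataclass
class Plc:
    name: str
    visilogic_version: str   # e.g. "9.8.65" (constructed value)
    default_password: bool   # still running with the factory password?
    internet_facing: bool    # reachable from the public internet?
    remote_access_mfa: bool  # MFA enforced on the VPN/gateway in front of it
    last_backup_days: int    # age in days of the newest logic/config backup


def parse_version(v: str) -> tuple:
    """'9.9.00' -> (9, 9, 0); non-digit suffixes such as '-rc' are ignored."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(plc: Plc, max_backup_age_days: int = 30) -> list:
    """Return the list of unmet mitigations for one device (empty = compliant)."""
    findings = []
    if parse_version(plc.visilogic_version) < MIN_VISILOGIC:
        findings.append("firmware below VisiLogic 9.9.00")
    if plc.default_password:
        findings.append("default password still set")
    if plc.internet_facing:
        findings.append("directly reachable from the public internet")
    if plc.internet_facing and not plc.remote_access_mfa:
        findings.append("remote access path has no MFA")
    if plc.last_backup_days > max_backup_age_days:
        findings.append("no recent backup of PLC logic/configuration")
    return findings


# Constructed inventory: one non-compliant device, one compliant device.
INVENTORY = [
    Plc("wws-pump-1", "9.8.65", True, True, False, 120),
    Plc("wws-pump-2", "9.9.00", False, False, True, 7),
]


def risky_devices(inventory=INVENTORY) -> dict:
    """Map each non-compliant device name to its findings."""
    return {p.name: audit(p) for p in inventory if audit(p)}
```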

Common targets

  • Israeli Infrastructure: They have claimed responsibility for cyberattacks against critical infrastructure in Israel, including water, energy, shipping, and distribution sectors.
  • U.S. Water and Wastewater Systems (WWS) Facilities: More recently, CyberAv3ngers has targeted U.S.-based facilities operating Unitronics Vision Series PLCs, exploiting vulnerabilities in these devices.

Attack Vectors

  • Brute-force attacks
  • Credential-based attacks

How they operate

At the core of CyberAv3ngers’ tactics is the exploitation of vulnerabilities in operational technology (OT) systems. One of their primary targets has been Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are widely used across various sectors, including water and wastewater systems, energy, food and beverage manufacturing, and healthcare. The group has leveraged default credentials and weak security practices to gain unauthorized access to these devices. By targeting internet-facing PLCs with default passwords, CyberAv3ngers has been able to deface interfaces and potentially disrupt critical operations.

The group’s activities have been linked to the deployment of Crucio ransomware, which has been used to encrypt and lock critical systems. Indicators of compromise (IOCs) associated with Crucio include specific MD5, SHA1, and SHA256 hashes, as well as associated IP addresses. The ransomware’s deployment underscores CyberAv3ngers’ ability to integrate traditional malware techniques with targeted cyber operations. Additionally, their operations have involved brute force attacks (MITRE ATT&CK technique T1110), which they use to systematically guess or crack passwords, gaining access to compromised systems.

CyberAv3ngers’ technical approach also includes defacement tools used to alter the visual presentation of compromised PLC interfaces. This tactic serves not only as a direct form of disruption but also as a psychological operation, sending a political message and asserting control over targeted systems. The defacement often features slogans and statements aligned with the group’s geopolitical motives, such as anti-Israel messages.

MITRE Tactics and Techniques

Brute Force (T1110): The threat actors obtained login credentials through brute force techniques, which they used to gain access to Unitronics PLCs.

References:
  • IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities