{
	"id": "fc67a4b0-ed47-4400-b92d-5f7a562ac05f",
	"created_at": "2026-04-06T00:07:28.912626Z",
	"updated_at": "2026-04-10T13:12:26.524623Z",
	"deleted_at": null,
	"sha1_hash": "06e3d21155b659d4dc0b7c6227c9ef41cb3d8e58",
	"title": "Florida water agency latest to confirm cyber incident as feds warn of nation-state attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78345,
	"plain_text": "Florida water agency latest to confirm cyber incident as feds warn\r\nof nation-state attacks\r\nBy Jonathan Greig\r\nPublished: 2023-12-04 · Archived: 2026-04-05 23:40:48 UTC\r\nA regulatory agency in Florida that oversees the long-term supply of drinking water confirmed that it responded to\r\na cyberattack over the last week as the top cybersecurity agencies in the U.S. warned of foreign attacks on water\r\nutilities.\r\nA spokesperson for the St. Johns River Water Management District, which works closely with utilities on water\r\nsupply issues, confirmed that it “identified suspicious activity in its information technology environment” and that\r\n“containment measures have been successfully implemented.”\r\nThe agency does not have direct control over water utility technology.\r\nOn Friday, a ransomware gang said it attacked the organization, providing samples of what it stole. The\r\ncybercriminals did not say how much total data was taken in the attack.\r\nMost of the work by the St. Johns River Water Management District is centered around educating the public about\r\nwater conservation, setting rules for water use, conducting research, collecting data, restoring and protecting water\r\nabove and below the ground, and preserving natural areas.\r\n“The District is actively monitoring its IT networks to ensure there is no ongoing, malicious persistence,” the\r\nagency spokesperson said. “Accordingly, the District is continuing its normal business operations. Until our\r\ninvestigation is complete, we are unable to comment further.”\r\nIRGC attacks on Unitronics\r\nThe attack comes after U.S. 
officials raised alarms last week about several incidents involving companies\r\ninvolved in water treatment and distribution.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) said it is responding to the active exploitation of\r\nUnitronics programmable logic controllers (PLCs) used by many organizations in the water sector.\r\nCISA linked the advisory to a notice from the Water Information Sharing and Analysis Center (WaterISAC) about\r\nan attack on a water utility in Pennsylvania reported November 26.\r\nAnother water utility serving 2 million people in North Texas said Tuesday that it is also dealing with a\r\ncybersecurity incident that caused operational issues, but officials did not say if it was related to issues with\r\nUnitronics PLCs.\r\nCNN reported late last week that CISA told Senate and House staffers on Thursday that “less than 10” water\r\nfacilities in different parts of the US have faced cyberattacks in recent days.\r\nhttps://therecord.media/florida-water-agency-ransomware-cisa-warning-utilities\r\nPage 1 of 3\n\nThe hackers behind the incident in Pennsylvania have filled their social media feed with references to the leaders\r\nof Iran and have pledged to attack any entities with products or ties to Israel — already touting attacks on 10 water\r\ntreatment plants in Israel.\r\nBy Friday, CISA worked with the FBI, National Security Agency (NSA), Environmental Protection Agency\r\n(EPA), and the Israel National Cyber Directorate (INCD) to release an advisory warning that hackers — who go\r\nby the name CyberAv3ngers — are connected to the Iranian government’s Islamic Revolutionary Guard Corps\r\n(IRGC).\r\nThe group is “actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic\r\ncontrollers (PLCs),” the advisory says.\r\nThe agencies said hackers affiliated with the IRGC have compromised default credentials in Unitronics devices\r\nsince at least November 22 and explicitly claim that their 
motivation is to target anything associated with Israel,\r\naccording to defacement images seen by U.S. authorities.\r\nThe kind of Unitronics devices being attacked are often exposed to the internet due to the remote nature of their\r\ncontrol and monitoring functionalities, they explained.\r\nAt least 539 Unitronics PLC instances (port 20256/tcp) still publicly exposed worldwide (2023-12-02\r\nscan). Unitronics PLC instances have been targeted recently as part of attacks against Water \u0026\r\nWastewater systems. (see @CISACyber @WaterISAC alert: https://t.co/OywIVYxo8o)\r\npic.twitter.com/XgYrRZbfBm\r\n— Shadowserver (@Shadowserver) December 3, 2023\r\n“The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative.\r\nWith this type of access, deeper device and network level accesses are available and could render additional, more\r\nprofound cyber physical effects on processes and equipment,” they said.\r\nWhile the U.S. campaign began in November, the hackers have been active since at least September, claiming on\r\ntheir Telegram channel both legitimate and false attacks against Israeli PLCs in the water, energy, shipping, and\r\ndistribution sectors.\r\nCybersecurity nonprofit Shadowserver Foundation said that through its research tool, they found at least 539\r\nUnitronics PLC instances still publicly exposed worldwide.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. 
Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/florida-water-agency-ransomware-cisa-warning-utilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/florida-water-agency-ransomware-cisa-warning-utilities"
	],
	"report_names": [
		"florida-water-agency-ransomware-cisa-warning-utilities"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06e3d21155b659d4dc0b7c6227c9ef41cb3d8e58.pdf",
		"text": "https://archive.orkl.eu/06e3d21155b659d4dc0b7c6227c9ef41cb3d8e58.txt",
		"img": "https://archive.orkl.eu/06e3d21155b659d4dc0b7c6227c9ef41cb3d8e58.jpg"
	}
}