{
	"id": "ec00ab35-59c5-45b9-933d-639bce3e649d",
	"created_at": "2026-04-06T00:11:26.913766Z",
	"updated_at": "2026-04-10T03:25:41.227055Z",
	"deleted_at": null,
	"sha1_hash": "33e401ef448d055e42873f72f3a8de2892958267",
	"title": "Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38599,
	"plain_text": "Breaches by Iran-affiliated hackers spanned multiple U.S. states,\r\nfederal agencies say\r\nBy By  FRANK BAJAK and MARC LEVY\r\nPublished: 2023-12-02 · Archived: 2026-04-05 19:01:39 UTC\r\nUpdated 6:08 PM UTC, December 2, 2023\r\nHARRISBURG, Pa. (AP) — A small western Pennsylvania water authority was just one of multiple organizations\r\nbreached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it\r\nis Israeli-made, U.S. and Israeli authorities say.\r\n“The victims span multiple U.S. states,” the FBI, the Environmental Protection Agency, the Cybersecurity and\r\nInfrastructure Security Agency, known as CISA, as well as Israel’s National Cyber Directorate said in an advisory\r\nemailed to The Associated Press late Friday.\r\nThey did not say how many organizations were hacked or otherwise describe them.\r\nMatthew Mottes, the chairman of the Municipal Water Authority of Aliquippa, which discovered it had been\r\nhacked on Nov. 25, said Thursday that federal officials had told him the same group also breached four other\r\nutilities and an aquarium.\r\nCybersecurity experts say that while there is no evidence of Iranian involvement in the Oct. 7 attack into Israel by\r\nHamas that triggered the war in Gaza they expected state-backed Iranian hackers and pro-Palestinian hacktivists to\r\nstep up cyberattacks on Israeli and its allies in its aftermath. And indeed that has happened.\r\nThe multiagency advisory explained what CISA had not when it confirmed the Pennsylvania hack on Wednesday\r\n— that other industries outside water and water-treatment facilities use the same equipment — Vision Series\r\nprogrammable logic controllers made by Unitronics — and were also potentially vulnerable.\r\nThose industries include “energy, food and beverage manufacturing and healthcare,” the advisory says. The\r\ndevices regulate processes including pressure, temperature and fluid flow.\r\nThe Aliquippa hack promoted workers to temporarily halt pumping in a remote station that regulates water\r\npressure for two nearby towns, leading crews to switch to manual operation. The hackers left a digital calling card\r\non the compromised device saying all Israeli-made equipment is “a legal target.”\r\nThe multiagency advisory said it was not known if the hackers had tried to penetrate deeper into breached\r\nnetworks. The access they did get enabled “more profound cyber physical effects on processes and equipment,” it\r\nsaid.\r\nThe advisory says the hackers, who call themselves “Cyber Av3ngers,” are affiliated with Iran’s Islamic\r\nRevolutionary Guards Corps, which the U.S. designated as a foreign terrorist organization in 2019. The group\r\nhttps://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b\r\nPage 1 of 2\n\ntargeted the Unitronics devices at least since Nov. 22, it said.\r\nAn online search Saturday with the Shodan service identified more than 200 such internet-connected devices in\r\nthe U.S. and more than 1,700 globally.\r\nThe advisory notes that Unitronics devices ship with a default password, a practice experts discourage as it makes\r\nthem more vulnerable to hacking. Best practices call for devices to require a unique password to be created out of\r\nthe box. It says the hackers likely accessed affected devices by “exploiting cybersecurity weaknesses, including\r\npoor password security and exposure to the internet.”\r\nExperts say many water utilities have paid insufficient attention to cybersecurity.\r\nIn response to the Aliquippa hack, three Pennsylvania congressmen asked the U.S. Justice Department in a letter\r\nto investigate. Americans must know their drinking water and other basic infrastructure is safe from “nation-state\r\nadversaries and terrorist organizations,” U.S. Sens. John Fetterman and Bob Casey and U.S. Rep. Chris Deluzio\r\nsaid. Cyber Av3ngers claimed in an Oct. 30 social media post to have hacked 10 water treatment stations in Israel,\r\nthough it is not clear if they shut down any equipment.\r\nSince the beginning of the Israel-Hamas war, the group has expanded and accelerated targeting Israeli critical\r\ninfrastructure, said Check Point’s Sergey Shykevich. Iran and Israel were engaged in low-level cyberconflict prior\r\nto the Oct. 7. Unitronics has not responded to the AP queries about the hacks.\r\nThe attack came less than a month after a federal appeals court decision prompted the EPA to rescind a rule that\r\nwould have obliged U.S public water systems to include cybersecurity testing in their regular federally mandated\r\naudits. The rollback was triggered by a federal appeals court decision in a case brought by Missouri, Arkansas and\r\nIowa, and joined by a water utility trade group.\r\nThe Biden administration has been trying to shore up cybersecurity of critical infrastructure — more than 80% of\r\nwhich is privately owned — and has imposed regulations on sectors including electric utilities, gas pipelines and\r\nnuclear facilities. But many experts complain that too many vital industries are permitted to self-regulate.\r\nSource: https://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b\r\nhttps://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b"
	],
	"report_names": [
		"hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "daf2219f-08f1-44ef-9245-9a062ceff7a4",
			"created_at": "2023-11-08T02:00:07.120507Z",
			"updated_at": "2026-04-10T02:00:03.419124Z",
			"deleted_at": null,
			"main_name": "Cyber Av3ngers",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Av3ngers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791541,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33e401ef448d055e42873f72f3a8de2892958267.pdf",
		"text": "https://archive.orkl.eu/33e401ef448d055e42873f72f3a8de2892958267.txt",
		"img": "https://archive.orkl.eu/33e401ef448d055e42873f72f3a8de2892958267.jpg"
	}
}