{
	"id": "e5576386-4e70-415a-9294-bf0e1750ca09",
	"created_at": "2026-04-06T00:19:29.259498Z",
	"updated_at": "2026-04-10T03:30:57.12605Z",
	"deleted_at": null,
	"sha1_hash": "43437ca229f69672819bf00a4d930cbe4a2ee195",
	"title": "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159961,
	"plain_text": "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors,\r\nIncluding US Water and Wastewater Systems Facilities | CISA\r\nPublished: 2024-12-18 · Archived: 2026-04-05 20:15:02 UTC\r\n1. Address operational technology connected insecurely to the internet.\r\n2. Implement multifactor authentication.\r\n3. Use strong, unique passwords.\r\n4. Check PLCs for default or no passwords.\r\nSummary\r\nNote: This updated joint Cybersecurity Advisory reflects new investigative and analytic insights for network\r\ndefenders on malicious cyber activities conducted by advanced persistent threat (APT) cyber actors affiliated with\r\nthe Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). This advisory includes recent and\r\nhistorically observed tactics, techniques, and procedures (TTPs) to help organizations protect their critical\r\ninfrastructure systems against such activities.\r\nOriginally published Dec. 1, 2023, updates to this advisory include:\r\nDec. 18, 2024\r\nNew information on the extent of the activity, including newly observed TTPs employed by IRGC-affiliated APT cyber actors targeting U.S. and global critical infrastructure.\r\nMapping of these newly observed TTPs to additional MITRE ATT\u0026CK® Tactics and Techniques.\r\nNew recommended mitigations that organizations should take to protect their infrastructure, based\r\non the new TTPs.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the\r\nNational Security Agency (NSA), the Environmental Protection Agency (EPA), the Israel National Cyber\r\nDirectorate (INCD), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber\r\nSecurity Centre (NCSC)—hereafter referred to as “the authoring agencies”—are releasing this updated joint\r\nadvisory to warn network defenders of continued malicious cyber activity by IRGC-affiliated APT cyber\r\nactors. 
This joint advisory provides TTPs obtained from extensive FBI investigation on this activity.\r\nBackground Information\r\nThe Iranian Government charged the IRGC, an armed force, with defending Iran’s revolutionary regime from\r\nperceived internal and external threats. The IRGC is designated as a foreign terrorist organization by the United\r\nStates and Canada. In November 2023, IRGC-affiliated cyber actors using the persona “CyberAv3ngers” began\r\nactively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs)\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a\r\nPage 1 of 10\n\nand human machine interfaces (HMIs). The IRGC-affiliated cyber actors left a defacement image stating, “You\r\nhave been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The\r\nvictims spanned multiple U.S. states and foreign countries. These PLCs are commonly used in the Water and\r\nWastewater Systems (WWS) Sector and used in other industries including, but not limited to, energy, food and\r\nbeverage manufacturing, transportation systems, and healthcare. The PLCs may be rebranded and appear as\r\noriginating from different manufacturers and companies. \r\nComplementing a previously published CISA Alert, the authoring agencies are releasing this updated joint\r\nadvisory to share TTPs associated with IRGC cyber operations. The authoring agencies urge all organizations,\r\nespecially those within critical infrastructure sectors, to apply the recommendations listed in the Mitigations\r\nsection of this advisory to reduce the risk of compromise from these IRGC-affiliated cyber actors.\r\nOverview of Updated Information\r\nThis advisory provides observed TTPs the authoring agencies assess are likely associated with this IRGC-affiliated APT. 
The late 2023 campaign conducted by CyberAv3ngers compromised additional Unitronics version\r\ntypes, including older PLC models, than were previously outlined. The IRGC-affiliated APT cyber actors also\r\ndeveloped custom ladder logic files to download for each of these device types. Previously unreported TTPs also\r\noutline how the actors supplanted existing ladder logic files with their own, renamed devices likely to forestall\r\nowner access, reset software versions to older versions, disabled upload and download functions, and changed the\r\ndefault port numbers. With this type of access, deeper device and network level accesses are available and could\r\nrender additional, more profound cyber-physical effects on processes and equipment. Additionally, the NCSC\r\nobserved the targeting of PLC devices, including in the United Kingdom, likely as part of a wider cyber campaign\r\nagainst Israel and Israeli-made technology. This targeting of PLCs poses an ongoing risk to UK organizations that\r\nutilize these components in their operational technology (OT) systems. For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the\r\nFBI’s Iran Threat webpage.\r\nDownload the PDF version of this report: \r\nFor a downloadable copy of the indicators of compromise (IOCs), see:\r\nNote: These IOCs are from the original joint advisory published Dec. 1, 2023, and are not current.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 16. See Table 1\r\nthrough Table 4 for threat actor activity mapped to MITRE ATT\u0026CK tactics and techniques. 
For assistance with\r\nmapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best\r\nPractices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nOverview and History of Threat Actor Activity\r\nCyberAv3ngers is an Iranian IRGC-affiliated cyber persona (also known as CyberAveng3rs or Cyber Avengers)\r\nthat has claimed responsibility for numerous attacks against critical infrastructure organizations primarily in the\r\nwater and energy sectors in the United States, Israel, and other countries.[1][2][3][4][5][6][7][8][9][10] Since 2020, CyberAv3ngers has claimed responsibility for cyberattacks in Israel, although several\r\nof these claimed compromises of critical infrastructure organizations in Israel are false.[3] In October 2023,\r\nCyberAv3ngers claimed credit on their Telegram Channel for cyberattacks against Israel-based PLCs. The PLCs\r\nwere internet-facing, used Unitronics’ default passwords or no password, and connected to default ports—\r\nvulnerabilities that were likely exploited by the actors. CyberAv3ngers also reportedly has connections to another\r\nIRGC-linked group known as Soldiers of Solomon. The observed activity includes the following:\r\nBetween Sept. 13, 2023, and Oct. 30, 2023, the CyberAv3ngers Telegram channel displayed both\r\nlegitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in\r\nthe water, energy, shipping, and distribution sectors.\r\nBeginning on Nov. 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate\r\nHMI-capable Unitronics Vision Series PLCs likely by compromising internet accessible devices with\r\ndefault or no passwords. The targeted PLCs displayed the defacement message, “You have been hacked,\r\ndown with Israel. 
Every equipment ‘made in Israel’ is Cyberav3ngers legal target.”\r\n(Update Dec. 18, 2024)\r\nThreat Actor Activity Against U.S.-Based Unitronics Devices\r\nBetween November 2023 and January 2024, CyberAv3ngers targeted U.S.-based Unitronics PLC devices used in\r\nmultiple critical infrastructure industries, including the WWS Sector, likely in four separate waves of cyberattacks.\r\nThe actors compromised at least 75 devices, including at least 34 in the WWS Sector in the United States.\r\nThe actors compromised multiple Unitronics Vision Series devices by authenticating to internet-connected devices\r\nwith communications set to the default TCP port 20256 [T1110]. These devices either had a default password\r\nin place or no password [T1078.001]. The actors made multiple changes to the devices to disrupt their functions\r\nand prevent remote operators from connecting to the devices to remediate the problem. Actions taken by the actors\r\nincluded the following:\r\nThe actors erased the original ladder logic file on the device and downloaded their own [T1565.001].\r\nTheir ladder logic file contained no inputs or outputs. Since the programmed ladder logic is responsible for\r\ndirecting the functioning of the device, the replacement ladder logic file prevented the compromised\r\ndevices from operating as intended.\r\nThe actors renamed the compromised devices, which delayed the device operators from accessing the\r\ndevices remotely as the device name was a required field for facilitating remote connections [T1531].\r\nThe actors set the software version of their ladder logic file to an older version [T1565.001]. Resetting\r\nthe software version prevented the device operators from communicating with the PLC using their\r\nengineering workstation. 
This could only be resolved if the engineering workstation’s software version\r\nchanged to match the software version of the new ladder logic file or if the PLC device was factory reset so\r\nthe ladder logic would be the latest software version.\r\nThe actors disabled the upload and download functions of the PLC device to prevent the device operators\r\nfrom taking down the splash page [T1499]. Additionally, the actors enabled password protection for the\r\nupload settings, preventing device operators from changing the programming remotely [T1531].\r\nThe actors changed the default port number for communicating remotely with the PLC device\r\n(from 20256 to 20257) [T1499].\r\nThe actors did not burn their ladder logic file to the device, preventing the retrieval of the ladder logic file\r\nfrom the device.\r\nThe actors uploaded a splash page with the aforementioned defacement message to the HMI screen, which\r\nprevented operators from reading anything the display screen would normally show, such as input and\r\noutput readings [T1491.001]. In at least one instance the actors displayed a text file with the same\r\nmessage on an older device that could not display a graphic image.\r\nMultiple versions of the Unitronics devices were compromised, including older models. The actors developed\r\ncustom ladder logic files to download for each device type.\r\nWith this type of access, and depending on the device’s configuration, deeper device and network level accesses\r\nare available and could render additional, more profound cyber-physical effects on processes and equipment.\r\nOrganizations should consider and evaluate their systems for these possibilities.\r\n(Update End)\r\nIndicators of Compromise\r\nUpdate Dec. 18, 2024:\r\nThe indicators provided in this advisory’s initial publication have been removed as they are outdated. 
For historic\r\nreference, see AA23-335A IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water\r\nand Wastewater Systems Facilities (Original Version).\r\n(Update End)\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 1 through Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance\r\nwith mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s\r\nBest Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 1: Credential Access\r\nTechnique Title | ID | Use\r\nBrute Force | T1110 | The actors used brute force to gain access to Valid Accounts.\r\nTable 2: Lateral Movement\r\nTechnique Title | ID | Use\r\nValid Accounts: Default Accounts | T1078.001 | The actors compromised multiple devices via default credentials.\r\nTable 3: Impact Techniques\r\nTechnique Title | ID | Use\r\nStored Data Manipulation | T1565.001 | The actors erased the original ladder logic file on compromised devices. The actors set the software version of their ladder logic file to an older version, which prevented device operators from communicating with the PLC using their engineering workstation. 
This could only be resolved when the engineering workstation’s software version changed to match the software version of the new ladder logic file or if the PLC device was factory reset so the ladder logic would be the latest software version.\r\nAccount Access Removal | T1531 | The actors renamed the compromised devices so that device operators could no longer access them. The actors enabled password protections for the upload functions to prevent device operators from changing the programming remotely.\r\nEndpoint Denial of Service | T1499 | The actors disabled the upload and download functions of the PLC device to prevent the device operators from taking down the splash page.\r\nDefacement: Internal Defacement | T1491.001 | The actors uploaded a splash page to the HMI screen to display a message regarding the hacking.\r\nTable 4: Command and Control\r\nTechnique Title | ID | Use\r\nEndpoint Denial of Service | T1499 | The actors changed the default port number for communicating remotely with the PLC device.\r\nMitigations\r\nThe authoring agencies recommend critical infrastructure organizations, including WWS Sector facilities,\r\nimplement the following mitigation and detection strategies to improve organizational cybersecurity posture to\r\ndefend against IRGC-affiliated activity. These mitigations align with the Cross-Sector Cybersecurity Performance\r\nGoals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs\r\nprovide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.\r\nCISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most\r\ncommon and impactful threats, tactics, techniques, and procedures. 
Visit CISA’s Cross-Sector Cybersecurity\r\nPerformance Goals for more information on the CPGs, including additional recommended baseline protections.\r\nNote: The mitigations below are based on threat actor activity against Unitronics PLCs, but threat actors have\r\ntargeted multiple internet-exposed PLCs in 2024.1 These mitigations should be applied to any internet-facing\r\nPLCs.\r\nNetwork Defenders\r\n(Updated Dec. 18, 2024)\r\nThe cyber threat actors accessed the affected devices—Unitronics Vision Series PLCs—by authenticating to\r\ninternet-connected devices using default or no passwords. To safeguard against this threat, the authoring agencies\r\nurge organizations to consider the following:\r\nImmediate steps to prevent the attack:\r\n(Updated Dec. 18, 2024) Upgrade engineering workstations to 9.9.00 VisiLogic software and upgrade\r\nthe firmware of all Vision series PLC/HMI devices to the newest firmware for that model, [CPG 2.A],\r\nensuring a strong password is used.\r\nFor more information, see Unitronics’ blog Unitronics Cybersecurity for Vision and Samba PLC\r\nSeries and Release notes for VisiLogic 9.9.00.\r\nReplace all default passwords on PLCs and HMIs with a strong password. [CPG 2.A] In particular,\r\nensure the Unitronics PLC default password is not in use. Apply new security-related ladder logic elements\r\nto the project files on these devices, to include TCP/IP passwords, upload project files passwords, INFO\r\nmode passwords, and SD card passwords.\r\nDisconnect the PLC from the public-facing internet [CPG 2.X]. Either disable the capability for\r\nremotely programming PLCs or require a strong password for remotely programming the PLC. 
Also\r\nchange the default port, default PLC device name, and place behind a firewall that can detect attempted\r\nremote brute-forcing for the device password.\r\n(Update End)\r\nFollow-up steps to strengthen security posture:\r\nImplement multifactor authentication [CPG 2.H] for access to the OT network whenever applicable.\r\nIf remote access is required, implement a network proxy, gateway, firewall and/or virtual private\r\nnetwork (VPN) in front of the PLC to control network access.\r\nA VPN or gateway device can enable multifactor authentication for remote access even if the PLC\r\ndoes not support multifactor authentication. Implement security rules on these higher-level network\r\nsecurity mechanisms that prevent the type of repeated and sustained login attempts that would be\r\nseen during a brute force attack. When possible, implement a device control list for workstations\r\nsending messages or connecting to OT components.\r\nKeep Unitronics and other PLC devices updated with the latest software patches by the\r\nmanufacturer.\r\nConfirm third-party vendors apply the above recommended countermeasures to mitigate exposure of\r\nthese devices and all installed equipment.\r\n(Updated Dec. 
18, 2024)\r\nImplement network segmentation [CPG 2.F] through the use of network proxies, gateways, and firewalls\r\nand/or through the use of the Purdue Model to establish multiple levels and zones.\r\nAdopt mature asset management processes and understand which assets are being exposed, why they are\r\nbeing exposed, and their support and patch status.\r\nPeriodically inventory internet accessible devices [CPG 1.A] to identify any unexpected devices\r\nconnected to the network.\r\nConfigure external and internal firewalls to block traffic using common ports associated with\r\nnetwork protocols that are unnecessary for the particular network segment.\r\nAuthenticate all access to field controllers before authorizing access to, or modification of, a device’s\r\nstate, logic, or programs.\r\nCentralized authentication techniques can help manage the large number of field controller accounts\r\nneeded across the industrial control system (ICS).\r\nDisable any unused authentication methods, logic, or features, such as default authentication keys.\r\nUse a role-based mechanism to limit operating mode changes to required authenticated users only.\r\nPhysical mechanisms (e.g., keys) can also be used to prevent unauthorized operating mode changes.\r\nImplement device management systems that can authenticate all network messages to prevent\r\nunauthorized system changes.\r\nEnsure all field controllers require users to authenticate for all management sessions.\r\nUse host-based allowlists to prevent devices from accepting connections from unauthorized systems\r\nand ensure they can only connect with known workstations.\r\nImplement network intrusion detection and prevention systems whenever possible to identify\r\nmalicious activity.\r\nUse this to monitor for logon activity for unexpected or unusual access to devices from the internet.[11]\r\nRetain cold-standby or replacement hardware of similar models to ensure continued operations of\r\ncritical functions if the 
primary system is compromised or unavailable [CPG 2.R].[12]\r\nCreate and test strong backups of the logic and configurations of PLCs to enable fast recovery.\r\nUtilize watchdog timers, when possible, to enable quick detection of unresponsive systems.\r\nMonitor asset management systems for device configuration changes, which can be used to understand\r\nexpected parameter settings.\r\nMonitor the content of network traffic for the following:\r\nUnusual logins to internet-connected devices or unexpected protocols to/from the internet.\r\nFunctions of ICS management protocols that change an asset’s operating mode or modify programs.\r\nUnexpected protocols connected to ports that are mismatched with the protocols that would\r\nnormally connect to these ports.[11] Block all non-used high ephemeral ports and monitor for\r\nattempted connections using standard protocols on non-standard ports [CPG 2.V].\r\n(Update End)\r\nIn addition, the authoring agencies recommend network defenders apply the following mitigations to limit\r\npotential adversarial use of common system and network discovery techniques, as well as reduce the impact and\r\nrisk of compromise by cyber threat actors:\r\nReduce risk exposure. CISA offers a range of services at no cost, including scanning and testing, to help\r\norganizations reduce exposure to threats via mitigating attack vectors. CISA Cyber Hygiene services can\r\nhelp provide additional review of organizations’ internet accessible assets. Email\r\nvulnerability@cisa.dhs.gov with the subject line “Requesting Cyber Hygiene Services” to get started.\r\n(Updated Dec. 18, 2024) U.K. organizations can sign up for the free NCSC Early Warning service to\r\nreceive email alerts tailored to the cyber threat for your organization’s IP address. 
(End Update)\r\nDevice Manufacturers\r\nAlthough critical infrastructure organizations using Unitronics (including rebranded Unitronics) PLC devices can\r\ntake steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that\r\nare secure by design and default. The authoring agencies urge device manufacturers to take ownership of their\r\ncustomers’ security outcomes by following the principles in the joint guide Shifting the Balance of Cybersecurity\r\nRisk: Principles and Approaches for Secure by Design Software, primarily:\r\nDo not ship products with default passwords; instead, either ship products with random initial passwords or\r\nrequire users to change the password upon first use.\r\n(Updated Dec. 18, 2024) Change the manufacturers’ default settings to prevent exposing administrative\r\ninterfaces to the internet. (End Update)\r\nDo not charge additional fees for basic security features needed to operate the product securely.\r\nSupport multifactor authentication, including via phishing-resistant methods.\r\nBy using secure by design tactics, software manufacturers can make product lines secure “out of the box” without\r\nrequiring customers to spend additional resources making configuration changes, purchasing tiered security\r\nsoftware and logs, monitoring, and making routine updates.\r\nFor more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory\r\nNSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on\r\nsecure by design, see CISA’s Secure by Design webpage and joint guide.\r\nValidate Security Controls\r\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your\r\norganization's security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise\r\nframework in this advisory. 
The authoring agencies recommend testing any existing security controls inventory to\r\nassess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 1 through Table 4).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nThe authoring agencies recommend continually testing your security program, at scale, in a production\r\nenvironment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nResources\r\nEPA: Cybersecurity for the Water Sector\r\nCISA: Water and Wastewater Systems Sector\r\nCISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems\r\nCISA: Iran Cyber Threat Overview and Advisories\r\nFBI: The Iran Threat\r\nCISA, MITRE: Best Practices for MITRE ATT\u0026CK Mapping\r\nCISA: Decider Tool\r\nCISA: Cross-Sector Cybersecurity Performance Goals\r\nCISA: Cyber Hygiene Services\r\nCISA: Shifting the Balance of Cybersecurity Risk - Principles and Approaches for Secure by Design Software\r\nCISA: Secure by Design Alert - How Software Manufacturers Can Shield Web Management Interfaces from Malicious Cyber Activity\r\nCISA, NSA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations\r\nCISA: Secure by Design and Default\r\nCCCS: Cyber Security Readiness Goals: Securing Our Most Critical Systems\r\nReferences\r\n1. Dark Reading: Pro-Iranian Attackers Claim to Target Israeli Railroad Network\r\n2. 
Industrial Cyber: Digital Battlegrounds - Evolving Hybrid Kinetic Warfare\r\n3. Bleeping Computer: Israel’s Largest Oil Refinery Website Offline After DDoS Attack\r\n4. Dark Reading: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers\r\n5. X: @CyberAveng3rs\r\n6. MITRE: CyberAv3ngers\r\n7. VeroNews: Hackers in Iran Attack Computer at Vero Utilities, December 15, 2023\r\n8. CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group\r\n9. Dragos: The Rising Tide of Water Utility Cyber Threats: How Dragos Shield Water Systems\r\n10. Claroty: From Exploits to Forensics: Unraveling the Unitronics Attack\r\n11. Gardiner, J., Cova, M., and Nagaraja, S.: Command \u0026 Control Understanding, Denying and Detecting\r\n12. Rentschler, M. and Heine, H.: The Parallel Redundancy Protocol for Industrial IP Networks\r\nIncident Reporting Contact Information\r\nU.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory\r\nto:\r\nCISA via CISA’s 24/7 Operations Center (Contact@mail.cisa.dhs.gov or 884-729-2472) or your local\r\nFBI field office. When available, please include the following information regarding the incident: date,\r\ntime, and location of the incident; type of activity; number of people affected; type of equipment used for\r\nthe activity; the name of the submitting company or organization; and a designated point of contact.\r\nFor NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.\r\nState, local, tribal, and territorial governments should report incidents to the MS-ISAC\r\n(SOC@cisecurity.org or 866-787-4722).\r\nCanadian organizations are encouraged to report incidents by emailing CCCS at contact@cyber.gc.ca.\r\nU.K. 
organizations are encouraged to report incidents to https://report.ncsc.gov.uk/ (monitored 24 hours).\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The authoring agencies do\r\nnot endorse any commercial entity, product, company, or service, including any entities, products, or services\r\nlinked within this document. Any reference to specific commercial entities, products, processes, or services by\r\nservice mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation,\r\nor favoring by CISA and co-sealers.\r\nVersion History\r\nDecember 2024: Updates noted throughout.\r\nDec. 14, 2023: Added CVE, patch information, and IOC descriptions.\r\nDec. 1, 2023: Initial version.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"
	],
	"report_names": [
		"aa23-335a"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43437ca229f69672819bf00a4d930cbe4a2ee195.pdf",
		"text": "https://archive.orkl.eu/43437ca229f69672819bf00a4d930cbe4a2ee195.txt",
		"img": "https://archive.orkl.eu/43437ca229f69672819bf00a4d930cbe4a2ee195.jpg"
	}
}