{
	"id": "0acce8fb-fb43-43eb-9800-f4fd50c224f2",
	"created_at": "2026-04-06T00:10:10.082101Z",
	"updated_at": "2026-04-10T13:11:33.196849Z",
	"deleted_at": null,
	"sha1_hash": "6e443138c56ad96f36b0d285d1ae36a57fe87856",
	"title": "(TLP:CLEAR) Water Utility Control System Cyber Incident Advisory: ICS/SCADA Incident at Municipal Water Authority of Aliquippa (Updated November 30, 2023) - WaterISAC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64967,
	"plain_text": "(TLP:CLEAR) Water Utility Control System Cyber Incident\r\nAdvisory: ICS/SCADA Incident at Municipal Water Authority of\r\nAliquippa (Updated November 30, 2023) - WaterISAC\r\nBy jlwalker\r\nPublished: 2023-11-30 · Archived: 2026-04-05 19:50:38 UTC\r\nAs WaterISAC continues to monitor for more information regarding this incident, we would like to make\r\nmembers aware that this may not be an isolated incident. There have been a few open source reports about\r\nadditional incidents with similar characteristics having occurred at other US water and wastewater utilities.\r\nWaterISAC is currently attempting to confirm those reports.\r\nBased on this information, as a reminder members are highly encouraged to:\r\nCheck for Unitronics PLCs in your environment, especially ones directly exposed to the internet which\r\nare trivial to discover through a basic internet (Shodan, Censys, etc.) search. As a generally recommended\r\npractice, it is important to identify any PLC in your environment that might be directly connected to the\r\ninternet or other untrusted network – not just the ones identified in this current incident.\r\nChange default passwords. Per the previously shared CISA Alert Tuesday evening, it is believed the\r\nthreat actors are leveraging default passwords that have not been changed after deployment to gain access\r\nto impacted devices. Again, as a generally recommended practice, this should be performed on every\r\ndevice or component active in your networks (OT or IT).\r\nRefrain from connecting (all) PLCs to the internet. 
If remote access is not necessary, a PLC connected\r\nto the internet represents an unnecessary risk to safety, availability, and control of your SCADA\r\nenvironment.\r\nHowever, if remote access is absolutely necessary, it is important that at a minimum, it securely\r\nsits behind a firewall and requires a VPN to access.\r\nAdditionally, MFA should be implemented, at the very least on the VPN (if the PLC doesn’t\r\nsupport MFA).\r\nIf you haven’t already, review the CISA Alert, Exploitation of Unitronics PLCs used in Water and\r\nWastewater Systems for more details and address accordingly.\r\nImportant: For utilities that outsource SCADA support, please consult with integrators/support vendors to\r\nconfirm/insist that recommended practices are being followed. Internet exposed PLCs are exceedingly trivial\r\nto discover and default passwords are widely known by attackers, making them easy to gain access to.\r\nPlease discourage “this won’t happen to us” notions. Often, we aren’t targets for who/where we are, but for what\r\nwe have (data or components) and how accessible (vulnerable/exploitable) it is – regardless of the size of our\r\norganization or how many people we service.\r\nNovember 27, 2023\r\nhttps://www.waterisac.org/portal/tlpclear-water-utility-control-system-cyber-incident-advisory-icsscada-incident-municipal\r\n\r\nWhile few details are currently known, according to open-source reporting, on Saturday the Municipal Water\r\nAuthority of Aliquippa in western Pennsylvania was attacked by an Iranian-backed cyber group known as\r\nCyberAv3ngers. The authority reported the actors were able to gain control of a remote booster station serving\r\ntwo townships, but stressed there is no known risk to the drinking water or water supply. CyberAv3ngers claims to\r\nbe an active group focused on targeting Israeli water and energy sites – including ten water treatment stations in\r\nIsrael as of Oct. 30, 2023, according to their X page. 
The Pennsylvania State Police is currently investigating.\r\nA local Pittsburgh news channel (KDKA) reported that CyberAv3ngers took control of the booster station that\r\nmonitors and regulates pressure for Raccoon and Potter Townships. An alarm reportedly went off as soon as the\r\nattack occurred. The system has been disabled and is being operated manually. The compromised device is\r\nreported to be a Unitronics.\r\nOf note, the news site has posted an image stating it was submitted by the water authority. The image suggests the\r\nattacker’s message is displayed on the system that was compromised with the Unitronics device and model\r\n(V570). While there’s generally nothing wrong with providing attackers’ messages to the media, perhaps better\r\noperational security should be maintained by cropping the image to omit the device and model or other key data.\r\nWaterISAC will be monitoring this situation for updated information and will advise of any significant\r\ndevelopments.\r\nIncident Reporting\r\nIf your utility experiences any cyber incidents or suspicious activity, contact the FBI via your local Field Office,\r\nCyber Watch (CyWatch) at (855) 292-3937 or Cy*****@*bi.gov, or the Internet Crime Complaint Center (IC3).\r\nYou can also contact CISA at re****@**sa.gov or (888) 282-0870. Additionally, WaterISAC encourages\r\nmembers to share information by emailing an*****@*******ac.org, calling 866-H2O-ISAC, or using the online\r\nincident reporting form.\r\nTo help prevent incidents, WaterISAC encourages water and wastewater utilities to sign up for CISA’s free Cyber\r\nVulnerability Scanning (VS) service. The VS service continuously assesses the health of internet-accessible assets\r\nby checking for known vulnerabilities, weak configurations – or configuration errors – and suboptimal security\r\npractices. 
CISA created a fact sheet on the VS service focused on water and wastewater utilities, available here.\r\nWaterISAC also hosted a briefing on the VS service with CISA personnel on September 28 – the recording and\r\npresentation are posted on WaterISAC’s website here (only WaterISAC members can access the webpage).\r\nMarked TLP:CLEAR, recipients may share this information without restriction. Information is subject to standard\r\ncopyright rules. For more information on the Traffic Light Protocol, or TLP, visit CISA.\r\nSource: https://www.waterisac.org/portal/tlpclear-water-utility-control-system-cyber-incident-advisory-icsscada-incident-municipal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.waterisac.org/portal/tlpclear-water-utility-control-system-cyber-incident-advisory-icsscada-incident-municipal"
	],
	"report_names": [
		"tlpclear-water-utility-control-system-cyber-incident-advisory-icsscada-incident-municipal"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e443138c56ad96f36b0d285d1ae36a57fe87856.pdf",
		"text": "https://archive.orkl.eu/6e443138c56ad96f36b0d285d1ae36a57fe87856.txt",
		"img": "https://archive.orkl.eu/6e443138c56ad96f36b0d285d1ae36a57fe87856.jpg"
	}
}