{ "id": "c13b04ec-5588-4afc-b8bc-9e00a71636c6", "created_at": "2026-04-06T00:09:24.239727Z", "updated_at": "2026-04-10T03:27:54.446081Z", "deleted_at": null, "sha1_hash": "facc2cb899d3a38201c8f4cc7a9516497cd1c6dd", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56874, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:21:00 UTC\r\nHome \u003e List all groups \u003e CyberAv3ngers\r\n APT group: CyberAv3ngers\r\nNames CyberAv3ngers (self given)\r\nCountry Iran\r\nSponsor State-sponsored, Islamic Revolutionary Guard Corps (IRGC)\r\nMotivation Sabotage and destruction\r\nFirst seen 2019\r\nDescription\r\n(CISA) The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure\r\nSecurity Agency (CISA), National Security Agency (NSA), Environmental\r\nProtection Agency (EPA), and the Israel National Cyber Directorate (INCD)—\r\nhereafter referred to as 'the authoring agencies'—are disseminating this joint\r\nCybersecurity Advisory (CSA) to highlight continued malicious cyber activity\r\nagainst operational technology devices by Iranian Government Islamic\r\nRevolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT)\r\ncyber actors.\r\nThe IRGC is an Iranian military organization that the United States designated as a\r\nforeign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona\r\n“CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics\r\nVision Series programmable logic controllers (PLCs). These PLCs are commonly\r\nused in the Water and Wastewater Systems (WWS) Sector and are additionally used\r\nin other industries including, but not limited to, energy, food and beverage\r\nmanufacturing, and healthcare. The PLCs may be rebranded and appear as different\r\nmanufacturers and companies.\r\nObserved\r\nSectors: Industrial.\r\nCountries: Ireland, Israel, USA.\r\nTools used\r\nOperations performed Nov 2023 Pennsylvania water authority hit with cyberattack allegedly tied to\r\npro-Iran group\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9fe10605-78f1-4c01-bf85-b9dfa21431cd\r\nPage 1 of 2\n\nDec 2023\nTwo-day water outage in remote Irish region caused by pro-Iran\nhackers\nCounter operations Aug 2024\nCyberAv3ngers\nInformation Last change to this card: 27 August 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9fe10605-78f1-4c01-bf85-b9dfa21431cd\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9fe10605-78f1-4c01-bf85-b9dfa21431cd\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9fe10605-78f1-4c01-bf85-b9dfa21431cd" ], "report_names": [ "showcard.cgi?u=9fe10605-78f1-4c01-bf85-b9dfa21431cd" ], "threat_actors": [ { "id": "5484a633-c850-4380-921b-72fce1a32e72", "created_at": "2024-01-18T02:02:34.026014Z", "updated_at": "2026-04-10T02:00:04.636248Z", "deleted_at": null, "main_name": "CyberAv3ngers", "aliases": [], "source_name": "ETDA:CyberAv3ngers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "b125b5c1-1431-4880-9ab8-582a583811ea", "created_at": "2024-04-24T02:00:49.643067Z", "updated_at": "2026-04-10T02:00:05.421434Z", "deleted_at": null, "main_name": "CyberAv3ngers", "aliases": [ "CyberAv3ngers", "Soldiers of Soloman" ], "source_name": "MITRE:CyberAv3ngers", "tools": null, "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434164, "ts_updated_at": 1775791674, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/facc2cb899d3a38201c8f4cc7a9516497cd1c6dd.pdf", "text": "https://archive.orkl.eu/facc2cb899d3a38201c8f4cc7a9516497cd1c6dd.txt", "img": "https://archive.orkl.eu/facc2cb899d3a38201c8f4cc7a9516497cd1c6dd.jpg" } }