The U.S. State Department has identified six Iranian government hackers allegedly responsible for a series of cyberattacks on U.S. water utilities last fall. In response, the department has announced a substantial reward for information about these six Iranian hackers leading to their identification or location.
This move highlights the severity of the threat posed by these cyber actors and the commitment of the U.S. government to safeguarding its critical infrastructure.
State Department Reward for Six Iranian Hackers
The State Department’s Rewards for Justice program is offering up to $10 million for information on individuals acting under foreign government control who engage in malicious cyber activities against U.S. critical infrastructure. This includes actions in violation of the Computer Fraud and Abuse Act.
The six Iranian officials named in the advisory are linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and its Cyber-Electronic Command (IRGC-CEC).
They are accused of compromising industrial control systems, specifically targeting the Vision series of programmable logic controllers (PLCs) manufactured by Israel-based Unitronics. These PLCs are widely used in various industries, including water and wastewater, energy, food and beverage, manufacturing, and healthcare.
The hackers exploited default credentials in these devices, leaving messages with anti-Israel sentiments and potentially rendering the devices inoperative.
The individuals identified are:
- Hamid Homayunfal
- Hamid Reza Lashgarian
- Mahdi Lashgarian
- Milad Mansuri
- Mohammad Bagher Shirinkar
- Reza Mohammad Amin Saberian
Profiles of Key Actors
- Hamid Reza Lashgarian: Head of the IRGC’s Cyber-Electronic Command and a commander in the IRGC-Qods Force. He has a history of involvement in various IRGC cyber and intelligence operations.
- Hamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Reza Mohammad Amin Saberian, and Mohammad Bagher Shirinkar: Senior officials within the IRGC-CEC, responsible for executing cyber activities.
CyberAv3ngers: The Hackers Behind the Cyberattacks
The CyberAv3ngers group, linked to the IRGC-CEC, specifically targeted the Vision series of PLCs manufactured by Israel-based Unitronics. In October 2023, CyberAv3ngers took credit for cyberattacks against Israeli PLCs via their Telegram channel. Starting in November 2023, they exploited default credentials on these PLCs across the U.S., leaving messages with anti-Israel statements on the devices’ digital screens. These compromises often rendered the devices inoperative.
On February 2, 2024, the U.S. Department of the Treasury imposed sanctions on the six IRGC-CEC officials for their cyber activities. These individuals were designated as Specially Designated Nationals under Executive Order (E.O.) 13224, which targets leaders and officials of terrorist organizations. The sanctions block all property and interests in property of these officials within the U.S. or controlled by U.S. persons and generally prohibit U.S. persons from engaging in transactions involving these individuals.
The U.S. government is urging anyone with information on CyberAv3ngers’ activities or the identified individuals to contact Rewards for Justice. Information can be reported anonymously via a Tor-based tip line accessible through the Tor browser.
CISA’s Response and Recommendations
The Cybersecurity and Infrastructure Security Agency (CISA) has been proactive in identifying U.S. water utility operators using Unitronics devices. Throughout the fall, CISA notified these operators of the campaign, urging them to change the default passwords on their devices to prevent unauthorized access.
Although there was no evidence that the provision of safe drinking water had been compromised, officials expressed concern that hackers could use the compromised devices to gain deeper access to operators’ networks.
The incident has reignited concerns about the vulnerability of the U.S. water sector to cyberattacks. These concerns were highlighted by a recent government watchdog report criticizing the Environmental Protection Agency (EPA) for not conducting a comprehensive sector-wide risk assessment or developing a risk-informed strategy to guide its actions.
The U.S. government’s substantial reward for information on these Iranian hackers highlights the serious threat posed by cyberattacks on critical infrastructure.
By offering up to $10 million, the State Department hopes to bring these cyber criminals to justice and bolster the security of essential services.