The US Cybersecurity and Infrastructure Security Agency (CISA) is warning users of a popular programmable logic controller (PLC) to check the security of their units, after seeing attack activity it attributes to Iranian threat actors.
CISA has identified attacks by actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC) that exploit the default admin password “1111” on Unitronics PLCs and reach the units over their default TCP port 20256.
Most of the observed activity has involved defacement of target units with anti-Israel messages; however, CISA said more serious compromise may have happened.
The agency’s advisory said the attacks targeted Unitronics Vision series PLCs with human-machine interfaces (HMI).
The campaign began in October, when the attackers used a Telegram channel to claim credit for compromising targets in Israel; since at least November 22, they have turned their attention to targets in “multiple US states”.
A few days before the latest advisory, CISA issued a warning about PLC attacks.
It noted that one US municipality had reverted to manual operation of some of its water facilities after a PLC was compromised.
As well as changing all passwords on vulnerable systems, CISA recommended multifactor authentication be implemented on all operational technology.
Where PLCs have to be exposed to the internet, CISA said, they should be behind firewalls, and users should consider implementing a list of IP addresses allowed to access them.
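One way to check that an allow list in front of a PLC is holding is to audit firewall flow logs for traffic to TCP port 20256 from sources outside the list. The sketch below is an added example, not code from CISA or this article; the log format, allow list and addresses are constructed for illustration.

```python
import ipaddress

PLC_PORT = 20256  # default Unitronics port named in the advisory

# Constructed allow list (assumption): engineering subnet plus one remote host.
ALLOWED = ["10.20.0.0/24", "192.0.2.10/32"]

# Constructed flow log (assumption): timestamp src dst dst_port action
FLOWS = """\
2023-12-02T10:01:07Z 10.20.0.15 10.50.1.5 20256 ACCEPT
2023-12-02T10:03:44Z 203.0.113.77 10.50.1.5 20256 ACCEPT
2023-12-02T10:04:02Z 198.51.100.9 10.50.1.5 20256 DROP
2023-12-02T10:05:30Z 203.0.113.77 10.50.1.5 443 ACCEPT
2023-12-02T10:06:11Z 192.0.2.10 10.50.1.6 20256 ACCEPT
malformed line
"""


def audit(flow_text, allowed_cidrs, port=PLC_PORT):
    """Return (ts, src, dst, status) for PLC-port flows from non-allowed sources."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the expected format
        ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dport = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if dport != port or any(src_ip in n for n in nets):
            continue  # not the PLC port, or source is on the allow list
        # ACCEPT means the firewall let an unlisted source through to the PLC.
        status = "reached-plc" if action == "ACCEPT" else "blocked"
        findings.append((ts, src, dst, status))
    return findings


if __name__ == "__main__":
    for finding in audit(FLOWS, ALLOWED):
        print(*finding)
```

A `reached-plc` finding points to a gap in the firewall rules; `blocked` findings show the allow list working and are still worth tracking as probing activity.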