Unskilled Iranian hackers access unprotected HMI at Israeli water facility

A group of Iranian hackers accessed an Israeli reclaimed water reservoir HMI system and published a video of the hack on their Telegram channel.

According to the industrial cybersecurity firm OTORIO, the threat actor got access to the reservoir’s human-machine interface (HMI) system, which was connected to the internet without any authentication or other security measures put in place to limit access to the system.

“This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser,” the researchers said.

The hackers posted their video on December 1, and on December 2 the owner of the compromised system implemented an authentication mechanism to prevent access to the system. However, the system itself is still accessible via the internet without any barrier, allowing more skilled attackers to compromise it.

“Additionally, the system still allows communications on port 502, which is used for Modbus protocol. Modbus/TCP does not require any authentication/encryption. It is a bad practice to expose this interface directly to the worldwide web. OTORIO researchers believe the ICS system used in this specific site is ‘T-Box’ by Ovarro,” the report said.

The threat actor responsible for the hack is an Iran-based hacker group, named “Unidentified TEAM,” which, the researchers believe, does not possess any deep industrial capabilities or knowledge. In the past, the group had been observed attacking marginal American websites, including a governmental education website in Texas.

“The findings we present here highlight that there is a worrying lack of awareness of ICS cyber protection by SCADA engineers and system designers. In the case of the Israeli reservoir, even minimal steps, such as authentication and restricting access, were not taken. This led to an easy compromise of the system,” the researchers said. “In order to fully protect SCADA devices, a more active approach should be applied. This includes secure remote access (e.g. VPN), access restriction based on Firewall rules, and active defense-in-depth methods.”
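The Modbus/TCP exposure OTORIO describes (TCP port 502, no authentication or encryption in the protocol) and the firewall-style access restriction they recommend can be illustrated together with the following added example, which is not from the article, OTORIO or Ovarro. It parses the Modbus/TCP MBAP header of constructed sample frames, classifies the function code as a state-changing write or a read, and flags any write that does not originate from an assumed allowlist of engineering hosts, which is the policy a perimeter firewall or ICS monitoring sensor would enforce. The IP addresses, frames and allowlist are constructed for illustration.

```python
"""Classify Modbus/TCP requests and flag unauthenticated writes from non-allowlisted hosts.

Added example (not the article's or OTORIO's code). Modbus/TCP carries no
authentication, so the only thing separating a legitimate engineering write
from an arbitrary internet host's write is the source address and the network
path that reached port 502; this is what the allowlist below models.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Function codes that change PLC/RTU state (coils and holding registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
# Function codes that only read process data.
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU function code that follows it.

    MBAP layout (big-endian): transaction id (2 bytes), protocol id (2 bytes,
    always 0 for Modbus), length (2 bytes, counts unit id + PDU), unit id (1 byte).
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP: protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def evaluate(src_ip: str, frame: bytes, allowed_writers: set[str]) -> tuple[str, str]:
    """Return ("ALLOW" | "ALERT", reason) for one request seen on port 502."""
    req = parse_mbap(frame)
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if src_ip in allowed_writers:
            return "ALLOW", f"{name} to unit {req.unit_id} from allowlisted engineering host"
        return "ALERT", f"unauthenticated {name} to unit {req.unit_id} from non-allowlisted host"
    if req.function in READ_FUNCTIONS:
        return "ALLOW", f"{READ_FUNCTIONS[req.function]} from unit {req.unit_id}"
    return "ALERT", f"unexpected function code 0x{req.function:02x}"


def audit(traffic: list[tuple[str, bytes]], allowed_writers: set[str]) -> list[tuple[str, str, str]]:
    """Evaluate a batch of (source ip, frame) pairs; returns (ip, verdict, reason) rows."""
    return [(ip,) + evaluate(ip, frame, allowed_writers) for ip, frame in traffic]


# Constructed sample data; the allowlist is an assumed engineering subnet host,
# the internet address is a documentation range (RFC 5737), not a real attacker.
ENGINEERING_HOSTS = {"10.10.0.5"}
SAMPLE_TRAFFIC = [
    # tid 1, unit 1, fc 0x06: write register 0x0010 := 100
    ("10.10.0.5", bytes.fromhex("000100000006010600100064")),
    # tid 2, unit 1, fc 0x03: read 10 holding registers from address 0
    ("10.10.0.9", bytes.fromhex("00020000000601030000000a")),
    # tid 3, unit 1, fc 0x10: write 2 registers starting at 0, sent from the internet
    ("203.0.113.7", bytes.fromhex("00030000000b0110000000020400010002")),
]

if __name__ == "__main__":
    for ip, verdict, reason in audit(SAMPLE_TRAFFIC, ENGINEERING_HOSTS):
        print(f"{verdict:5} {ip:<12} {reason}")
```

Running the script prints one ALLOW line for each of the two internal hosts and an ALERT for the write arriving from 203.0.113.7. The same allowlist, expressed as a firewall rule that only permits port 502 from the engineering subnet (or only over a VPN), is the access restriction the researchers call for; the parser is useful because, on a device where that restriction was never applied, the only remaining evidence of tampering is the write traffic itself.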

In April, the Israeli authorities issued an alert to warn organizations in the water sector about a series of cyberattacks aimed at water facilities.

According to the alert published by the Israeli National Cyber-Directorate (INCD), the attacks were aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.
