South African water and sewage control systems potentially hit in global hack
The Shadowserver Foundation has revealed that South Africa is among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs).
This comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning that a state-sponsored Iranian hacking group had exploited security weaknesses in the controllers.
CISA stated that, in addition to water and wastewater systems, the targeted Unitronics PLCs are also used in energy, food and beverage manufacturing, and healthcare.
In an earlier alert, CISA said a U.S. water facility had been breached through a Unitronics PLC.
“In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations — there is no known risk to the municipality’s drinking water or water supply,” CISA assured.
CISA and the FBI, NSA, and the Israel National Cyber Directorate identified the attackers as a group called “CyberAv3ngers”.
According to CISA’s advisory, the group is affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) and is considered an Advanced Persistent Threat (APT) cyber actor.
“The IRGC is an Iranian military organisation that the United States designated as a foreign terrorist organisation in 2019,” CISA said.
It said the group likely accessed the impacted Unitronics Vision Series PLC with a Human Machine Interface by exploiting security weaknesses like poor passwords.
Many of these systems also should not have been connected to the Internet.
CISA noted that the default password for Unitronics PLCs is “1111” and must be changed.
It also urged organisations to require multifactor authentication for all remote access.
The PLCs should also be disconnected from the open Internet. If remote access is necessary, such access should be controlled through firewalls, virtual private networks, and IP address allowlists.
Non-profit information security foundation Shadowserver found at least 539 Unitronics PLC instances that remained publicly exposed worldwide.
Shadowserver said it specifically scanned the default Unitronics TCP port, 20256, on 2 December 2023.
CISA recommended that organisations configure their PLCs to use a different port.
Shadowserver’s scan revealed that Australia had the most number of exposed controllers (66), followed by Singapore (52), Switzerland (42), and the United States (37).
It recorded 15 exposed instances in South Africa — the same as Brazil and the Netherlands.
Only four countries were between South Africa and the U.S.: Estonia and Spain (31), Czechia (25), and Hungary (24).
It is unclear where these Unitronics Vision Series PLCs were being used in South Africa. Until they have mitigated the exploit, that is probably a good thing.
MyBroadband contacted water affairs minister Senzo Mchunu and the Department of Water & Sanitation for comment. Neither responded by publication.