Good news about South African water and sewage control systems following global hack
The Department of Water and Sanitation (DWS) has told MyBroadband that it does not use the programmable controllers exploited in a recent attack on a United States water facility.
This comes after the Shadowserver Foundation revealed that South Africa was among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs).
Shadowserver scanned the Internet for potentially vulnerable controllers following a U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory.
CISA warned that a state-sponsored Iranian hacking group had exploited security weaknesses in the controllers.
It said that, in addition to water and wastewater systems, the targeted Unitronics PLCs are also used in energy, food and beverage manufacturing, and healthcare.
CISA and the FBI, NSA, and the Israel National Cyber Directorate identified the attackers as a group called “CyberAv3ngers”.
The agencies said this group is affiliated with the Iranian Government Islamic Revolutionary Guard Corps, which the United States designated as a foreign terrorist organisation in 2019.
South Africa’s water and sanitation department said its systems have not experienced any compromise.
“The department has not received any notification of interruption of systems or compromise in water quality and wastewater management as a result of hacking,” a DWS spokesperson told MyBroadband.
“However, the department cannot vouch the same for other institutions who are custodians of the infrastructure referred to within the sector, since they operate independently.”
Randwater did not immediately respond to a request for comment.
CISA said the CyberAv3ngers group likely accessed the impacted PLCs — Unitronics Vision Series with a Human Machine Interface — by exploiting security weaknesses like poor passwords.
It noted that the default password for Unitronics PLCs is “1111” and must be changed.
These systems should also not be connected to the open Internet, and CISA advised administrators to control all remote access through firewalls, virtual private networks, and IP address allowlists.
Following CISA’s advisory last week, Shadowserver found at least 539 Unitronics PLC instances that remained publicly exposed worldwide.
Shadowserver’s scan revealed that Australia had the most number of exposed controllers (66), followed by Singapore (52), Switzerland (42), and the United States (37).
These were followed by Estonia and Spain (31), Czechia (25), and Hungary (24).
Brazil, The Netherlands, and South Africa were tied with 15 exposed instances each.
It is still unclear where these Unitronics Vision Series PLCs were being used in South Africa.