OTORIO confirms Iranian hackers gained access to ICS at an Israeli water reservoir


Industrial cybersecurity firm OTORIO has said that a group of Iranian hackers gained access to a human machine interface (HMI) system at an Israeli reclaimed water reservoir and published a video of the intrusion. The target was unprotected and directly connected to the internet, with no security appliance defending it or limiting access.

The system required no authentication at all to gain access, OTORIO wrote in a blog post. It did not say whether the intrusion resulted in any damage or data leakage.

Based on its experience, the OTORIO team investigating the breach assesses that the main reason the reservoir was targeted was that it offered “easy, unprotected access.” In OTORIO’s view, the attackers did not possess any deep industrial capabilities or knowledge, the Tel Aviv, Israel-based company added.

The breach was initially published over the Telegram channel of an Iran-based hacker group, named “Unidentified TEAM,” OTORIO said. This group is responsible for other attacks on marginal U.S. websites, one of which is a governmental education website in Texas. In that case, the attackers stated that they were avenging the assassination last month of Iranian nuclear scientist Mohsen Fakhrizadeh, it added.

The attackers had easy access to the industrial control system (ICS) at the water reservoir, as well as the capability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more.

On the night of Dec. 1, the Iranian threat actor published a video of a breach of an Israeli reclaimed water reservoir HMI system, according to OTORIO. By the next morning, the HMI web application required authentication to access the system, but on Dec. 3 OTORIO researchers observed that the system was still reachable from the internet without any barrier.

Those with a minimal toolbox can most likely compromise the system, OTORIO said. “Additionally, the system still allows communications on port 502, which is used for Modbus protocol. Modbus/TCP does not require any authentication/encryption,” it added.

This is not the first time this year that Israel’s water sector has been targeted. In April, media reports quoted an alert issued by Israel’s National Cyber Directorate, warning that the attacks were directed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities. Authorities said the attacks did not cause any damage, but the attackers apparently knew how to target industrial systems.

Last month OTORIO launched remOT, its remote access offering that aims to improve security between the supply chain network and in-house industrial assets by granting access to assets and services within the industrial network only to authorized remote personnel. The company says this will help reduce the risks of unauthorized or malicious access and provide the monitoring and control needed to keep networks safe from vulnerabilities that hackers can exploit.
