The US government has issued a warning to its allies that state-backed hackers from Iran and China are increasingly targeting critical infrastructure, with the most notable attacks against water systems.
The Cybersecurity and Infrastructure Security Agency (CISA) probed a number of Iranian attacks targeting Unitronic programmable logic controllers (PLC) used in water facilities.
China has also turned its attention to probing critical US infrastructure in what government officials claim could be practice for a wider playbook in the event of war between the US and China.
Targeting the weakest link in the chain
A public letter issued by Environment Protection Agency (EPA) Administrator, Michael Regan, and National Security Advisor, Jake Sullivan, said, “Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
While the attack conducted by an Iranian-backed group did not affect the water supply at the targeted facility, a breach of the PLCs used to control the supply of water means that had the attack progressed further, the attackers could have contaminated the water, damaged the facility itself, or even turned off the municipal water supply.
Volt Typhoon is the most likely culprit behind the attacks carried out by China, with water facilities alongside power grids, port infrastructure, and at least one oil and gas pipeline. The letter continued, stating, “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”
Water facilities in the US have long been an easy target for cyber attacks due to the critical underfunding, low staffing levels, and a general lack of cyber security. The Biden Administration recently announced that the burden of responsibility for cyber security should be shifted onto private enterprises that are best positioned to reduce the risks for small businesses and public institutions.
“In many cases, even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack,” the letter stated.
Via Bloomberg