Congressmen ask DOJ to investigate water utility hack, warning it could happen anywhere

HARRISBURG, Pa. — Three members of Congress called on the U.S. Justice Department to investigate how foreign hackers breached a water authority near Pittsburgh, prompting the nation’s top cyber defense agency to warn other water and wastewater treatment companies. that could be vulnerable.

In a letter released Thursday, U.S. Sens. John Fetterman and Bob Casey and U.S. Rep. Chris Deluzio said Americans should know that their drinking water and other basic infrastructure are safe from “nation-state adversaries and terrorist organizations.” .

“Any attack on our nation’s critical infrastructure is unacceptable,” Fetterman, Casey and Deluzio wrote in their letter to Attorney General Merrick Garland. “If an attack like this can happen here in Western Pennsylvania, it can happen anywhere else in the United States.”

The compromised industrial control system was manufactured in Israel, and a photograph from the Aliquippa Municipal Water Authority, Pennsylvania, suggests that “hackivists” deliberately targeted that facility because of the equipment’s link to Israel. The image of the device’s screen shows a message from the hackers that read: “All ‘made in Israel’ equipment are legal targets of Cyber ​​Av3ngers.”

A group using that name used identical language on X, formerly Twitter, and Telegram on Sunday. The group claimed in a social media post on October 30 to have hacked 10 water treatment stations in Israel, although it is unclear if they shut down any equipment.

Casey’s office said U.S. officials told him they believe Cyber ​​Av3ngers are actually behind the attack. Aliquippa Water Authority Chairman Matthew Mottes said federal officials told him hackers also breached four other utilities and an aquarium.

“We have been told that we are not the only affected authority in the country, but it is believed that we are the first,” Mottes said in an interview.

Leading cybersecurity companies Check Point Research and Google’s Mandiant have identified Cyber ​​Av3ngers as hacktivists aligned with the government of Iran.

Since the start of the war between Israel and Hamas, the group has expanded and accelerated by targeting critical Israeli infrastructure, Check Point’s Sergey Shykevich said. Iran and Israel were involved in a low-level cyber conflict before Hamas’ attack on Israel on October 7, and cybersecurity experts have said they expected a rise in hacktivism in response to Israel’s attacks on Gaza.

The device hacked in Pennsylvania was manufactured by Israel-based Unitronics, according to the U.S. Cybersecurity and Infrastructure Security Agency. Known as a programmable logic controller, it is used in a wide spectrum of industries, including water utilities and wastewater treatment, power companies and oil and gas producers. Regulates processes including pressure, temperature and fluid flow, according to the manufacturer.

Unitronics has not responded to inquiries about what other facilities with its equipment may have been hacked or could be vulnerable.

Experts say many water companies have not paid enough attention to cybersecurity.

In Pennsylvania, the attack prompted the water authority on Saturday to temporarily stop pumping at a remote station that regulates water pressure for customers in two nearby towns. Crews disconnected the system and switched to manual operation, officials said.

The attack came less than a month after a federal appeals court decision prompted the Environmental Protection Agency to rescind a rule that would have required U.S. public water systems to include cybersecurity testing in its periodic audits required by the federal government. The reversal was prompted by a federal appeals court decision in a case brought by Missouri, Arkansas and Iowa, joined by a water services trade group.

The Biden administration has been trying to bolster cybersecurity of critical infrastructure (more than 80% of which is privately owned) and has imposed regulations on sectors including electric utilities, gas pipelines and nuclear facilities. But many experts complain that too many vital industries are allowed to self-regulate.

In its warning Tuesday, the U.S. cybersecurity agency said the attackers likely breached the Unitronics device “by exploiting cybersecurity weaknesses, including poor password security and Internet exposure.”

Mottes said he doesn’t know how the device was hacked in Aliquippa, but he trusted the federal agency’s judgment.