Cyber Av3ngers (Sabotage Shahs)

Profile: Sabotage Shahs (Cyber Av3ngers)

Name: Cyber Av3ngers

Origin: Linked to Iranian government cyber groups.

First Identified: Active since at least 2020, with a significant increase in activity recently.

Primary Targets:

  • Targets critical infrastructure, especially facilities using Israeli-made technology.
  • Recent attacks focused on water facilities in the United States, including a notable incident in Aliquippa, Pennsylvania.

Infection Method:

  • Exploits basic security weaknesses such as default or weak passwords and direct internet exposure of control systems.
  • Exploits vulnerabilities in Unitronics PLCs.

Primary Function:

  • Disrupts and gains control of critical infrastructure systems.
  • Aims to create fear and media attention, particularly against Israeli technology.

Evasion Techniques:

  • Likely employs sophisticated methods to access and manipulate industrial control systems.
  • Specific evasion techniques have not been documented, but they would involve stealthy infiltration of the targeted networks.

Impact:

  • Causes operational disruptions in critical infrastructure.
  • Raises significant concerns over the security of water and wastewater systems.

Defensive Recommendations:

  • Change default passwords on critical systems.
  • Implement multifactor authentication for remote access.
  • Disconnect vulnerable systems from the open internet and use firewall/VPN solutions.
  • Regularly back up system configurations and logic.
  • Monitor and restrict access to key infrastructure systems.
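As an added example (not part of the original profile), the following audit turns the recommendations above into a repeatable check over a PLC/HMI inventory. The inventory records, the 30-day backup policy and the use of TCP 20256 as the vendor default port are assumptions constructed for the example.

```python
# Hardening audit for ICS assets, based on the defensive recommendations above.
# Inventory data below is constructed for illustration only.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DEFAULT_VENDOR_PORT = 20256   # assumed: default Unitronics PCOM port cited in public advisories
MAX_BACKUP_AGE_DAYS = 30      # assumed local policy for configuration/logic backups
TODAY = date(2024, 1, 15)     # fixed reference date so the audit is reproducible

@dataclass
class Asset:
    name: str
    vendor: str
    password_is_default: bool
    internet_exposed: bool                 # directly reachable from the public internet
    remote_access_mfa: bool                # MFA enforced on the remote-access path
    last_config_backup: Optional[date]     # None if logic/config was never backed up
    listening_port: Optional[int] = None

# Constructed inventory: one badly exposed PLC, one well-managed HMI, one partly compliant PLC.
INVENTORY = [
    Asset("Booster-PLC-1", "Unitronics", True, True, False, None, DEFAULT_VENDOR_PORT),
    Asset("HMI-2", "Unitronics", False, False, True, TODAY - timedelta(days=10)),
    Asset("Chlorine-PLC", "Other", False, True, True, TODAY - timedelta(days=90), 502),
]

def audit(asset: Asset, today: date = TODAY) -> List[str]:
    """Return one finding per violated recommendation (empty list means compliant)."""
    findings = []
    if asset.password_is_default:
        findings.append("default password in use")
    if asset.internet_exposed:
        findings.append("directly internet-exposed; place behind firewall/VPN")
        if asset.listening_port == DEFAULT_VENDOR_PORT:
            findings.append("vendor default port exposed to the internet")
    if not asset.remote_access_mfa:
        findings.append("no MFA on remote access")
    if asset.last_config_backup is None or (today - asset.last_config_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append("configuration/logic backup missing or stale")
    return findings

def run_audit(inventory=INVENTORY, today: date = TODAY) -> Dict[str, List[str]]:
    return {a.name: audit(a, today) for a in inventory}

def prioritize(inventory=INVENTORY, today: date = TODAY) -> List[str]:
    """Asset names ordered by number of findings, worst first, for remediation planning."""
    results = run_audit(inventory, today)
    return sorted(results, key=lambda n: len(results[n]), reverse=True)

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "->", findings or "compliant")
```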

Associated MITRE Techniques:

  • Exploitation of Remote Services (T1210): Gaining access through remote services.
  • Lateral Movement (T1021): Spreading through networks to control systems.
  • Command and Control (T1071): Communicating with compromised systems.
  • Defense Evasion (T1027, T1070): Avoiding detection during and after the attack.
  • Discovery (T1082): Gathering information about the targeted environment.

Sabotage Shahs (Cyber Av3ngers) represent a persistent and evolving threat, particularly to infrastructure that relies on specific foreign technologies. Their focused attacks highlight the need for stronger security measures in critical sectors.