US sanctions Iranian military hackers for attacks on water facilities

The U.S. issued sanctions Friday on six Iranian government officials accused of being behind a string of cyberattacks on water facilities using technology made by an Israeli company.

The members of the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) are facing penalties for their “deliberate targeting of critical infrastructure,” according to Brian Nelson, undersecretary of the Treasury for terrorism and financial intelligence.

Treasury’s Office of Foreign Assets Control (OFAC) added the six men to its “specially designated nationals” list.

The sanctions relate to multiple attacks on programmable logic controllers (PLCs) manufactured by Unitronics, an Israeli company, throughout November and December following the onset of the Israel-Hamas war.

Those sanctioned include the head of IRGC-CEC — Hamid Reza Lashgarian — who also serves as a commander in the IRGC-Qods Force. Officials noted that Lashgarian has been involved in other cyber and intelligence operations.

Several other senior officials within the IRGC-CEC were sanctioned, including Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian.

Nelson called the attacks “unconscionable and dangerous,” adding that the U.S. “will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account.”

Water and wastewater systems use PLCs to control and monitor various stages and processes of treatment, including turning pumps on and off, pacing the flow of chemicals to meet regulations, gathering compliance data for monthly regulation reports and announcing critical alarms to operations.

Read More: Iran-linked hackers claim attack on Albania's Institute of Statistics

Unitronics PLCs are used widely within the water sector as well as other industries like energy, food and beverage manufacturing and healthcare. The devices are often exposed to the internet due to the remote nature of their control and monitoring functionalities.

A water utility in Pennsylvania and other U.S. water utilities and organizations involved in water distribution confirmed cyberattacks throughout November and December. The top cybersecurity agency in the U.S. told reporters in December that it was tracking a small number of impacted water utilities and reaching out directly to operators that may have been affected.

While U.S. officials say the hackers never caused severe operational damage to any water utility, the Municipal Water Authority of Aliquippa was forced temporarily to take systems offline and switch to manual operations. .

Several of the devices were defaced with messages from a hacking group called the Cyber Av3ngers — which was later tied to Iranian officials.

The Treasury Department reiterated on Friday that while the operation “did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences.”

“In this case, the United States, in coordination with the private sector and other affected countries, quickly remediated the incidents with minimal impacts,” the Treasury Department explained.

The sanctions notice added that the same Iranian hacking group is responsible for several notable attacks, including one targeting Boston Children’s Hospital in 2021 and others in Europe and Israel.

The U.S. previously sanctioned the IRGC-CEC in 2018. The sanctions come as the White House signaled the potential for airstrikes against Iranian proxy groups that have launched several attacks on U.S. military bases across Syria, Iraq and Jordan. The attack in Jordan led to the death of three U.S. soldiers.

Listen: Hacktivists are joining forces with Iran-backed operators to target victims with gossamer connections to Israel