US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks

The U.S. State Department identified at least six Iranian government hackers allegedly responsible for a string of attacks on U.S. water utilities last fall and offered a large reward for information on their whereabouts.

In a release on Wednesday, the State Department said Hamid Homayunfal, Hamid Reza Lashgarian, Mahdi Lashgarian, Milad Mansuri, Mohammad Bagher Shirinkar and Reza Mohammad Amin Saberian are Iranian security officials allegedly linked to malicious cyber activities conducted by Iran’s Islamic Revolutionary Guard Corps (IRGC) hacking groups.

Lashgarian is allegedly the head of the IRGC’s Cyber-Electronic Command (CEC) and has previously been involved in several other cyber and intelligence operations conducted by Iran. 

The other five men are senior officials within the CEC. In February, the U.S. issued sanctions on the same six Iranians for their “deliberate targeting of critical infrastructure.” 

A Treasury Department official called the attacks “unconscionable and dangerous,” adding that the U.S. “will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account.” The U.S. previously sanctioned the IRGC-CEC in 2018. 

The State Department urged anyone with access to CyberAv3ngers or the six men to come forward, offering a reward of up to $10 million for information on their whereabouts. 

“CyberAv3ngers, affiliated with the IRGC-CEC and Mahdi Lashgarian, targeted and compromised the Vision series of programmable logic controllers (PLCs) made by Israel-based Unitronics,” the State Department said. 

“The PLCs are used by the water and wastewater, energy, food and beverage, manufacturing, healthcare, and other industries, and may be rebranded as manufactured by other companies.”

CyberAv3ngers publicly took credit for the cyberattacks in October 2023, arguing that the attacks were conducted in response to the Israeli government’s actions in Gaza.  

Water utilities and companies in the water sector use PLCs to control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs and more.

The hackers forced the Municipal Water Authority of Aliquippa in Pennsylvania to take systems offline and switch to manual operations in order to remove any risk to the municipality's water or water supply.

Officials at the facility told a local news outlet that the hackers did not get access to anything in the actual water treatment plant other than a pump that regulates pressure to elevated areas of the system.

Several utilities shared images of PLCs taken over by CyberAv3ngers, with messages left by the hackers saying “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”

The Cybersecurity and Infrastructure Security Agency (CISA) worked to identify water utility operators using devices from Unitronics throughout the fall and notified them of the campaign — urging them to change the default passwords set on the devices. 

There was no evidence that hackers impacted the provision of safe drinking water, according to CISA, but officials remained concerned that the hackers would use the devices to gain deeper network access. 

But the incident reignited concerns about cyberattacks on the water sector, which were brought to light again last week when a government watchdog criticized the Environmental Protection Agency (EPA) for, among other things, failing to conduct a “comprehensive sector-wide risk assessment” or a “risk-informed strategy to guide its actions." 

An EPA spokesperson told Recorded Future News it plans to complete the sector-wide plan by early 2025.